Unencrypted files in cache / temp.
- os/version: ubuntu 22.10 (64 bit)
- os/kernel: 5.19.0-38-generic (x86_64)
- os/type: linux
- os/arch: amd64
- go/version: go1.19.4
- go/linking: static
- go/tags: none
(Yes, I will upgrade to 1.62.2 ASAP but that hardly matters for my question.)
My setup is a local encrypted remote which I mount to access and sync the encrypted remote to my Google Drive remote. That is, the data is only stored encrypted and I can thus work with it locally by mounting the remote and restore it from a cloud backup, but it should not be accessible to an outsider getting physical access to my laptop.
I noticed that the rclone cache/temp contains data unencrypted which of course thus would be accessible to anyone getting physical access. But deleting it after unmounting does not do that much - especially not with SSDs. I found the same concern in this thread but no solution: VFS encrypted cache
What I've thought of is the following and hopefully someone wiser than me can say how I should proceed or if some other alternative is even better?
1.) Create an encrypted file system with e.g. VeraCrypt for the rclone temporary directories. Complex, probably a performance hit and I'm not sure that I even avoid the problem then because I don't know how/if they store data unencrypted on disk temporarily too.
2.) I could create a partition with ramfs and configure rclone to use it for temp & cache and it would be gone when power is off. But since ramfs has no size limit, I could get problems unless I can limit rclone cache and temp somehow? AFAIK the limit setting is not absolute.
3.) Instead of ramfs I could use tmpfs for a rclone temp & cache partition and tmpfs can limit the partition size, but tmpfs can get swapped to disk which defeats the purpose of avoiding unencrypted data stored on disk.
I have 64 GB of RAM so I could easily allocate 10-20 GB for rclone to use when I mount a local encrypted remote and that would presumably give me the best performance but can't really rely on it due to the aforementioned problems with ramfs and tmpfs.
Edit: I've been googling more about ramfs and tmpfs and found something which might work, if I've understood it correctly: I could create a ramfs and then create a fresh, empty disk image on it with e.g. an ext4 file system inside it and then mount it somewhere for rclone temp and cache. Its size would thus have a hard limit and after power off, nothing would be left?
Since I'm also trying to come up with a secure way to handle my rclone.conf and the passwords in it, maybe I could also place a copy of an unencrypted rclone.conf on it for rclone to use when I first mount the local remote and later sync it to Google Drive? So that when sync is completed the ramfs with the image is deleted and thus at most stays in memory until power-off.
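The ramfs-plus-disk-image idea from the edit above, written out as an added example that is not part of the original post or of rclone itself. The mount points, the image size, the remote name `secret:` and the 80% headroom for the VFS cache limit are all assumptions.

```shell
#!/bin/sh
# Added example: RAM-only, size-capped scratch area for rclone cache and temp.
# Paths, sizes, the remote name and the 80% headroom are assumptions.
RAM_DIR=${RAM_DIR:-/mnt/rclone-ram}       # ramfs mount point (hypothetical)
SCRATCH=${SCRATCH:-/mnt/rclone-scratch}   # ext4 image mount point (hypothetical)
SIZE_MIB=${SIZE_MIB:-10240}               # image size = hard cap on RAM used
REMOTE=${REMOTE:-secret:}                 # crypt remote name (hypothetical)
MOUNTPOINT=${MOUNTPOINT:-$HOME/secret}    # where the remote gets mounted

# Root commands that build the scratch area, one per line so they can be reviewed.
setup_plan() {
  cat <<EOF
mkdir -p $RAM_DIR $SCRATCH
mount -t ramfs -o mode=0700 ramfs $RAM_DIR
truncate -s ${SIZE_MIB}M $RAM_DIR/scratch.img
mkfs.ext4 -q -F -m 0 $RAM_DIR/scratch.img
mount -o loop,nosuid,nodev,noexec $RAM_DIR/scratch.img $SCRATCH
install -d -m 0700 -o $(id -u) $SCRATCH/cache $SCRATCH/tmp
EOF
}

# Keep the VFS cache limit below the image size, since the post notes the
# limit is not absolute; the fixed-size ext4 image enforces the hard cap.
cache_cap_mib() { echo $(( $SIZE_MIB * 8 / 10 )); }

# rclone invocation that keeps both cache and temp files inside the image.
mount_cmd() {
  echo "rclone mount $REMOTE $MOUNTPOINT --vfs-cache-mode full" \
       "--cache-dir $SCRATCH/cache --temp-dir $SCRATCH/tmp" \
       "--vfs-cache-max-size $(cache_cap_mib)M"
}

# Run only after the rclone mount itself has been unmounted.
teardown_plan() {
  cat <<EOF
umount $SCRATCH
umount $RAM_DIR
EOF
}

case "${1:-}" in
  up)   setup_plan | sudo sh -ex && mount_cmd ;;   # build, then print the mount command
  down) teardown_plan | sudo sh -ex ;;             # drop the image and the ramfs
esac
```

If the cache fills the image, writes fail with "no space left on device" instead of growing the ramfs without bound.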