Problem:

Hello team,

I'm trying to secure my developer account, the Linux home directory is sitting on top a LUKS encrypted partition.

The idea is that if the machine is stolen then the thief will get a nice bricked system as the encrypted file-system password is asked every time the machine reboots.

Ideally would like to confine any new file creation commands (git clone, cp, tar, etc.) to work only on the home directory and nowhere else on the local file-system.

So what are my options?

• Developers do not have directories where they can write files except the /tmp partition, but encrypting it too may be overkill.
• Can this be enforced with an SE Linux policy?
• GIT_DIR & GIT_WORK_TREE environment variables could be used but that will make things complicated AND does not prevent accidental tar, cp
• I also looked into several implementations of 'encrypted git' like gcrypt but I don't know how mature are those projects. And again once repository is cloned out, you can cp, tar the files outside the encrypted area.

Is this feasible?

Maybe I'm looking at the problem with the wrong perspective, any tips will be really appreciated.

Thanks!

I would recommend making the rootfs read-only and /home read-write.
/tmp should be mounted with a tempfs
https://askubuntu.com/questions/173094/how-can-i-use-ram-storage-for-the-tmp-directory-and-how-to-set-a-maximum-amount