For those of you who are using linux: Are you using secure boot? I.e. is your bootloader configured to only decrypt your disk and boot your OS, while blocking all “booting from USB stick” and such?
I’m asking because i’m considering a very specific attack vector, through which a sufficiently skilled agent (e.g. FBI, CIA) could install a keylogger into your OS and get access to your sensitive data that way, even when your disk is encrypted and without your knowledge.
Secure boot can be made secure in principle. The internal disk is encrypted, the bootloader stores the cryption key internally. When you change which OS is booted, the bootloader refuses to give out the key or deletes the key altogether. For one, you would immediately noticed that your OS was tampered with. For two, even when an alternative OS manages to boot, it can’t read your data.