For those of you who are using linux: Are you using secure boot? I.e. is your bootloader configured to only decrypt your disk and boot your OS, while blocking all “booting from USB stick” and such?
I’m asking because i’m considering a very specific attack vector, through which a sufficiently skilled agent (e.g. FBI, CIA) could install a keylogger into your OS and get access to your sensitive data that way, even when your disk is encrypted and without your knowledge.
I don’t see it as necessary. I have full disk encryption set up, which is sufficient to protect my data at rest. Even if I had secure boot set up, a sufficiently skilled agent could physically install a USB sniffer in my keyboard, flash a malicious BIOS to my motherboard, or just install a hidden camera to watch me type my password. And many TPMs have vulnerabilities that I’m sure government agencies are able to exploit.