Goal: Encrypt/secure and access sensitive files (PDFs, etc.) locally.
Method 1: Store files in a VeraCrypt file-hosted volume (container).
Concern: Data Leaks. When mounting and reading files from a VeraCrypt container, there is a possibility that
. . . operating system and third-party applications may write to unencrypted volumes (typically, to the unencrypted system volume) unencrypted information about the data stored in the VeraCrypt volume . . . or the data itself in an unencrypted form (temporary files, etc.) . . .
Method 2: Store VeraCrypt container as an attachment inside a KeePass 2.x database.
When accessing a file attachment inside a KeePass 2.x database, the following message appears:
KeePass has extracted the attachment to a (EFS-encrypted) temporary file and opened it using an external application. After view/editing and closing the file in the external application, please choose how to continue:
Import: replace the attachment by the (modified) temporary file.
Discard Changes: discard changes made to the temporary file and do not modify the current attachment.
In any case, KeePass will securely delete the temporary file afterwards.
Questions
- Does method 2 address data leak vulnerabilities present when accessing files via method 1?
- Is there a "better" way to secure and access files?
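
One way to observe the leak described in the concern above is to snapshot the directories an application may write to, open the file from the mounted volume, snapshot again, and list what was created or changed outside the mount point. This is an added example, not part of the original post and not VeraCrypt or KeePass code; the directory names, file names and the `demo` helper are constructed stand-ins.

```python
import os
import tempfile

def snapshot(roots):
    """Map path -> (size, mtime_ns) for every regular file under the watched roots."""
    state = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.stat(path)
                except OSError:  # file vanished between walk and stat
                    continue
                state[path] = (st.st_size, st.st_mtime_ns)
    return state

def _inside(path, parent):
    try:
        return os.path.commonpath([path, parent]) == parent
    except ValueError:  # e.g. different drive letters on Windows
        return False

def written_outside(before, after, mount_point):
    """Files created or changed between snapshots that are not on the mounted volume."""
    mount = os.path.realpath(mount_point)
    return sorted(
        path for path, meta in after.items()
        if before.get(path) != meta and not _inside(os.path.realpath(path), mount)
    )

def demo():
    # Constructed stand-ins: 'mount' plays the mounted container, 'tmp' the system temp dir.
    with tempfile.TemporaryDirectory() as base:
        mount, tmp = os.path.join(base, "mount"), os.path.join(base, "tmp")
        os.makedirs(mount); os.makedirs(tmp)
        with open(os.path.join(mount, "report.pdf"), "wb") as f:
            f.write(b"%PDF-constructed")
        before = snapshot([mount, tmp])
        # Simulate a viewer: it saves an edit inside the container and drops a temp copy outside it.
        with open(os.path.join(mount, "notes.txt"), "w") as f:
            f.write("kept inside the container")
        with open(os.path.join(tmp, "report.pdf.tmp"), "wb") as f:
            f.write(b"%PDF-constructed")
        after = snapshot([mount, tmp])
        return [os.path.basename(p) for p in written_outside(before, after, mount)]

if __name__ == "__main__":
    print(demo())
```

A snapshot diff only sees files that still exist at the second snapshot; temporary files that were created and deleted in between, and data written into existing system files such as swap or hibernation files, do not show up.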