Best practices with respect to hard drive reconstruction

Question

I would like to be able to store encrypted information on my computer, that no one else is able to read without the right password, even if they have complete access to the computer.

There are of course many programs that claim to (/are claimed to) achieve this. And of course, they probably achieve this within their narrowly defined scopes.

Question: once I have decrypted an encrypted file, how do I make sure that the information is not written in plain text to hard drive somewhere?

(it seems this could happen for several reasons, for example in memory/hard drive swapping, or by human error)

If I understand correctly, hard drive content can be recovered even after several rewrites.

Related question: can one safely assume that information stored in RAM cannot be recovered once overwritten?

Related question: what other similar traps might one fall into when trying to use encryption software?

I use Ubuntu, but ideally I am looking for principles that will avoid stupid mistakes.

Answer 1

Question: once I have decrypted an encrypted file, how do I make sure that the information is not written in plain text to hard drive somewhere?

You use full disk encryption, so that no matter where it is written, it will be written encrypted. This includes swap and all user writeable spaces - excluding only a small boot partition that is not encrypted.

If you do not encrypt the whole disk, you have the risk of remapping sectors leaving unencrypted data around, or that it's written to the wrong location. Encryption does not provide enough overhead to negate the benefits of it.

Related question: can one safely assume that information stored in RAM cannot be recovered once overwritten?

Yes, that's an safe assumption. Also it's fairly irretrievable once the computer has been powered off for >minutes.

Related question: what other similar traps might one fall into when trying to use encryption software?

Leaking key material, leaking cleartext, leaking passphrases, backdoors and similar. It depends a lot on what crypto system. If you use encrypted e-mail it's fairly easy to secure against an attacker having access to only the ciphertext. It's a lot harder to secure against an attacker on your own computer.