Even with a fully encrypted system (root and swap partitions), your data is still vulnerable while your computer is on. That's why Bruce Schneier recommends a two-tier encryption strategy.

The idea is that infrequently used files are moved to a separate partition, encrypted with a different key. That way, the bulk of your data files is protected even if your laptop is hijacked or if an intruder manages to steal some files while your main partition is decrypted.

On Debian and Ubuntu, a secure archive area can be created easily using an encrypted loopback partition and the cryptmount package.

Add this to /etc/cryptmount/cmtab:

archives {
  dev=/home/francois/.archives
  dir=/home/francois/archives
  fstype=ext4
  fsoptions=defaults,noatime

  keyfile=/home/francois/.archives.key
  keyformat=builtin
  keyhash=sha512
  keycipher=aes-xts-plain64
  cipher=aes-xts-plain64
}

Create the key and the 3GB loopback partition:

sudo cryptmount --generate-key 32 archives
sudo chown francois:francois .archives.key
dd if=/dev/zero of=.archives bs=1G count=3
mkdir archives
sudo cryptmount --prepare archives
sudo mkfs.ext4 -m 0 /dev/mapper/archives
sudo cryptmount --release archives

Fix the permissions so that you can write to this partition with your normal user account:

cryptmount archives
cd archives
sudo chown francois:francois .
cryptmount -u archives

Then you can mount and umount that partition using:

cryptmount archives

and:

cryptmount -u archives