Full disk encryption plus making the system partition non-persistent will clear any malware at reboot, and no traces of keys will be left. However, in the short time that any malware is active it has full access to all user data and can steal anything. If, on the other hand, user files are encrypted individually, then malware can only steal the file you're working on.

1. Is there a tool that will automatically do per-file encryption (or per-folder encryption) for an entire partition?

2. Can the same password be used for all individual files/folders, or must it be different because malware can derive the password from the key?
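As an added example (not part of the original question), this is how a per-file encryption scheme can use one password without ever reusing the key itself: a slow KDF turns the password into a master key once, and each file gets an independent subkey from that master key plus a random per-file salt. It uses only the Python standard library; the scrypt parameters, the `b"file-key"` label and the demo password are assumptions.

```python
import os
import hmac
import hashlib

# Constructed example: one password, independent per-file keys.
# The password never becomes a file key directly. Recovering a single
# file's subkey does not reveal the master key or the password, because
# HMAC-SHA256 is one-way with respect to its key and scrypt is one-way
# (and deliberately slow) with respect to the password.

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # illustrative cost; raise N in practice
KEY_LEN = 32                                   # 256-bit keys


def derive_master_key(password: str, vault_salt: bytes) -> bytes:
    """Turn the user's password into a master key. Done once per session,
    so the expensive KDF cost is paid once rather than once per file."""
    return hashlib.scrypt(password.encode("utf-8"), salt=vault_salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                          maxmem=64 * 1024 * 1024, dklen=KEY_LEN)


def derive_file_key(master_key: bytes, file_salt: bytes) -> bytes:
    """Derive the key for one file. file_salt is random per file and is
    stored in the clear beside that file's ciphertext; without master_key
    it is useless to an attacker. The fixed label separates this use of
    the master key from any other subkeys derived from it."""
    return hmac.new(master_key, b"file-key\x00" + file_salt,
                    hashlib.sha256).digest()


def new_file_salt() -> bytes:
    return os.urandom(16)


def demo(password: str = "correct horse battery staple") -> dict:
    """Constructed walkthrough: two files under the same password get
    unrelated keys, and the same file re-derives to the same key. The
    derived key would then feed an AEAD such as AES-GCM (not shown)."""
    vault_salt = os.urandom(16)
    master = derive_master_key(password, vault_salt)
    salt_a, salt_b = new_file_salt(), new_file_salt()
    return {
        "master": master,
        "key_a": derive_file_key(master, salt_a),
        "key_b": derive_file_key(master, salt_b),
        "key_a_again": derive_file_key(master, salt_a),
    }
```

The per-file salt answers the second question directly: the same password is fine, because every file key is a different one-way function of the master key, and neither the password nor the master key can be recovered from any file key.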
