Rootwrap is a security wrapper that lets a service-specific unprivileged user run a number of actions as the root user in the safest manner possible. It mitigates elevation of privilege (EoP), such as when an attacker takes advantage of a running service that has root privileges. The rootwrap.conf file lists the filter definition directories and specifies the command filters to be loaded for them. Because the configuration file is in the trusted security path, it must be owned by and writable only by the root user to prevent tampering.

On a Linux host, enable encryption of the home directory when creating a privileged user to mitigate the threat of information disclosure.

For example, on Ubuntu use the following command:

adduser --encrypt-home <username>

You might want to encrypt only a specific folder of files rather than the whole home directory. In that case, you can use the ~/.Private folder to store keys and configuration files. The data stored in this folder is decrypted when the folder is automatically mounted at logon.
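
The ownership rule for rootwrap.conf stated above can be checked mechanically. The following Python script is an added example, not part of rootwrap itself; it goes one step further than the text by also checking the filter directories and the filter files inside them. It assumes the directories are listed under the filters_path key in the [DEFAULT] section, and the function names and the trusted_uid parameter are made up for this example.

```python
import configparser
import os
import stat
import sys


def audit_path(path, trusted_uid=0):
    """Return a list of problems for one path (an empty list means it passed)."""
    try:
        st = os.stat(path)  # follows symlinks, so the real target is checked
    except OSError as exc:
        return [f"{path}: cannot stat ({exc.strerror})"]
    problems = []
    if st.st_uid != trusted_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {trusted_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path}: group/world writable ({stat.filemode(st.st_mode)})")
    return problems


def audit_rootwrap(conf_path, trusted_uid=0):
    """Audit rootwrap.conf, every filters_path directory and the files in each."""
    problems = audit_path(conf_path, trusted_uid)
    parser = configparser.RawConfigParser()
    try:
        parser.read(conf_path)
    except configparser.Error as exc:
        return problems + [f"{conf_path}: cannot parse ({type(exc).__name__})"]
    # Assumption: filter directories are a comma-separated filters_path value.
    raw = parser.get("DEFAULT", "filters_path", fallback="")
    for directory in filter(None, (d.strip() for d in raw.split(","))):
        problems += audit_path(directory, trusted_uid)
        if os.path.isdir(directory):
            for name in sorted(os.listdir(directory)):
                problems += audit_path(os.path.join(directory, name), trusted_uid)
    return problems


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit_rootwrap.py /path/to/rootwrap.conf")
    findings = audit_rootwrap(sys.argv[1])
    print("\n".join(findings) or f"{sys.argv[1]}: OK")
    sys.exit(1 if findings else 0)
```

A non-zero exit status means at least one path in the trusted chain is not owned by root or can be written by a group or by other users.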