Just mark those blocks as bad RAM and then the kernel will route around them.

Append only permissions.

Encrypted deltas.

Basically the time of the connection is the name of the only that folder that you have access to.

You can also setup a yubikey (or nitrokey) that requires you to physically process and would be immune to the host being compromised.

Them, completely failing to realize that isn’t the hard part.

This is

https://github.com/fosslinux/live-bootstrap

Because instead of a massive set of binary blobs, you have a small set of simple tools with easy to implement specifications. That result in everything you need.