> I was just searching for swap-encryption-solutions in the lkml-archive.
> Did I get the point saying ther's no way to do swap encryption
> in linux right now? (Well, a swapfile in an encrypted kerneli
> partition r something like that is not really what I want to
> do I think).
What's the benefit? Sure, attackers have to know that encrypted swap is
in use, and have to be able to find the key in memory, but they already
can do both if they're root, and non-root can't [shouldn't be able to]
read swap devices on a properly secured machine. Swap isn't meant for
storage across reboots/remounts, which is the only reason I can think of
for using encrypted loopback. Once it's mounted, unless you have to enter
the password for every write, or unless it locks after some period of
inactivity (locking swap and requiring the password to unlock it sounds
like a fun proposition when the vm needs to swap), it's insecure until
it's locked/unmounted again. Unmounting swap in a running system isn't
typical behavior.
justin
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/