Re: encrypted swap

Thomas Pornin (Thomas.Pornin@ens.fr)
Tue, 7 Aug 2001 21:15:44 +0200


In article <D52B19A7284D32459CF20D579C4B0C0211C9A8@mail0.myrio.com> you write:
> Now that laptop is stolen at an airport.

This is indeed the target of choice for a disk-encrypting software.
But you need to encipher three zones:
-- the swap space, as you stated
-- the whole filesystem itself, because you do not know if your favorite
word-processor won't create temporary files (well, maybe you can
limit yourself to /home and /tmp)
-- the zone that the machine uses for the "suspend to disk" option ;
and I guess that one will be tricky. A potential solution, which covers
also the "suspend to memory" option, is to encipher all data in physical
memory when there is a suspend operation. Only the kernel, including
the code wich asks for the deciphering key, remains clear.

About performance: modern cryptosystem on modern cpus run at about
2 cycles per bit of data.

--Thomas Pornin
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/