[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [suse-security] SlightlyOT: [was] How do I encrypt the swap (partition[s]) under SuSE 9.3 Prof ?
-----BEGIN PGP SIGNED MESSAGE-----
El 005-11-19 a las 06:36 -0200, Ariel Sabiguero Yawelak escribió:
> > You might consider erasing the swap partition when powering off, using
> > for the purpose "/etc/init.d/halt.local". The perfomance while in use
> > will be better, but halting will be much slower.
> Again you are not 100% sure.
> It has been discussed several times about the posibility of un-erasing erased
> data, but we can consider that unerasing and trying to recover data from swap
> might be not very useful.
Erasing the swap, as it is not a file, and because we are talking
security here, means overwriting the swap data with something else. Even
in that case, data is recoverable, if you have the means; but I suppose
the ordinary thief picking a portable does not have those means, and if he
has those means then he is not ordinary thief and even encryption will not
deter him much.
> But on the other hand, you are leaving your information thief-readable
> whenever halt.local is not executed. If the system does not shut down clearly,
> or the thief knows that he has to unplug the cable (remove the batery) instead
> of initing-6 he is done.
If the thief can get to my PC while running, I have bigger worries. He
might be armed!
> Ok, you can say that whenever *you* shut down the system, then it is "safe",
> and I agree :-)
> It is only a matter of how much you want to be secure and all-data-encription
> is the way to be MORE confident on the solution.
Yes. But I'm not that "paranoid".
As I use "suspend to disk", what worries me is that the password to the
encrypted partitions is saved in clear in the swap partition - this a
pending problem. And encrypting the swap partition would not solve it,
because then I could not suspend to disk, and also I fear that swapping
would be much slower.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Made with pgp4pine 1.76
-----END PGP SIGNATURE-----
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here