[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [suse-security] SlightlyOT: [was] How do I encrypt the swap (partition[s]) under SuSE 9.3 Prof ?

Hash: SHA1

El 005-11-19 a las 06:36 -0200, Ariel Sabiguero Yawelak escribió:

> > You might consider erasing the swap partition when powering off, using
> > for the purpose "/etc/init.d/halt.local". The perfomance while in use
> > will be better, but halting will be much slower.
> > 
> Again you are not 100% sure.
> It has been discussed several times about the posibility of un-erasing erased
> data, but we can consider that unerasing and trying to recover data from swap
> might be not very useful.

Erasing the swap, as it is not a file, and because we are talking 
security here, means overwriting the swap data with something else. Even 
in that case, data is recoverable, if you have the means; but I suppose 
the ordinary thief picking a portable does not have those means, and if he 
has those means then he is not ordinary thief and even encryption will not 
deter him much.

> But on the other hand, you are leaving your information thief-readable
> whenever halt.local is not executed. If the system does not shut down clearly,
> or the thief knows that he has to unplug the cable (remove the batery) instead
> of initing-6 he is done.

If the thief can get to my PC while running, I have bigger worries. He 
might be armed! 

> Ok, you can say that whenever *you* shut down the system, then it is "safe",
> and I agree :-)
> It is only a matter of how much you want to be secure and all-data-encription
> is the way to be MORE confident on the solution.

Yes. But I'm not that "paranoid".

As I use "suspend to disk", what worries me is that the password to the 
encrypted partitions is saved in clear in the swap partition - this a 
pending problem. And encrypting the swap partition would not solve it, 
because then I could not suspend to disk, and also I fear that swapping 
would be much slower.

- -- 
       Carlos Robinson

Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Made with pgp4pine 1.76


Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here