[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [suse-security] SlightlyOT: [was] How do I encrypt the swap (partition[s]) under SuSE 9.3 Prof ?

Hash: SHA1

The Monday 2005-11-21 at 10:17 +0100, Dirk Schreiner wrote:

> >>> You might consider erasing the swap partition when powering off, using
> >>> for the purpose "/etc/init.d/halt.local". The perfomance while in use
> >>> will be better, but halting will be much slower.
> >>>
> Erasing is no good idea. Too much can go wrong,
> and you never will find out.


The only thing I can think is that it can not erase for some reason.

> [...]
> >> But on the other hand, you are leaving your information thief-readable
> >> whenever halt.local is not executed. If the system does not shut down clearly,
> >> or the thief knows that he has to unplug the cable (remove the batery) instead
> >> of initing-6 he is done.
> > 
> > If the thief can get to my PC while running, I have bigger worries. He 
> > might be armed! 
> > 
> So you shutdown youre system whenever going to toilet.
> Or for a cup of coffee......
> I know of stolen Laptops during working hours.

And I know of stolen motherboards from the inside of PCs. They took the 
insides and left the iron. With armed guards and entry control points in 
the premises.

No, as I said, I don't worry about that. As I said, if they can get to my 
PC while running to do "bad things", having information readable is the 
least of my worries. They could be armed, kidnap me, and force me to tell 
the passwords and anything.

> > Yes. But I'm not that "paranoid".
> You Should be!
> Or forget thinking about Security.

No! Everything is a compromise. You decide what level of security you want 
and need. I don't need that much security.

I I were working for a bank, or for defense, or a competitive 
investigation project, say, I'd be very paranoid. As I'm not, then I don't 
have to. I don't keep anything in my PC that a thief couldn't get 
otherwise. Bank accounts? He could stole my snail-mail instead, or search 
my desk and cupboards for papers.

> > As I use "suspend to disk", what worries me is that the password to the 
> > encrypted partitions is saved in clear in the swap partition - this a 
> > pending problem. And encrypting the swap partition would not solve it, 
> > because then I could not suspend to disk, and also I fear that swapping 
> > would be much slower.
> Give it a try. On most systems you can switch over in running
> state. (And also back ;-) )

I do use suspend to disk every day, it works fine. Once I suspended during 
a kernel compile. No problem, when it awoke, it continued running.

But if i used a encrypted swap partition, I could not suspend, because it 
would need the decryption password when awakening. The password needs to 
be manual, no automatic.

And otherwise, my system would be much slower when trashing or swapping. 
As I said, I'd be content with the password to my encrypted partition not 
being saved in the swap. That would satisfy my limited paranoia ;-)

- -- 
       Carlos Robinson
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Made with pgp4pine 1.76


Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here