Re: LVM+RAID+CRYPT

To: debian-user@lists.debian.org
Subject: Re: LVM+RAID+CRYPT
From: Stan Hoeppner <stan@hardwarefreak.com>
Date: Fri, 08 Jan 2010 15:32:13 -0600
Message-id: <[🔎] 4B47A45D.4090107@hardwarefreak.com>
In-reply-to: <[🔎] 1262980432.15072.64.camel@corn.betterworld.us>
References: <[🔎] 201001081213.14162.sjors@desjors.nl> <[🔎] 4B47166D.8070401@hardwarefreak.com> <[🔎] 1262980432.15072.64.camel@corn.betterworld.us>

Ross Boylan put forth on 1/8/2010 1:53 PM:
> On Fri, 2010-01-08 at 05:26 -0600, Stan Hoeppner wrote:
>>
>> Never run encryption on swap.  Doing so merely burdens performance.  I
>> doubt
>> even NSA, CIA, MI6 encrypt swap partitions on workstations.

> This is completely contrary to the advice of the encryption folks.  

Car salesmen want to sell you a new car too, not that you necessarily need a new
one.

> You MUST encrypt swap in order for your system to be secure; otherwise
> secrets in RAM may be recoverable from the swap partition.

*MUST*?  Always be careful when stating absolutes.  There is always more than
one way to skin a cat.  Such as adding the following to rc.local:

/sbin/swapoff -a
/bin/dd if=/dev/zero of=/dev/sda5

changing sda5 to your swap partition device ID or filename if you're using a
swap file instead of a partition.  Depending on your disk speed and swap device
size it'll add anywhere from 15 secs up to a minute or so to your shutdown time.
 But your swap will be zero'd.  Zeros can't be decrypted, even if a cracker
somehow got hold of the keys to the kingdom. ;)

--
Stan

Reply to:

Follow-Ups:
- Re: LVM+RAID+CRYPT
  - From: Mark Allums <mark@allums.com>

References:
- LVM+RAID+CRYPT
  - From: Sjors van der Pluijm <sjors@desjors.nl>
- Re: LVM+RAID+CRYPT
  - From: Stan Hoeppner <stan@hardwarefreak.com>
- Re: LVM+RAID+CRYPT
  - From: Ross Boylan <ross@biostat.ucsf.edu>

Prev by Date: Re: LVM+RAID+CRYPT
Next by Date: Hosting in the US
Previous by thread: Re: LVM+RAID+CRYPT
Next by thread: Re: LVM+RAID+CRYPT
Index(es):
- Date
- Thread