Re: LVM+RAID+CRYPT
Ross Boylan put forth on 1/8/2010 1:53 PM:
> On Fri, 2010-01-08 at 05:26 -0600, Stan Hoeppner wrote:
>>
>> Never run encryption on swap. Doing so merely burdens performance. I
>> doubt
>> even NSA, CIA, MI6 encrypt swap partitions on workstations.
> This is completely contrary to the advice of the encryption folks.
Car salesmen want to sell you a new car too, not that you necessarily need a new
one.
> You MUST encrypt swap in order for your system to be secure; otherwise
> secrets in RAM may be recoverable from the swap partition.
*MUST*? Always be careful when stating absolutes. There is always more than
one way to skin a cat. Such as adding the following to rc.local:
/sbin/swapoff -a
/bin/dd if=/dev/zero of=/dev/sda5
changing sda5 to your swap partition device ID or filename if you're using a
swap file instead of a partition. Depending on your disk speed and swap device
size it'll add anywhere from 15 secs up to a minute or so to your shutdown time.
But your swap will be zero'd. Zeros can't be decrypted, even if a cracker
somehow got hold of the keys to the kingdom. ;)
--
Stan
Reply to: