[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Pkg-gnupg-maint] Bug#598471: using insecure memory on GNU/kFreeBSD

2010/11/13 Werner Koch <wk@gnupg.org>:
> I can't see why encrypting the swap puts an additional burden on the
> user or on the machine.

This depends on whether it's the default setting or not.  If it's not,
it definitely does (just the burden of figuring out what the heck is
wrong is already significant for many users).

> Even without having done any benchmarks
> I'd enable swap encryption by default.

I second that.  kFreeBSD disk encryption supports generating
one-time keys, which works well for swap:

  geli onetime -s 4096 /dev/something
  swapon /dev/something.eli

For that we're missing a port of "geli" utility, figuring out some init.d
magic that would replace (or integrate with) "swapon -a", and
integration with D-I to set the whole thing up.

I don't have time to work on this myself. Unless someone else does,
I'd still recommend adding the SUID bit as a temporary solution.

What do debian-bsd folks think about this?

P.S. I suggest you update that FAQ ; -)

Robert Millan

Reply to: