Re: wait until swapoff is *actually* finished (it returns too early)?
Pierre-Elliott Bécue dixit:
>> In a cronjob, I basically do swapoff && cryptdisks_stop && \
>> cryptdisks_start && swapon for both swaps individually to throw away
>> the old encryption key regularly (but not too frequently).
>
>Ooc, what do you expect to actually gain from this setup?
Encryption key rotation. Pages encrypted with the old key
are no longer readable afterwards. This is for long-running
VMs, on hoster infra, mostly (so the hoster could snapshot
the storage any time (ok, they could also snapshot the RAM,
but…)).
This is to get a bit closer to swapencrypt on BSD, which
uses separate keys for each page or set of pages, AIUI.
bye,
//mirabilos
--
As long as you don't do dirty tricks, and I mean *really* dirty
tricks, like XORing both pointers of a doubly linked list and storing
them in a single word, Boehm works splendidly. -- Andreas Bogk on
boehm-gc in d.a.s.r
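The rotation procedure quoted above (swapoff, cryptdisks_stop, cryptdisks_start, swapon), written out as a script that checks /proc/swaps before tearing down the mapping instead of trusting swapoff's return alone. This is an added example, not code from the thread or from Debian's cryptsetup package; it assumes a Debian-style crypttab mapping whose name is passed as the argument (the names cswap1/cswap2 in the sample are placeholders), and the swap_is_active helper is a pure function so the parsing can be checked offline against constructed /proc/swaps text.

```shell
#!/bin/sh
# Added example: rotate a dm-crypt swap key by re-creating the mapping,
# proceeding only once the kernel no longer lists the device as swap.
# Assumes the cryptdisks_stop/cryptdisks_start helpers named in the thread
# and a /etc/crypttab entry for the mapping name given as $1 (placeholder).

# Return 0 if DEVICE appears as an active swap in the /proc/swaps-style
# text read from stdin, 1 otherwise. Pure function: no system access.
swap_is_active() {
    device="$1"
    # Header line is skipped; the first column is the device path.
    awk -v dev="$device" 'NR > 1 && $1 == dev { found = 1 }
                          END { exit found ? 0 : 1 }'
}

# Poll /proc/swaps until DEVICE is gone or TIMEOUT seconds have elapsed.
wait_swap_gone() {
    device="$1"
    timeout="${2:-60}"
    i=0
    while swap_is_active "$device" < /proc/swaps; do
        i=$((i + 1))
        if [ "$i" -ge "$timeout" ]; then
            echo "swapoff of $device still not finished after ${timeout}s" >&2
            return 1
        fi
        sleep 1
    done
    return 0
}

# Full rotation for one crypttab mapping name (e.g. cswap1, a placeholder).
rotate_swap_key() {
    name="$1"
    device="/dev/mapper/$name"
    swapoff "$device" || return 1
    # Do not tear down the mapping while the kernel still lists it as swap.
    wait_swap_gone "$device" 60 || return 1
    cryptdisks_stop "$name" || return 1
    cryptdisks_start "$name" || return 1
    swapon "$device"
}

# Run only when a mapping name is supplied, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    rotate_swap_key "$1"
fi
```

Run as root with the mapping name from /etc/crypttab, once per swap device, from the cron job; a non-zero exit from wait_swap_gone leaves the old mapping in place rather than racing cryptdisks_stop against a device that is still in use.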