RE: encrypting swap
> From: Alexander Schreiber
>
> The idea is not to protect you from someone gaining access as root to the
> _running_ machine. Rather the scenario is as follows:
>
> - you have a machine with sensitive data - a laptop for instance
> - whenever the machine is running, it is sufficiently secure from
> direct unauthorized access (because it is locked down real tight ->
> no unauthorized remote root access, you are sitting in front of it
> -> no unauthorized console access),
> - what happens if someone gains physical access to the machine after you
> turned it off - for instance it gets stolen?
> - attacker has physical access, so he can do _everything_ to the system
> to get at your data
> - all filesystems are encrypted, so no way to access them
> - _but_ the swap is normally wide open and very likely contains some
> sensitive data (paged out pages from processes handling said data),
> maybe even the password to access the filesystems
>
> This is where encrypted swap comes in: without the key, even the swapspace
> contains only garbage. The key is generated new at each boot (with enough
> random in it, maybe by doing an md5sum of ps -auxwww), and then throwing away
> the key. This way the swap cannot be decrypted after reboot.
Stay with your laptop example.
1) You switch the laptop completely off (no suspend to disk!). Then
there may remain sensitive data on the swap partition.
Solution: Just overwrite the swap partition with zeroes on shutdown:
swapoff, then dd if=/dev/zero of=/dev/hda<whatever> ...
You could even go more sophisticated by changing sys_swapoff() in such a
way that when unregistering a swap partition, the kernel goes through the
swap partition's swap_map[] and just overwrites the swap pages that were
actually in use. Then, the swapoff would clean the swap partition
automatically.
2) You go to a suspend state. Then you also should erase the swap
partition, but now before going to suspend. This may be more complicated
than in the first case.
2.1) If you use a method like swsusp, i.e. going to suspend
under control of Linux, then you can umount and clean the swap prior to
switching to suspend.
2.2) If you use the Laptop-BIOS to go to suspend, then you
have a problem because (as far as I know) there are no hooks to register
some routine doing the swap cleaning.
I don't like very much the idea of an encrypted swap because of the large
performance penalty you're going to suffer.
Regards,
Thomas.
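The shutdown-time wipe from point 1) of the reply above, written out as a small POSIX shell script. This is an added example, not code from the original thread or from either author; the swap device path is an assumption (set via the hypothetical SWAP_DEVICE variable), and the wipe function also accepts a regular file so it can be exercised on a swap file or a scratch file. Zeroing destroys the swap signature, so the script re-runs mkswap afterwards; otherwise the next boot's swapon fails.

```shell
#!/bin/sh
# Added example (not from the original post): zero a swap area at shutdown
# so that paged-out data does not survive a power-off. Assumptions: GNU/Linux
# userland (blockdev, mkswap, swapoff); the device path is site-specific.

# Size in bytes of a block device or a regular file (swap file).
swap_size_bytes() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        stat -c %s "$1"
    fi
}

# Overwrite the whole swap area with zeroes. conv=notrunc keeps a regular
# file at its original size; for a block device it is harmless.
wipe_swap_area() {
    size=$(swap_size_bytes "$1")
    head -c "$size" /dev/zero | dd of="$1" conv=notrunc 2>/dev/null
    sync
}

# Verification helper: true if the area contains nothing but NUL bytes.
is_zeroed() {
    [ "$(tr -d '\000' < "$1" | wc -c)" -eq 0 ]
}

# Shutdown sequence from the reply: swapoff, zero the area, then recreate
# the swap header so the next boot can swapon it again. swapoff only
# succeeds if the kernel can page everything back in, so check its status.
wipe_swap_on_shutdown() {
    dev=$1
    if ! swapoff "$dev"; then
        echo "swapoff $dev failed; swap not wiped" >&2
        return 1
    fi
    wipe_swap_area "$dev"
    mkswap "$dev" >/dev/null
}

# Only act when a device is given explicitly, e.g. from a shutdown hook:
#   SWAP_DEVICE=/dev/hdaN sh wipe-swap.sh
if [ -n "${SWAP_DEVICE:-}" ]; then
    wipe_swap_on_shutdown "$SWAP_DEVICE"
fi
```

Note that this only covers the "switched completely off" case; for suspend-to-disk the wipe has to run before the image is written, which is the 2.1)/2.2) distinction the reply makes.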
Kernel-audit: discussion list for security and the linux kernel
Archive: http://mail.nl.linux.org/kernel-audit/