Re: [swsusp] encrypt suspend data for easy wiping
From: Grzegorz Kulewski
Date: Wed Jul 06 2005 - 12:19:41 EST
On Wed, 6 Jul 2005, Pavel Machek wrote:
Hi!
To prevent data gathering from swap after resume you can encrypt the
suspend image with a temporary key that is deleted on resume. Note
that the temporary key is stored unencrypted on disk while the system
is suspended... still it means that saved data are wiped from disk
during resume by simply overwritting the key.
hm, how useful is that? swap can still contain sensitive userspace
stuff.
At least userspace has chance to mark *really* sensitive stuff as
unswappable. Unfortunately that does not work against swsusp :-(.
[BTW... I was thinking about just generating random key on swapon, and
using it, so that data in swap is garbage after reboot; no userspace
changes needed. What do you think?]
I (and many others) are doing it already in userspace. Don't you know
about dm-crypt? I think the idea is described in its docs or wiki...
I also think that doing this in swapon is risky. Because nobody will
guarantee you that random seed was restored before swapon and basing this
random key only on boot time and (rather deterministic) irqs at boot
is risky IMHO.
In userspace, init scripts should make sure that random seed is restored
before using /dev/random for anything.
Grzegorz Kulewski
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/