Re: [swsusp] encrypt suspend data for easy wiping
From: Pavel Machek
Date: Tue Jul 26 2005 - 17:18:12 EST
> > > the attached patches are acked by Pavel and signed off by me
> > OK, well I queued this up, without a changelog. Because you didn't send
> > one. Please do so. As it adds a new feature, quite a bit of info is
> > relevant.
> I don't like this patch. It reinvents a fair amount of dm_crypt and
> cryptoloop but badly.
> Further, the model of security it's using is silly. In case anyone
> hasn't noticed, it stores the password on disk in the clear. This is
> so it can erase it after resume and thereby make recovery of the
> suspend image hard.
> But laptops get stolen while they're suspended, not while they're up
> and running. And if your box is up and running and an attacker gains
> access, the contents of your suspend partition are the least of your
> worries. It makes no sense to expend any effort defending against this
> case, especially as it's liable to become a barrier to doing this
> right, namely with real dm_crypt encrypted swap.
Well, "how long are my keys going to stay in swap after
swsusp"... that's pretty scary.
To prevent "stolen while suspended" case... you'd either need to enter
password both during suspend and during resume, or you'd need
asymetric crypto... Rather heavy.
> At the very least, this should be renamed SWSUSP_QUICK_WIPE and any
> mention of encryption should be taken out of the description so users
> don't mistakenly think it provides any sort of useful protection.
SWSUSP_WIPE seems like a better name, right.
teflon -- maybe it is a trademark, but it should not be.
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/