Re: [swsusp] encrypt suspend data for easy wiping
From: Pavel Machek
Date: Tue Jul 26 2005 - 17:27:00 EST
> > > the attached patches are acked by Pavel and signed off by me
> > OK, well I queued this up, without a changelog. Because you didn't send
> > one. Please do so. As it adds a new feature, quite a bit of info is
> > relevant.
> I don't like this patch. It reinvents a fair amount of dm_crypt and
> cryptoloop but badly.
> Further, the model of security it's using is silly. In case anyone
> hasn't noticed, it stores the password on disk in the clear. This is
> so it can erase it after resume and thereby make recovery of the
> suspend image hard.
> But laptops get stolen while they're suspended, not while they're up
> and running. And if your box is up and running and an attacker gains
> access, the contents of your suspend partition are the least of your
> worries. It makes no sense to expend any effort defending against this
> case, especially as it's liable to become a barrier to doing this
> right, namely with real dm_crypt encrypted swap.
I do not see why it should be liability. Even if you "properly"
encrypt the swap, you'll want to wipe old data after resume.
If you take the random key (currently used), and encrypt with public
key; then ask for private key on reboot; it should do the trick.
teflon -- maybe it is a trademark, but it should not be.
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/