In some email I received from Niels Provos, sie wrote:
> >What is the point?  What is the threat model that supports such 
> >behavior?  More precisely, why do you want to encrypt your swap 
> >partition?  (Caution:  the rest of this response probably belongs in 
> >tech-crypto instead.)
> As I said in my earlier email, it all depends on what kind of
> adversary you want to protect against.  In the paper, I have tried to
> discuss the various issues.  One of the them is that a user expects
> that sensitive data vanishes with process termination.
> 
> The swap encryption that I descripe in the paper compromises by
> leaving a time frame as window of vulnerability.
> 
> A suspended laptop when stolen has all valid keys in memory.  A system
> that uses a single key including CFS does not protect against this
> threat.
> 
> Once more, to say it thrice, it all depends on your threat model.

Hmmm, could you have per-process keys used for writing encrypted data
to swap space ?  Of course that doesn't solve the "struct proc" question
but it does take it another step towards "process dies, no useful remnants".

Darren