Subject: Re: encrypted swap?
To: Niels Provos <provos@citi.umich.edu>
From: Darren Reed <darrenr@reed.wattle.id.au>
List: tech-kern
Date: 06/05/2001 17:54:13
In some email I received from Niels Provos, sie wrote:
> >What is the point? What is the threat model that supports such
> >behavior? More precisely, why do you want to encrypt your swap
> >partition? (Caution: the rest of this response probably belongs in
> >tech-crypto instead.)
> As I said in my earlier email, it all depends on what kind of
> adversary you want to protect against. In the paper, I have tried to
> discuss the various issues. One of the them is that a user expects
> that sensitive data vanishes with process termination.
>
> The swap encryption that I descripe in the paper compromises by
> leaving a time frame as window of vulnerability.
>
> A suspended laptop when stolen has all valid keys in memory. A system
> that uses a single key including CFS does not protect against this
> threat.
>
> Once more, to say it thrice, it all depends on your threat model.
Hmmm, could you have per-process keys used for writing encrypted data
to swap space ? Of course that doesn't solve the "struct proc" question
but it does take it another step towards "process dies, no useful remnants".
Darren