On Mon, Jan 2, 2012 at 9:38 PM, HyperHacker <hyperhacker@gmail.com> wrote:
> Well if you don't encrypt swap, the encryption isn't terribly useful
> as you now have an unencrypted copy of potentially anything in RAM
> stored on the disk... trick is to have enough RAM that you rarely use
> swap.

Some pages can be locked [1] so that they are never swapped to disk.
Modern programs which accept user passwords will map and lock an
anonymous page so the password is only ever in RAM. This is guaranteed
in Linux (except in the case of suspending/hibernating the machine). I
don't think it is generally true based on the specification.

There is no guarantee that everything in RAM will not be mirrored in
swap. In fact, traditionally, RAM is simply a cache for the swap
backing store so you should assume that anything in RAM is mirrored on
disk.

> Personally I approach such things with a "why not?" attitude - for
> virtually no effort I gain significant security. (I don't notice any
> drop in speed, and though I have to enter one more password to unlock
> the disk, I can also safely disable the local login prompt beyond
> that, so the change is neutralized.)

RAM is cheap nowadays. Omitting a swap partition is not unusual.

[1] http://pubs.opengroup.org/onlinepubs/7908799/xsh/mlock.html

-- 
- Patrick Donnelly
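
The technique described in the message above (map an anonymous page and lock it with mlock so a password is never written to swap), as an added C example that is not part of the original post. The names `secret_buf`, `secret_alloc` and `secret_free` are hypothetical, the sample password is constructed, and a POSIX system with `MAP_ANONYMOUS` is assumed.

```c
#define _DEFAULT_SOURCE /* exposes MAP_ANONYMOUS on glibc */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* secret_buf, secret_alloc and secret_free are hypothetical names. */
typedef struct { void *ptr; size_t len; } secret_buf;

/* Map whole anonymous pages and mlock() them so they stay out of swap.
   Returns 0, or -1 with errno set (ENOMEM/EPERM when RLIMIT_MEMLOCK is too
   low). Fails closed: an unlockable mapping is released, never handed out. */
int secret_alloc(secret_buf *b, size_t want)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || want == 0 || want > (size_t)-1 - (size_t)page) {
        errno = EINVAL;
        return -1;
    }
    size_t len = (want + (size_t)page - 1) / (size_t)page * (size_t)page;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    if (mlock(p, len) != 0) {
        int saved = errno;
        munmap(p, len);
        errno = saved;
        return -1;
    }
    b->ptr = p;
    b->len = len;
    return 0;
}

/* Wipe, unlock and unmap. The volatile pointer keeps the compiler from
   discarding the wipe as a dead store before the memory is released. */
int secret_free(secret_buf *b)
{
    volatile unsigned char *v = b->ptr;
    for (size_t i = 0; i < b->len; i++) v[i] = 0;
    int rc = munlock(b->ptr, b->len);
    if (munmap(b->ptr, b->len) != 0) rc = -1;
    b->ptr = NULL;
    b->len = 0;
    return rc;
}

int main(void)
{
    secret_buf b;
    if (secret_alloc(&b, 128) != 0) { perror("secret_alloc"); return 1; }
    strcpy(b.ptr, "constructed-sample-password"); /* constructed sample input */
    printf("locked %zu bytes\n", b.len);
    return secret_free(&b) != 0;
}
```

Copies of the password made outside the locked buffer (stdio buffers, terminal input buffers, stack temporaries) are not covered by the lock, so the secret should be read directly into the locked region.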