Date:      Tue, 26 Feb 2008 13:17:51 +0100
From:      Pawel Jakub Dawidek <pjd@FreeBSD.org>
To:        Atom Smasher <atom@smasher.org>
Cc:        hackers@freebsd.org
Subject:   Re: Security Flaw in Popular Disk Encryption Technologies
Message-ID:  <20080226121750.GF77530@garage.freebsd.pl>
In-Reply-To: <20080223010856.7244.qmail@smasher.org>
References:  <20080223010856.7244.qmail@smasher.org>

On Sat, Feb 23, 2008 at 02:08:54PM +1300, Atom Smasher wrote:
> article below. does anyone know how this affects eli/geli?
>
> from the geli man page: "detach - Detach the given providers, which means
> remove the devfs entry and clear the keys from memory." does that mean
> that geli properly wipes keys from RAM when a laptop is turned off?

Yes, geli tries to clear sensitive information on detach (mostly keys).
I use a script to suspend my laptop, which detaches my encrypted partition
before suspend. In Perforce I have suspend/resume geli(8) subcommands that
help a bit here - on the 'geli suspend' command the keys are cleared and
all I/O requests are suspended until 'geli resume' provides proper keys.
This way one doesn't have to unmount file systems to allow 'geli detach'
to succeed.

Of course even if keys are cleared there could still be important data
in RAM (e.g. the file system's buffer cache).

--
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
