From: Brian T.Schellenberger
To: Damage, freebsd-questions@FreeBSD.ORG
Subject: Re: encrypted swap
Date: Mon, 27 Aug 2001 21:59:14 -0400

On Monday 27 August 2001 05:03, Damage wrote:
> Hello,
>
> Can someone point me to helpful reference on building encrypted swap under
> FBSD 4.x? I've been doing a little reading up on 'cfs' and searched through
> TrustedBSD to no avail.

I use cfs, and it's pretty cool, but swap space doesn't use a file system in the usual sense, so you couldn't use it for that, I don't think.

But I wonder why you want to encrypt swap, anyway; it would be dreadfully slow.

I have two suggestions for making sure that your security isn't broken via swap vulnerabilities:

First, memory is cheap these days. Buy enough memory to truly meet your needs and then simply disable swap altogether. No memory is persisted, no worries.

Second, if you don't like that . . .

Remember, anybody who can read swap on the live machine must have root access, in which case they can read /dev/kmem, in which case, encrypting swap won't protect you.

So hopefully you are more worried about somebody getting information from the machine after it's shut down. Why not just add some code to the shutdown sequence, after the swap is turned off, to re-write the swap space with zeros or something?
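The shutdown-time wipe suggested in the reply above could look like the following sketch, which is an added example and not code from the original message. It assumes swap has already been turned off, that the active-swap listing is supplied as text (on FreeBSD it would come from `swapinfo`), and all function names are hypothetical.

```sh
# Added example. The active-swap listing is passed in as text; assumption:
# the device name is its first column, as in `swapinfo` output.

# Print the device field of every fstab entry whose type is "swap".
swap_devices() {
    awk '$1 !~ /^#/ && $3 == "swap" { print $1 }' "$1"
}

# Succeed if device $1 appears in the first column of listing $2.
is_active() {
    printf '%s\n' "$2" | awk -v d="$1" '$1 == d { f = 1 } END { exit !f }'
}

# Overwrite $1 with zeros, rounding its length up to a whole 512-byte
# sector. wc -c reads the target to learn its size, so this works for a
# partition and for the regular files used as stand-ins below.
zero_fill() {
    sectors=$(( ($(wc -c < "$1") + 511) / 512 ))
    dd if=/dev/zero of="$1" bs=512 count="$sectors" conv=notrunc 2>/dev/null
}

# Succeed only if $1 contains nothing but zero bytes.
is_all_zero() {
    [ $(tr -d '\000' < "$1" | wc -c) -eq 0 ]
}

# wipe_swap FSTAB ACTIVE_LISTING: zero each fstab swap device that is no
# longer active. Prints one status line per device; returns 1 if any
# device was skipped or failed verification.
wipe_swap() {
    problems=0
    for dev in $(swap_devices "$1"); do
        if is_active "$dev" "$2"; then
            echo "SKIP $dev still active"; problems=1
        elif zero_fill "$dev" && is_all_zero "$dev"; then
            echo "WIPED $dev"
        else
            echo "FAIL $dev"; problems=1
        fi
    done
    return $problems
}

# Demo on constructed stand-in files (no real device is touched).
demo_dir=$(mktemp -d)
printf 'leftover-passphrase' > "$demo_dir/swap0"
printf '%s none swap sw 0 0\n' "$demo_dir/swap0" > "$demo_dir/fstab"
wipe_swap "$demo_dir/fstab" "Device 1K-blocks Used Avail Capacity"
rm -rf "$demo_dir"
```

The refusal to touch a device that still appears in the active listing is the important guard: zeroing swap that the kernel is still paging to would corrupt the running system.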