Subject: Re: questions about netbsd
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: David Maxwell <firstname.lastname@example.org>
Date: 02/10/2003 00:01:15
On Sun, Feb 09, 2003 at 09:07:14PM -0500, der Mouse wrote:
> >> What attack scenario are you concerned about, such that you want
> >> that feature?
> > What's the use of an encrypted filesystem if you have no encrypted
> > swap ?
What's the use of having passwords if someone can shoot you and take the

As der Mouse said, there are lots of different factors at work here.

As for solutions - well, that depends on your attack scenario - which is
why I asked.

In some cases, configuring no swap space might be an answer.

A smart application might use mlock(2) for sensitive data pages.

swap on cgd, either through a file or (suggested elsewhere in this
thread) directly? (I haven't tried cgd yet.)

At shutdown time, use swapctl -d to delete the swap partition, and
overwrite the partition with your favorite sequence of 'secure'
scrubbing checkerboards, etc. (Leaves you with a different attack
requirement than encrypted swap - but for 'my' attackers, I'll bet
reading overwritten disk blocks is harder than cracking a symmetric
> ...huh? It makes it harder for a putative attacker to get at your
>
> Getting data off an unencrypted filesystem borders on trivial.
> Getting data off an unencrypted swap area is not nearly as trivial.
> First, the data may not even be there; most machines have enough
> filesystem space that it couldn't all fit into swap even if it tried,
> which means that at least some, usually most, of the filesystem data
> simply isn't there in swap. If it is there, finding it can be
> difficult; telling whether it's the current version can verge on
> impossible. It is most certainly harder than getting it off an
> unencrypted filesystem.
>
> Security is a matter of degree. It's harder to get data off a machine
> with encrypted filesystem and unencrypted swap than a similar machine
> with both unencrypted. (Both encrypted, of course, is harder yet. But
> just because the middle one is weaker than the third doesn't make it no
> better than the first.)
>
> Of course, running with encrypted filesystem and unencrypted swap and
> thinking you're as secure as the encryption on your filesystem is
> dangerously close to deluding yourself. But that doesn't make
> encrypted filesystems useless in the presence of unencrypted swap; it
> just means that you have to know your system and its exposures to make
> intelligent decisions about what it's safe to entrust to that system.
> /~\ The ASCII der Mouse
> \ / Ribbon Campaign
> X Against HTML email@example.com
> / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
David Maxwell, firstname.lastname@example.orgemail@example.com --> Although some of you out
there might find a microwave oven controlled by a Unix system an attractive
idea, controlling a microwave oven is easily accomplished with the smallest
of microcontrollers. - Russ Hersch - (Microcontroller primer and FAQ)
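Editor's added example, not code from this thread or from NetBSD: a POSIX sh sketch of the shutdown-time scrub David describes above, i.e. detach the swap partition with swapctl -d and then overwrite it with a sequence of fixed patterns, random data and zeros. The device path, the explicit byte-count argument, the 0x55/0xAA checkerboard pass order and the 512-byte granularity are my own assumptions; the thread only says "your favorite sequence of 'secure' scrubbing checkerboards". The scrub routine is exercised on a regular file so it can be run without root; scrub_swap itself is only meaningful on a NetBSD host with a real swap partition.

```shell
#!/bin/sh
# Added example (not from the original thread): scrub a swap partition at
# shutdown - detach it with swapctl -d, then overwrite it with several
# passes. Device path, byte count and pass order are assumptions made
# for this example, not anything the thread specifies.
set -eu

# One pass of a fixed byte value (octal, e.g. 125 = 0x55) over the first
# $2 bytes of $1. The size is handled in 512-byte sectors so dd never
# writes past the end of a partition-sized target.
write_pattern_pass() {
    dev=$1; bytes=$2; octet=$3
    dd if=/dev/zero bs=512 count="$((bytes / 512))" 2>/dev/null \
        | tr '\000' "\\$octet" \
        | dd of="$dev" bs=64k conv=notrunc 2>/dev/null
}

# One pass of /dev/urandom output over the first $2 bytes of $1.
write_random_pass() {
    dd if=/dev/urandom of="$1" bs=512 count="$(($2 / 512))" conv=notrunc 2>/dev/null
}

# Overwrite $1 ($2 bytes) with the checkerboard sequence 0x55, 0xAA,
# random data, then zeros. Fails if the size is not a multiple of 512,
# since a partial trailing sector would be left untouched (or, for a
# file, the file would be extended).
scrub_device() {
    dev=$1; bytes=$2
    [ "$((bytes % 512))" -eq 0 ] || { echo "size must be a multiple of 512" >&2; return 1; }
    write_pattern_pass "$dev" "$bytes" 125   # 0x55 = 01010101
    write_pattern_pass "$dev" "$bytes" 252   # 0xAA = 10101010
    write_random_pass  "$dev" "$bytes"
    write_pattern_pass "$dev" "$bytes" 000   # finish with zeros
    sync
}

# Shutdown-time entry point (assumed usage: called from an rc shutdown
# hook with the swap partition and its size in bytes). swapctl(8) -d
# removes the device from the swap system on NetBSD; scrubbing an
# active swap device would corrupt the running system.
scrub_swap() {
    swapctl -d "$1"
    scrub_device "$1" "$2"
}

# Number of non-NUL bytes in $1; zero after a successful scrub, which is
# the check used to verify the final pass.
nonzero_bytes() {
    echo "$(( $(tr -d '\000' < "$1" | wc -c) ))"
}
```

Two caveats a practitioner would want stated: the partition size has to be supplied by the caller (on NetBSD it can be read from disklabel(8), in sectors), and the scrub only ever runs on an orderly shutdown, so a crash, power loss or seized running machine leaves whatever was paged out sitting on disk. That is the "different attack requirement" the message refers to, and it is the case that swap on cgd covers and this approach does not.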