Subject: Re: encrypted swap?
To: Steven M. Bellovin <email@example.com>
From: Angelos D. Keromytis <firstname.lastname@example.org>
Date: 06/04/2001 21:06:07
In message <20010605004833.978B07B84@berkshire.research.att.com>, "Steven M. Be
>If you really want encrypted swap, and you want it with little effort,
>use CFS and swap to a file. I ported CFS to NetBSD; you can find it
>at your choice of
There are three problems with this:
a) performance (although I suspect this won't be *that* bad)
b) usability: you'd have to have someone actually log in and type a
passphrase before you can start swapping -- not always an option;
you could cmkdir and cattach with random keys at boot time of
course, but that goes back to your earlier point of having enough
entropy when you boot
c) deadlock: if the system ever needs to page out cfsd...
An easier/quicker hack is adding encryption to vnds (Niels also did
that in OpenBSD; I recall the diff was about 200 lines long).
The best solution of course is to have real encrypting block devices,
but I think the discussion was about quick hacks.