| 1 |
On Sunday 22 October 2006 06:16, Richard Freeman wrote: |
| 2 |
> I'd just make SWAPDEVICE and LOOPDEV command-line parameters and then |
| 3 |
> call the script 4 times. |
| 4 |
or drop a for loop into it... |
| 5 |
|
| 6 |
I don't know much about raid, but if it's treated in /dev as a single device, |
| 7 |
you may just be able to replace it and go. |
| 8 |
|
| 9 |
May be overly paranoid, but writing encrypted data multiple times could help |
| 10 |
someone to guess what certain file is and make an attack on the encryption |
| 11 |
easier. I use ext2 for my encrypted loops so there's no journal as well. |
| 12 |
Although the power fails sometimes, and can be a pain to fsck, i haven't lost |
| 13 |
anything yet. |
| 14 |
|
| 15 |
> |
| 16 |
> > swap again, wipe the partitions, and simply leave swap off. Only if they |
| 17 |
> > ever get suspend to disk working semi-reliably... |
| 18 |
> |
| 19 |
> Not sure encrypted swap will play well with suspend to disk. Somehow |
| 20 |
> when the system wakes up it needs to find out what the encryption key |
| 21 |
> actually was, otherwise the loop device can't be reactivated. |
| 22 |
Last time i tried S2D, albeit a couple of years now, the loops all had to be |
| 23 |
re-mounted after wake(and of course fsck'd) |
| 24 |
> Now, it |
| 25 |
> is possible that the kernel will just write the key to disk somewhere, |
| 26 |
> but this defeats much of the security of an encrypted swap device (where |
| 27 |
> after a reboot the swap space is impossible to read without a brute |
| 28 |
> force attack on AES-CBC). |
| 29 |
I think key retention support in kernel may accomplish this |
| 30 |
> If the key isn't written to disk the kernel |
| 31 |
> will boot and look around and not see any valid swap partitions on the |
| 32 |
> disk at all. |
| 33 |
|
| 34 |
Also, it seems AES-CBC is the standard for swap.. at least per the loop-aes |
| 35 |
package that contained this script. Does anyone of a good benchmark list? |
| 36 |
|
| 37 |
I found this but didn't see aes on it |
| 38 |
http://www.eskimo.com/~weidai/benchmarks.html |
| 39 |
|
| 40 |
-Jason |
| 41 |
-- |
| 42 |
gpg public key: http://lazybird.hyperintelligent.net/~jbooth/jbooth_key.asc |
| 43 |
|
| 44 |
-- |
| 45 |
gentoo-amd64@g.o mailing list |
Archives