On Sunday 22 October 2006 06:16, Richard Freeman wrote:
> I'd just make SWAPDEVICE and LOOPDEV command-line parameters and then
> call the script 4 times.
or drop a for loop into it...

I don't know much about raid, but if it's treated in /dev as a single device,
you may just be able to replace it and go.

May be overly paranoid, but writing encrypted data multiple times could help
someone to guess what a certain file is and make an attack on the encryption
easier. I use ext2 for my encrypted loops so there's no journal as well.
Although the power fails sometimes, and it can be a pain to fsck, I haven't lost
anything yet.

>
> > swap again, wipe the partitions, and simply leave swap off. Only if they
> > ever get suspend to disk working semi-reliably...
>
> Not sure encrypted swap will play well with suspend to disk. Somehow
> when the system wakes up it needs to find out what the encryption key
> actually was, otherwise the loop device can't be reactivated.
Last time I tried S2D, albeit a couple of years ago now, the loops all had to be
re-mounted after wake (and of course fsck'd)
> Now, it
> is possible that the kernel will just write the key to disk somewhere,
> but this defeats much of the security of an encrypted swap device (where
> after a reboot the swap space is impossible to read without a brute
> force attack on AES-CBC).
I think key retention support in the kernel may accomplish this
> If the key isn't written to disk the kernel
> will boot and look around and not see any valid swap partitions on the
> disk at all.

Also, it seems AES-CBC is the standard for swap.. at least per the loop-aes
package that contained this script. Does anyone know of a good benchmark list?

I found this but didn't see aes on it
http://www.eskimo.com/~weidai/benchmarks.html

-Jason
--
gpg public key: http://lazybird.hyperintelligent.net/~jbooth/jbooth_key.asc

--
gentoo-amd64@g.o mailing list
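The "drop a for loop into it" suggestion above, as an added example that is not part of the thread and not the loop-aes package's script: instead of calling the script four times with different SWAPDEVICE and LOOPDEV values, one POSIX sh loop walks a list of swap-device:loop-device pairs and skips any device that is already listed as active swap, so a re-run cannot re-key and wipe a swap area that is in use. The device names, the /proc/swaps snapshot and the `setup_one_swap` body are constructed placeholders; the real losetup/mkswap/swapon lines come from the loop-aes script the thread refers to.

```shell
#!/bin/sh
# Added example (not from the thread or from loop-aes): one loop over
# SWAPDEVICE/LOOPDEV pairs in place of four separate script invocations.

# Constructed list of "swapdevice:loopdevice" pairs; placeholder names.
SWAP_PAIRS="/dev/sda2:/dev/loop0 /dev/sdb2:/dev/loop1 /dev/sdc2:/dev/loop2 /dev/sdd2:/dev/loop3"

# Constructed snapshot of /proc/swaps so the example runs offline; a real
# run would pass "$(cat /proc/swaps)" instead. /dev/loop1 is already active.
PROC_SWAPS="Filename    Type       Size    Used  Priority
/dev/loop1  partition  524280  0     -1"

# is_active_swap DEV SWAPS_TEXT: succeed (exit 0) if DEV is listed in the
# first column of the /proc/swaps text, i.e. it is currently in use as swap.
is_active_swap() {
    printf '%s\n' "$2" | awk -v dev="$1" '$1 == dev { found = 1 } END { exit !found }'
}

# setup_one_swap SWAPDEVICE LOOPDEV: the per-device step. This hypothetical
# body only reports what it would do; the real losetup / mkswap / swapon
# commands belong to the loop-aes script discussed in the thread.
setup_one_swap() {
    printf 'setup %s via %s\n' "$1" "$2"
}

# setup_all_swaps PAIRS SWAPS_TEXT: iterate over every pair, refusing to touch
# a swap device or loop device that is already active. Prints one line per
# pair, starting with "setup" or "skip".
setup_all_swaps() {
    pairs=$1
    swaps=$2
    for pair in $pairs; do
        swapdev=${pair%%:*}
        loopdev=${pair#*:}
        if is_active_swap "$loopdev" "$swaps" || is_active_swap "$swapdev" "$swaps"; then
            printf 'skip %s: %s is already active swap\n' "$swapdev" "$loopdev"
            continue
        fi
        setup_one_swap "$swapdev" "$loopdev"
    done
}

# Stand-alone run: plan the four devices against the constructed snapshot.
setup_all_swaps "$SWAP_PAIRS" "$PROC_SWAPS"
```

Running it against the constructed snapshot prints three `setup` lines and one `skip` line for /dev/loop1; on a live system the same check reads the real /proc/swaps before any device is re-keyed.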