On Fri, 19 Jan 2007, Bill Stewart wrote: > Obviously if you're trying to protect against KGB-skilled attacks > on stolen/confiscated hardware, you'd like to have the swap partition > encrypted as well as any user data partitions, though you may not care > whether your read-only utility software was protected > (e.g. your Knoppix disk or vanilla shared /usr/ or whatever.) [[...]] > > On the other hand, if you're trying to protect against > lower-skilled attackers, e.g. laptop thieves who are reselling > disks to the Nigerians and other hardware on eBay, > you want to protect your file systems, > but probably don't need to protect your swap. > It's certainly nice to do that, of course, and might be a Good Thing > for Linux and ***BSD to include in their standard swap drivers,
OpenBSD has had swap-space encryption for some years, and recent versions turn it on in the default install. I don't know what the other BSDs or various Linuxen do by default. OpenBSD's swap encryption uses Rajndael/AES implemented in software. The performance hit is small on modern hardware, and still acceptable even on slow hardware (I haven't seen any problems on an old 486/33 laptop I'm using as a home firewall/router). For laptops (where physical theft is major concern), I think the combination of an encrypting file system and swap encryption gives a pretty good -- and readily configurable -- security/performance tradeoff. ciao, -- -- "Jonathan Thornburg -- remove -animal to reply" <[EMAIL PROTECTED]> Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut), Golm, Germany, "Old Europe" http://www.aei.mpg.de/~jthorn/home.html "Washing one's hands of the conflict between the powerful and the powerless means to side with the powerful, not to be neutral." -- quote by Freire / poster by Oxfam --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
