On 15/09/06, John Lockman <[EMAIL PROTECTED]> wrote:
On 9/15/06, Stef Bon <[EMAIL PROTECTED]> wrote:
> Carlos Martín wrote:
>
> > On 15/09/06, John Lockman <[EMAIL PROTECTED]> wrote:
> >>
> >> However, this does make it extremely good for storing sensitive data
> >> before encryption.
> >>
> >
> >  Not really. tmpfs may be pushed to swap space, where it could be
> > recovered if the attacker has enough interest. Try running gnupg
> > without suid root. It will warn you that it won't be able to lock the
> > memory to RAM, and therefore may be recoverable. This is the same
> > thing.
> Ok, I see.
> But do you know another solution for storing important data which only has
> to be there for one session in a temporary filesystem
> (= not on hard disk)?
>
> Stef Bon
>

The easiest way is to zero your swap space on boot and power off,
there are many different ways to do this, google around. I'm not 100%

This takes a long time. It is the simplest totally secure solution, however.

sure, but I think you can do a kernel ram disk that resides only in
the ram.

 It's definitely possible, since (normal) kernel memory isn't allowed
to touch swap.
In userspace you can pin the memory to RAM through mlock(2) (having
permission to do so, which usually means being root).

 Another solution is to use an encrypted filesystem which you use for
file you'll only need for a short time. This doesn't take as long as
zeroing out (or filling with garbage) the swap partition.

The main problem with these two approaches is that whilst you are
editing your file, the memory that contains that file (the editor
needs to have the file in memory) may be pushed to swap. I think there
is the possibility of an encrypted swap which would solve all of our
problems.

You could have the memory in the editor pinned to memory, but I think
that would require changing some shared libraries just for that one
editor, so it's not worth the hassle. Then again, it depends on how
secret your files are and/or how paranoid you are.

  cmn
--
Carlos Martín Nieto        http://www.cmartin.tk

"¿Cómo voy a decir bobadas si soy mudo?" -- CACHAI
-- 
http://linuxfromscratch.org/mailman/listinfo/lfs-chat
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
