On Fri, 19 Jan 2007, Bill Stewart wrote:
> Obviously if you're trying to protect against KGB-skilled attacks
> on stolen/confiscated hardware, you'd like to have the swap partition
> encrypted as well as any user data partitions, though you may not care
> whether your read-only utility software was protected
> (e.g. your Knoppix disk or vanilla shared /usr/ or whatever.)
[[...]]
> 
> On the other hand, if you're trying to protect against
> lower-skilled attackers, e.g. laptop thieves who are reselling
> disks to the Nigerians and other hardware on eBay,
> you want to protect your file systems,
> but probably don't need to protect your swap.
> It's certainly nice to do that, of course, and might be a Good Thing
> for Linux and ***BSD to include in their standard swap drivers,

OpenBSD has had swap-space encryption for some years, and recent versions
turn it on in the default install.  I don't know what the other BSDs or
various Linuxen do by default.

OpenBSD's swap encryption uses Rijndael/AES implemented in software.
The performance hit is small on modern hardware, and still acceptable
even on slow hardware (I haven't seen any problems on an old 486/33
laptop I'm using as a home firewall/router).

For laptops (where physical theft is a major concern), I think the
combination of an encrypting file system and swap encryption gives a
pretty good -- and readily configurable -- security/performance tradeoff.

ciao,

-- 
-- "Jonathan Thornburg -- remove -animal to reply" <[EMAIL PROTECTED]>
   Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut),
   Golm, Germany, "Old Europe"     http://www.aei.mpg.de/~jthorn/home.html      
   "Washing one's hands of the conflict between the powerful and the
    powerless means to side with the powerful, not to be neutral."
                                      -- quote by Freire / poster by Oxfam

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]