Does encfs ensure that passphrases and key material are in memory only as long as absolutely necessary? There are calls to mlock in the code; is it safe to assume that passphrases and keys do not get swapped to the disk?
In particular, the following would be good to have:
- When encfs exits or unmounts a filesystem, keys to it should be explicitly erased from memory.
- Passphrase should not be kept in memory, IIRC only the derived key is needed.
- Don't use swap at all for keys or decrypted data, at least in paranoid mode.
- A command to shut down encfs that blocks until encfs is gone. fusermount -u??
- A command to unmount a filesystem without exiting, for use with --ondemand.

Use case: I use encfs as a keyring on my laptop. Every time the screen is locked encfs is killed and every time I unlock it, the entered password is piped to encfs to automatically remount the keyring. The screen is automatically locked when the machine is suspended. A similar setup could significantly reduce the chance that whoever steals the laptop gets access to the private files, without any impact on usability. To get the key, one would have to get their hands on the laptop while it's unlocked. If, however, the password was not cleared from RAM at lock/suspend, it would be next to useless.

There is a related paper (Cold Boot Attacks on Disk Encryption) at https://citp.princeton.edu/research/memory/ and my current config is available at https://github.com/andres-erbsen/cogs/commit/1602b16 together with the modified slock screen locker used to call encfs on unlock (in the respective repo).

_______________________________________________
Encfs-users mailing list
Encfs-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/encfs-users
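The lock/unlock flow described in the post, as an added example (not the poster's config and not part of encfs): a locker-side helper that remounts the keyring from a passphrase on stdin and, on lock, unmounts and blocks until the encfs process is actually gone. It assumes encfs's `-S`/`--stdinpass` option and `fusermount -u`; `ENCFS_SRC` and `ENCFS_MNT` are placeholder paths. Whether the passphrase and key are wiped inside encfs itself is up to encfs, which this script cannot control.

```sh
#!/bin/sh
# Added example, not from the original post or the encfs project.
# Placeholder paths: override via the environment.
ENCFS_SRC="${ENCFS_SRC:-$HOME/.keyring.enc}"   # encrypted directory
ENCFS_MNT="${ENCFS_MNT:-$HOME/keyring}"        # plaintext mount point

# Poll until the given PID has exited or the timeout (seconds) expires.
# Returns 0 once the process is gone, 1 on timeout.
wait_for_exit() {
    pid=$1; timeout=${2:-10}; waited=0
    while kill -0 "$pid" 2>/dev/null; do
        [ "$waited" -ge "$timeout" ] && return 1
        sleep 1; waited=$((waited + 1))
    done
    return 0
}

# Mount the keyring, reading the passphrase from stdin (the locker pipes it
# on unlock), so it never appears on the command line or in process listings.
keyring_mount() {
    mountpoint -q "$ENCFS_MNT" && return 0
    encfs -S "$ENCFS_SRC" "$ENCFS_MNT"
}

# Unmount the keyring and block until the encfs process serving this mount
# point has exited; only then does the locker know that process is gone.
keyring_lock() {
    pid=$(pgrep -f "encfs .*$ENCFS_MNT" | head -n 1)
    fusermount -u "$ENCFS_MNT" || return 1
    if [ -n "$pid" ]; then
        wait_for_exit "$pid" 10
    fi
}

case "$1" in
    mount) keyring_mount ;;
    lock)  keyring_lock ;;
esac
```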