On Tue, 22 Aug 2000, Walter Belgers wrote:

> Last week I was at USENIX where Niels Provos talked about his
> implementation of encrypted swap in OpenBSD. What is does is encrypting
> all memory that gets swapped out, keeping the encryption keys in memory. 
> A test showed that all kinds of interesting things wind up in the swap
> partition; Niels himself found several passwords and his PGP passphrase
> on his own laptop.. 
> So, I think having the option to use encrypted swap on FreeBSD would be
> nice. Is anybody already working on this? If not, how do I get somebody
> to work on it?  ;-) 


There has been discussion and substantial interest in an encrypted swap
interface on the freebsd-security mailing list in the last month or so. 
It was concluded that it was best to wait until Poul-Henning Kemp finished
improved infrastructure, allowing the stacking of devices and layers above
devices.  This would allow an abstracted "encrypted device" interface,
supporting everything from encrypted swap (using a randomized key) to
generic protected file systems (one key per partition protecting the file
system).  This would give substantial protection for those of us with
mobile computing devices (generally notebooks) that have a tendancy to
walk off in airports, for example :-).

As an interim solution, I believe we support swap over NFS, so could swap
to a local CFS partition.  We could also look at solutions that cause swap
partitions to be blanked at shutdown, although that's an inferior solution
to true encrypted swap, as one tends to trust strong crypto a little more
than the ability to delete the contents of magnetic disk platters :-).

So the short of it: infrastructure work is under way that should make
encrypted swap an easy addition in the near future.

  Robert N M Watson 

[EMAIL PROTECTED]              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message

Reply via email to