On Sunday 22 October 2006 06:16, Richard Freeman wrote: > I'd just make SWAPDEVICE and LOOPDEV command-line parameters and then > call the script 4 times. or drop a for loop into it...
I don't know much about raid, but if it's treated in /dev as a single device, you may just be able to replace it and go. May be overly paranoid, but writing encrypted data multiple times could help someone to guess what certain file is and make an attack on the encryption easier. I use ext2 for my encrypted loops so there's no journal as well. Although the power fails sometimes, and can be a pain to fsck, i haven't lost anything yet. > > > swap again, wipe the partitions, and simply leave swap off. Only if they > > ever get suspend to disk working semi-reliably... > > Not sure encrypted swap will play well with suspend to disk. Somehow > when the system wakes up it needs to find out what the encryption key > actually was, otherwise the loop device can't be reactivated. Last time i tried S2D, albeit a couple of years now, the loops all had to be re-mounted after wake(and of course fsck'd) > Now, it > is possible that the kernel will just write the key to disk somewhere, > but this defeats much of the security of an encrypted swap device (where > after a reboot the swap space is impossible to read without a brute > force attack on AES-CBC). I think key retention support in kernel may accomplish this > If the key isn't written to disk the kernel > will boot and look around and not see any valid swap partitions on the > disk at all. Also, it seems AES-CBC is the standard for swap.. at least per the loop-aes package that contained this script. Does anyone of a good benchmark list? I found this but didn't see aes on it http://www.eskimo.com/~weidai/benchmarks.html -Jason -- gpg public key: http://lazybird.hyperintelligent.net/~jbooth/jbooth_key.asc -- gentoo-amd64@gentoo.org mailing list
