Hi,

Thanks for your comments.

(Marcus, you meant only this 2015-05 thread right? https://marc.info/?t=143181498300001 )

I think I like to keep dumps enabled also on a production machine. Even if it's incredibly rare, it is possible for a production machine to crash, and the dump could be instructive.

(For a production machine with dumps disabled, indeed the default swap crypto is sufficient, and indeed using swap in softraid is cryptographically redundant.)

I realize the thread subject is not optimal ("SWAP should always be inside crypto softRAID, right? (For OS crash dump data to be encrypted.)"). Here is the updated subject and query:

"If I want to have crash dumps enabled, while enjoying the crypto softraid's physical data theft protection for all data, THEN my SWAP partition(s) should be inside the softraid, right?".

Thoughts, criticism?

Thanks,
Tinker

On February 9, 2018 6:07 PM, Marcus MERIGHI <mcmer-open...@tor.at> wrote:
..
> there's a 2016-11 thread that's related:
> "swap on encrypted softraid, performance penalty"
>
> stsp@
> https://marc.info/?l=openbsd-misc&m=143184355522545
> tedu@
> https://marc.info/?l=openbsd-misc&m=143206067713324

On February 9, 2018 6:55 AM, Tom Smyth <tom.sm...@wirelessconnect.eu> wrote:
> Thanks Kevin, I missed the dump part... agree with disable dump on prod
> ..enable on dev

On February 9, 2018 6:49 AM, Kevin Chadwick <m8il1i...@gmail.com> wrote:
> On Thu, 8 Feb 2018 19:39:39 +0000
>> Afaik swap is encrypted anyway on OpenBSD
>>
> It is with a random key which is actually more secure than the softraid
> key.
>
> However to the OP's question relating to dumps.
>
> I believe the answer is that dumps are helpful and OpenBSD is a
> developer system primarily but you should disable them with sysctl for
> production or if you have concerns.

On February 9, 2018 3:39 AM, Tom Smyth <tom.sm...@wirelessconnect.eu> wrote:
> Afaik swap is encrypted anyway on OpenBSD

On February 9, 2018 3:30 AM, trondd <tro...@kagu-tsuchi.com> wrote:
..
> Assuming you are doing full disk encryption otherwise, put swap inside the
> softraid disk. The kernel is hardcoded to look on the boot disk to save
> dumps. If swap is on sd0 but you decrypt a partition as sd1 and boot
> from that, swap is no longer on the same disk.
>
> Unless you override with config(8)
>
> Tim.