Hi Russ,

On Mon, Feb 01, 2021 at 09:54:56AM -0800, Russ Allbery wrote:

[keyring managers using mlock]

> Does this serve any useful purpose?

Absolutely. The vast majority of users have no need for encrypted swap, but
might reasonably assume that secret keys are not written unencrypted to
disk, especially not in a way that is likely to leave them there for weeks.

Expecting users to set up encrypted swap is a fairly steep requirement if
all they want to do is keep a few kilobytes of secret data actually secret.

> I think adding this capability to gnome-keyring-daemon makes the whole
> system less secure, not more secure, compared to using encrypted swap,
> since managing escalated privileges in a program is far more complicated
> and failure-prone.

The mlock privilege is largely relevant from a denial-of-service
standpoint, so I think we come out ahead by allowing a program we trust
with secret keys to theoretically create memory pressure (which still
wouldn't spill secret keys to swap).

   Simon

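As an added illustration of the mlock mechanism under discussion (this is not code from the thread or from gnome-keyring-daemon, and it assumes Linux with glibc), the helper below pins a small secret buffer in RAM only after checking that it fits under RLIMIT_MEMLOCK, so an unprivileged daemon keeping a few kilobytes of key material off swap never needs CAP_IPC_LOCK and cannot create the memory pressure raised above. The names secret_alloc, secret_free, secret_fits_limit and secret_page_round are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

enum { SECRET_OK = 0, SECRET_ERR_LIMIT, SECRET_ERR_ALLOC, SECRET_ERR_LOCK };

/* mlock pins whole pages, so round the request up to a page multiple. */
size_t secret_page_round(size_t len) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    return (len + page - 1) / page * page;
}

/* Without CAP_IPC_LOCK the kernel bounds mlock by RLIMIT_MEMLOCK. Check up front
 * so the daemon stays inside the limit instead of needing privilege. The limit
 * covers all locked memory in the process, so this is an approximation. */
int secret_fits_limit(size_t len) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0) return 0;
    return rl.rlim_cur == RLIM_INFINITY || secret_page_round(len) <= rl.rlim_cur;
}

/* Map a private anonymous buffer for len secret bytes, pin it in RAM and keep it
 * out of core dumps. On failure no unlocked memory is left holding the secret. */
int secret_alloc(size_t len, void **out) {
    size_t size = secret_page_round(len);
    *out = NULL;
    if (!secret_fits_limit(size)) return SECRET_ERR_LIMIT;
    void *p = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return SECRET_ERR_ALLOC;
    if (mlock(p, size) != 0) {              /* EPERM or ENOMEM: limit or policy hit */
        int saved = errno; munmap(p, size); errno = saved;
        return SECRET_ERR_LOCK;
    }
#ifdef MADV_DONTDUMP
    madvise(p, size, MADV_DONTDUMP);        /* Linux: exclude from core files too */
#endif
    *out = p;
    return SECRET_OK;
}

/* Wipe before unlocking: an unlocked page may be swapped out again. */
void secret_free(void *p, size_t len) {
    size_t size = secret_page_round(len);
    if (p == NULL) return;
    explicit_bzero(p, size);                /* glibc >= 2.25; not elided like memset */
    munlock(p, size);
    munmap(p, size);
}
```

A caller that gets SECRET_ERR_LIMIT or SECRET_ERR_LOCK should refuse to hold the secret in unlocked memory rather than fall back silently, since that is exactly the swap exposure the locking is meant to prevent.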