On Thu, 24 Jun 2010, Charles Curley wrote:

>> It sounds like you're using hibernation with an encrypted swap device.
>> Is that even possible? ;-) Has it worked before?
>
> I have no idea. Considering the security implications of running without
> an encrypted swap partition, I hope so.
>
> But for serious security concerns (while going through the Terminally
> Stupid Agency's line to get fondled, riding in NYC taxis, e.g.), shut
> the thing down completely. If you have an encrypted swap area or
> encrypted file system(s), remember that those are mounted during the
> suspension or hibernation, so if bad guys can get the machine up from
> suspension or hibernation, they have bypassed your encryption.
>
> With that in mind, maybe I should get rid of the encryption in the swap
> partition?
I definitely wouldn't. You could end up with various unencrypted stuff in
there, which makes all your other encryption kind of a waste of time.

A couple of good alternatives are:

* Have no swap partition. For a laptop it's often not needed.

* Have your suspension or hibernation scripts run `swapoff -a` and then,
  when you resume, create a new random swap partition encryption key from
  scratch and re-enable swap.

A less-good alternative that nevertheless is the one I personally use at
the moment:

* Don't suspend or hibernate at all. :)

Jon

-- 
Jon Jensen
End Point Corporation
http://www.endpoint.com/

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
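The second alternative above (swap off before sleeping, a fresh random swap key on resume), written out as an added example that is not part of Jon's post or of any project's code. It uses the systemd-sleep hook convention, which postdates this thread: systemd runs the scripts in /usr/lib/systemd/system-sleep/ with "pre" or "post" as the first argument and the sleep type ("suspend", "hibernate", ...) as the second. The backing partition /dev/sda3, the mapper name cryptswap and the DRY_RUN switch are assumptions for illustration. One caveat the post does not spell out: this only works for suspend-to-RAM. Hibernation writes its image into swap, so a throwaway key would make that image unreadable on resume, and the hook deliberately leaves swap alone in that case.

```shell
#!/bin/sh
# Added example (not from the original thread): systemd-sleep hook that
# drops encrypted swap before suspend and rebuilds it on resume with a
# fresh key read from /dev/urandom, so nothing paged out before sleep is
# recoverable afterwards.
#
# Assumptions (hypothetical, adjust for your machine):
#   SWAP_DEV    - raw partition backing swap
#   MAPPER_NAME - dm-crypt name; swap lives on /dev/mapper/$MAPPER_NAME
#   DRY_RUN=1   - print the commands instead of running them (no root needed)
# Install as /usr/lib/systemd/system-sleep/random-swap.sh, mode 0755.

SWAP_DEV="${SWAP_DEV:-/dev/sda3}"
MAPPER_NAME="${MAPPER_NAME:-cryptswap}"
DRY_RUN="${DRY_RUN:-0}"

run() {
    # In dry-run mode echo the command line instead of executing it, so the
    # plan can be inspected without touching a real block device.
    if [ "$DRY_RUN" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

swap_teardown() {
    # Turn all swap off, then close the dm-crypt mapping. The random key
    # lives only in kernel memory and is discarded with the mapping, so the
    # old swap contents on disk are unreadable from here on.
    run swapoff -a
    run cryptsetup close "$MAPPER_NAME"
}

swap_setup() {
    # Plain (non-LUKS) dm-crypt with a key pulled straight from the kernel
    # RNG: cryptsetup reads --key-size bits from the key file. Then write a
    # new swap signature on the mapped device and enable it.
    run cryptsetup open --type plain --key-file /dev/urandom \
        --cipher aes-xts-plain64 --key-size 512 "$SWAP_DEV" "$MAPPER_NAME"
    run mkswap "/dev/mapper/$MAPPER_NAME"
    run swapon "/dev/mapper/$MAPPER_NAME"
}

sleep_hook() {
    # $1: pre|post, $2: suspend|hibernate|hybrid-sleep (systemd-sleep(8))
    case "$2" in
        hibernate|hybrid-sleep)
            # The hibernation image is written into swap; a throwaway key
            # would make it unreadable on resume, so do nothing here.
            echo "random-swap: $2 needs persistent swap, not touching it" >&2
            return 0
            ;;
    esac
    case "$1" in
        pre)  swap_teardown ;;
        post) swap_setup ;;
        *)    echo "usage: $0 pre|post suspend" >&2; return 2 ;;
    esac
}

# Dispatch only when called with arguments, so the functions can also be
# sourced and exercised with DRY_RUN=1.
if [ $# -gt 0 ]; then
    sleep_hook "$@"
fi
```

Run it by hand first with `DRY_RUN=1 ./random-swap.sh post suspend` to see the exact cryptsetup/mkswap/swapon sequence it would issue. Most distributions already do the same setup at boot through the `swap` option in /etc/crypttab with /dev/urandom as the key file; the hook just repeats that across a suspend cycle, and the swap_teardown step is what actually removes the pre-sleep pages from reach.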
