Taylor R Campbell wrote:
> Log Message:
> Implement swap encryption.
> 
> Enabled by sysctl -w vm.swap_encrypt=1.

If secmodel_securelevel(9) is still a thing, locking down this sysctl
at high securelevel may improve our security. Prior to this change,
swap devices were readable (even if encrypted with cgd).  With this
sysctl set to 1, all new swap devices will be encrypted; the only
thing to worry about is if it's set back to 0 on a compromised host.

Not sure if this makes sense because all files on a compromised
host can be read and processes' memory can probably be dumped.

Alex
