It's a Presidential Mandate, Feds use it. How come you are not using FDE?
Jonathan Thornburg
jthorn at aei.mpg.de
Sat Jan 20 08:15:06 EST 2007
On Fri, 19 Jan 2007, Bill Stewart wrote:
> Obviously if you're trying to protect against KGB-skilled attacks
> on stolen/confiscated hardware, you'd like to have the swap partition
> encrypted as well as any user data partitions, though you may not care
> whether your read-only utility software was protected
> (e.g. your Knoppix disk or vanilla shared /usr/ or whatever.)
[[...]]
>
> On the other hand, if you're trying to protect against
> lower-skilled attackers, e.g. laptop thieves who are reselling
> disks to the Nigerians and other hardware on eBay,
> you want to protect your file systems,
> but probably don't need to protect your swap.
> It's certainly nice to do that, of course, and might be a Good Thing
> for Linux and ***BSD to include in their standard swap drivers,
OpenBSD has had swap-space encryption for some years, and recent versions
turn it on in the default install. I don't know what the other BSDs or
various Linuxen do by default.

OpenBSD's swap encryption uses Rijndael/AES implemented in software.
The performance hit is small on modern hardware, and still acceptable
even on slow hardware (I haven't seen any problems on an old 486/33
laptop I'm using as a home firewall/router).

For laptops (where physical theft is a major concern), I think the
combination of an encrypting file system and swap encryption gives a
pretty good -- and readily configurable -- security/performance tradeoff.
ciao,
--
-- "Jonathan Thornburg -- remove -animal to reply" <jthorn at aei.mpg-zebra.de>
Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut),
Golm, Germany, "Old Europe" http://www.aei.mpg.de/~jthorn/home.html
"Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral."
-- quote by Freire / poster by Oxfam