It's a Presidential Mandate, Feds use it. How come you are not using FDE?

Jonathan Thornburg jthorn at aei.mpg.de
Sat Jan 20 08:15:06 EST 2007


On Fri, 19 Jan 2007, Bill Stewart wrote:
> Obviously if you're trying to protect against KGB-skilled attacks
> on stolen/confiscated hardware, you'd like to have the swap partition
> encrypted as well as any user data partitions, though you may not care
> whether your read-only utility software was protected
> (e.g. your Knoppix disk or vanilla shared /usr/ or whatever.)
[[...]]
> 
> On the other hand, if you're trying to protect against
> lower-skilled attackers, e.g. laptop thieves who are reselling
> disks to the Nigerians and other hardware on eBay,
> you want to protect your file systems,
> but probably don't need to protect your swap.
> It's certainly nice to do that, of course, and might be a Good Thing
> for Linux and ***BSD to include in their standard swap drivers,

OpenBSD has had swap-space encryption for some years, and recent versions
turn it on in the default install.  I don't know what the other BSDs or
various Linuxen do by default.

OpenBSD's swap encryption uses Rijndael/AES implemented in software.
The performance hit is small on modern hardware, and still acceptable
even on slow hardware (I haven't seen any problems on an old 486/33
laptop I'm using as a home firewall/router).

For laptops (where physical theft is a major concern), I think the
combination of an encrypting file system and swap encryption gives a
pretty good -- and readily configurable -- security/performance tradeoff.

ciao,

-- 
-- "Jonathan Thornburg -- remove -animal to reply" <jthorn at aei.mpg-zebra.de>
   Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut),
   Golm, Germany, "Old Europe"     http://www.aei.mpg.de/~jthorn/home.html      
   "Washing one's hands of the conflict between the powerful and the
    powerless means to side with the powerful, not to be neutral."
                                      -- quote by Freire / poster by Oxfam

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


