From mboxrd@z Thu Jan  1 00:00:00 1970
From: Chris Marusich <cmmarusich@gmail.com>
Subject: Re: Encrypted root partition
Date: Wed, 18 Jan 2017 20:21:19 -0800
Message-ID: <8737gfwugw.fsf@gmail.com>
References: <87vavd3k1t.fsf@gnu.org> <87a8cp4bqk.fsf@gmail.com>
	<877f7swllv.fsf@gnu.org> <87pojkitaf.fsf@gmail.com>
	<87eg00k372.fsf@gmail.com> <87d1fjd749.fsf@gnu.org>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha256; protocol="application/pgp-signature"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:48991)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <cmmarusich@gmail.com>) id 1cU4E3-0002QA-Fg
	for guix-devel@gnu.org; Wed, 18 Jan 2017 23:21:28 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <cmmarusich@gmail.com>) id 1cU4Dy-0003fh-Rm
	for guix-devel@gnu.org; Wed, 18 Jan 2017 23:21:27 -0500
In-Reply-To: <87d1fjd749.fsf@gnu.org> (Mike Gerwitz's message of "Wed, 18 Jan
	2017 23:08:22 -0500")
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Mike Gerwitz <mtg@gnu.org>
Cc: guix-devel@gnu.org

--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Mike Gerwitz <mtg@gnu.org> writes:

> On Wed, Jan 18, 2017 at 03:38:57 -0800, Chris Marusich wrote:
>> As a bonus, I realized that one could use this feature to encrypt swap,
>> also.  You can encrypt your swap area by using a swap file in the root
>> file system.  Specifically, if you do something like this...
>
> Using an ephemeral key for swap (that is: a temporary key that is
> randomly generated and never stored) is preferred: when you unmount it,
> the data won't be recoverable.
>
> Mounting a normal swapfile, on the other hand, writes swapped memory to
> disk, which opens a host of potential security and forensic issues.
>
> Of course, so does traditional swap. :)
>
> I'm not familiar enough with Guix (yet!) to know how to set it up, but I
> also haven't done any research.  Arch has a good summary:
>
>   https://wiki.archlinux.org/index.php/Dm-crypt/Swap_encryption

Interesting!  Thank you for the additional information.

=2D-=20
Chris

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEy/WXVcvn5+/vGD+x3UCaFdgiRp0FAliAPr8ACgkQ3UCaFdgi
Rp32YQ//XeaYrjDR8xgp8mB6UoimG9lG1MMC6tM33C7c7CaLfhlCA50lBmycHZUO
i+1zzmN/0Cq2LgPusHVW/Vntue1xWg6VK1CDm0+OlDz8RK6upHWUp7irS8ZpLOvH
bIT4k6y+TF3kuCE4Lbj46LNgdHk/lxw5q5epZJkqdc8y0A/qxyiVpGEChDyjf/Ad
rd+9vybLNoh7lr4Dw8mQgFcxUAZ1TLwp67ALcqBUoINZqKaj3EjEIws2XC9x7LXC
KQh8GkSJY3R33FeDapPmPW13kP/ZVSrVCnYXjIzx+ADe0lD/rTEddVFDq4y14ALr
IW+uFy6y1vLZiylSeR1xtXWmAM2OiKTNQJy+Va/5xzJzRCxNnk2htTpcatNbYYJN
W8/RzKgB3O5R16r/I/W13jb3TFPxs3iv01kaIrABEMeNljp6oybRaoZIGe1JCIwI
rlwVJvQ/o96gL52n8iCHNBGd7rQ/dLGddD48YvQnOxUMQbjil7xUU06gp56zLRBl
oFRZZXdvsQscktMq6wuHtB8Eh3xhYPDxcJW1stNKplLZ4x/RgDyJ1OENO8Z8OQHs
jOIeK66Wn2D6G5YDwEVEMxeCXpCoUQ97/xh+aU8TOyRUeyDvH/q98+QgVvnYUdd+
X4/i2/WiSEKg5X1lQtyMunFjpkebcpPSEOfimqU/iMo1pLDQxNc=
=v4Rr
-----END PGP SIGNATURE-----
--=-=-=--