From: Chris Marusich
Subject: Re: Encrypted root partition
Date: Wed, 18 Jan 2017 20:21:19 -0800
To: Mike Gerwitz
Cc: guix-devel@gnu.org

Mike Gerwitz writes:

> On Wed, Jan 18, 2017 at 03:38:57 -0800, Chris Marusich wrote:
>> As a bonus, I realized that one could use this feature to encrypt swap,
>> also. You can encrypt your swap area by using a swap file in the root
>> file system. Specifically, if you do something like this...
>
> Using an ephemeral key for swap (that is: a temporary key that is
> randomly generated and never stored) is preferred: when you unmount it,
> the data won't be recoverable.
>
> Mounting a normal swapfile, on the other hand, writes swapped memory to
> disk, which opens a host of potential security and forensic issues.
>
> Of course, so does traditional swap. :)
>
> I'm not familiar enough with Guix (yet!) to know how to set it up, but I
> also haven't done any research. Arch has a good summary:
>
> https://wiki.archlinux.org/index.php/Dm-crypt/Swap_encryption

Interesting! Thank you for the additional information.

-- 
Chris