Yes, we have no hibernate today

Jon Jensen jon at endpoint.com
Thu Jun 24 12:58:34 MDT 2010


On Thu, 24 Jun 2010, Charles Curley wrote:

>> It sounds like you're using hibernation with an encrypted swap device. 
>> Is that even possible? ;-)  Has it worked before?
>
> I have no idea. Considering the security implications of running without 
> an encrypted swap partition, I hope so.
>
> But for serious security concerns (while going through the Terminally 
> Stupid Agency's line to get fondled, riding in NYC taxis, e.g.), shut 
> the thing down completely. If you have an encrypted swap area or 
> encrypted file system(s), remember that those are mounted during the 
> suspension or hibernation, so if bad guys can get the machine up from 
> suspension or hibernation, they have bypassed your encryption.
>
> With that in mind, maybe I should get rid of the encryption in the swap 
> partition?

I definitely wouldn't. You could end up with various unencrypted stuff in 
there which makes all your other encryption kind of a waste of time.

A couple of good alternatives are:

* Have no swap partition. For a laptop it's often not needed.

* Have your suspension or hibernation scripts run `swapoff -a` and then 
when you resume, create a new random swap partition encryption key from 
scratch and re-enable swap.

A less-good alternative that nevertheless is the one I personally use at 
the moment:

* Don't suspend or hibernate at all. :)

Jon

-- 
Jon Jensen
End Point Corporation
http://www.endpoint.com/


More information about the PLUG mailing list