Yes, we have no hibernate today
Jon Jensen
jon at endpoint.com
Thu Jun 24 12:58:34 MDT 2010
On Thu, 24 Jun 2010, Charles Curley wrote:
>> It sounds like you're using hibernation with an encrypted swap device.
>> Is that even possible? ;-) Has it worked before?
>
> I have no idea. Considering the security implications of running without
> an encrypted swap partition, I hope so.
>
> But for serious security concerns (while going through the Terminally
> Stupid Agency's line to get fondled, riding in NYC taxis, e.g.), shut
> the thing down completely. If you have an encrypted swap area or
> encrypted file system(s), remember that those are mounted during the
> suspension or hibernation, so if bad guys can get the machine up from
> suspension or hibernation, they have bypassed your encryption.
>
> With that in mind, maybe I should get rid of the encryption in the swap
> partition?
I definitely wouldn't. You could end up with various unencrypted stuff in
there which makes all your other encryption kind of a waste of time.
A couple of good alternatives are:
* Have no swap partition. For a laptop it's often not needed.
* Have your suspension or hibernation scripts run `swapoff -a` and then
when you resume, create a new random swap partition encryption key from
scratch and re-enable swap.
A less-good alternative that nevertheless is the one I personally use at
the moment:
* Don't suspend or hibernate at all. :)
Jon
--
Jon Jensen
End Point Corporation
http://www.endpoint.com/
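As an added example (not Jon's or the list's code), here is the second alternative above written as a sleep hook: swap is turned off before the machine sleeps and recreated on resume under a fresh random dm-crypt key. It assumes the systemd system-sleep hook convention (`pre`/`post` as the first argument), an installed `cryptsetup`, and a hypothetical swap partition `/dev/sda3`; setting `RUN=echo` prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the original post: a systemd-sleep hook (install path such as
# /usr/lib/systemd/system-sleep/cryptswap-reset is an assumption) that drops swap before
# sleeping and brings it back afterwards under a brand-new random dm-crypt key.
# Assumptions: SWAP_DEV is the raw swap partition and cryptsetup is installed.
SWAP_DEV="${SWAP_DEV:-/dev/sda3}"   # constructed example device
MAPPER="${MAPPER:-cryptswap}"
RUN="${RUN:-}"                      # RUN=echo prints the commands instead of running them

disable_swap() {
    # Nothing may stay paged out while the machine is asleep ...
    $RUN swapoff -a
    # ... and closing the mapping discards the current key from the kernel.
    if [ -e "/dev/mapper/$MAPPER" ]; then
        $RUN cryptsetup close "$MAPPER"
    fi
}

enable_swap() {
    # Plain dm-crypt with the key read straight from /dev/urandom: no header, no
    # passphrase, and whatever the partition held before is unreadable from now on.
    $RUN cryptsetup open --type plain --cipher aes-xts-plain64 --key-size 512 \
        --key-file /dev/urandom "$SWAP_DEV" "$MAPPER"
    $RUN mkswap "/dev/mapper/$MAPPER"
    $RUN swapon "/dev/mapper/$MAPPER"
}

# systemd invokes sleep hooks as: <script> pre|post suspend|hibernate|hybrid-sleep
case "${1:-}" in
    pre)  disable_swap ;;
    post) enable_swap ;;
esac
```

Because the key changes on every cycle, a hibernation image written to this swap can never be read back, so the hook only suits suspend-to-RAM; hibernation needs a swap device with a persistent key instead.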
More information about the PLUG mailing list