--- On Sun, 9/11/08, markus reichelt wrote:

> It's overkill IMHO

Quite probably :=) It seemed like a nice script idea.

>
> I'd replace password with passphrase in relevant places

Will do, my bad, thanks for pointing this out.

> point out that key scrubbing is only
> available for AES, not the other ciphers.

I was under the impression (perhaps I'm wrong) from a post of Jari's, where he said that loop-aes always tries to remove passphrases from memory by default on a clean unmount anyway. Enabling "keyscrub" does something else I believe, viz. results in moving key bits around in such a way that "burn in" to RAM is not likely. However, "burn in" to RAM has never been proven to be a threat afaik, since no one knows if the technology exists to recover plaintext keys that have been thus burned in. Unlike the proven threat of the cold boot attack, which relies on simple remanence, not burn in.

> Regarding journaling filesystems, disabling of hard drive
> cache is recommended (I do so via hdparm -W0 /dev/hdX) if no UPS is
> used.
>

Do you have a link (perhaps to the list archive) with more info on this? I only vaguely recall what it was all about.

Thanks Markus for your comments.

-
Linux-crypto: cryptography in and on the Linux system
Archive: http://mail.nl.linux.org/linux-crypto/