On Sat, Sep 08, 2012 at 04:37:18PM +0200, Heinz Diehl wrote:
> On 08.09.2012, Arno Wagner wrote:
>
> > Swap can be encrypted with a one-time passphrase. This is more
> > secure than a constant passphrase. It can also be done
> > non-interactively. The (slight) security decrease when encrypting
> > swap with a static passphrase is that in the future you may still
> > find stuff in there if the passphrase gets compromised.
>
> When the passphrase gets compromised it'll be of no relevance what
> somebody will find inside the unencrypted swap. All swap content
> is derived from data of the system itself, which then also will be
> compromised. At least if a global passphrase is used.
>
> If every partition on a system has its own and unique passphrase, nobody
> would attack swapspace in the first place. There's more to get
> attacking the user's /home or the root-partition.

So? You miss the point: If swap can be securely encrypted independently,
this decreases overall system complexity and hence increases security.
For example, swap encryption done this way will not be subject to any
problems with weak passwords.

And yes, it is possible that there are things in swap that cannot be
found in the data partitions. Swap encryption solves a different problem
than data partition encryption. That other encryption could be insecure
on the system is immaterial, swap can (and should) be solved on its own.

And, as I have pointed out, there are reasons to want swap encryption
even when nothing else on the system is encrypted, so the independent
approach needs to be engineered anyways.

Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision.
-- Bertrand Russell
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
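As an added illustration (not part of the list post) of the non-interactive, one-time-key swap encryption Arno describes, here is an /etc/crypttab entry in the crypttab(5) format, with the static-key variant the thread argues against shown commented out for comparison. The device path is a placeholder; the mapping name cryptswap is an assumption.

```conf
# /etc/crypttab: swap mapped with plain dm-crypt (no LUKS header) and a key
# that is regenerated on every boot, so nothing has to be typed or stored.

# Static-key variant: a fixed key file kept on disk. Whoever obtains that
# file later can also read whatever was swapped out in the past.
#   cryptswap  /dev/disk/by-id/EXAMPLE-DISK-part3  /etc/swap.key  swap

# One-time key: read from /dev/urandom at boot, never written anywhere, and
# gone at shutdown, so swap contents from earlier boots stay unrecoverable.
# "swap" runs mkswap on the mapped device after it is set up.
cryptswap  /dev/disk/by-id/EXAMPLE-DISK-part3  /dev/urandom  swap,cipher=aes-xts-plain64,size=256
```

Two practical consequences of the random-key setup: resume from hibernation cannot work, because the key that encrypted the swap image no longer exists after a reboot; and the device must be named by a stable path (by-id, by-partuuid), because plain mode has no header that would reveal a wrong target before mkswap overwrites it.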