Re: Security Flaw in Popular Disk Encryption Technologies
- From: Pawel Jakub Dawidek <pjd@xxxxxxxxxxx>
- Date: Tue, 26 Feb 2008 13:17:51 +0100
On Sat, Feb 23, 2008 at 02:08:54PM +1300, Atom Smasher wrote:
article below. does anyone know how this affects eli/geli?
from the geli man page: "detach - Detach the given providers, which means
remove the devfs entry and clear the keys from memory." does that mean
that geli properly wipes keys from RAM when a laptop is turned off?
Yes, geli tries to clear sensitive informations on detach (mostly keys).
I use a script to suspend my laptop, which detach my encrypted partition
before suspend. In perforce I've suspend/resume geli(8) subcommands that
helps a bit here - on 'geli suspend' command the keys are cleared and
all I/O requests are suspended until 'geli resume' provides proper keys.
This way one doesn't have to unmount file systems to allow 'geli detach'
to succeed.
Of course even if keys are cleared there could still be important data
in RAM (eg. file system's buffer cache).
--
Pawel Jakub Dawidek http://www.wheel.pl
pjd@xxxxxxxxxxx http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!
Attachment:
pgpFciPZUO6cH.pgp
Description: PGP signature
- References:
- Security Flaw in Popular Disk Encryption Technologies
- From: Atom Smasher
- Security Flaw in Popular Disk Encryption Technologies
- Prev by Date: Re: Security Flaw in Popular Disk Encryption Technologies
- Next by Date: Re: Anybody have a patch for pdksh derivatives, for jails?
- Previous by thread: Re: Security Flaw in Popular Disk Encryption Technologies
- Next by thread: Modular type GENERIC?
- Index(es):
Relevant Pages
|
|
