Using encrypted disks
Bruno Wolff III
bruno at wolff.to
Thu Apr 10 06:12:22 UTC 2008
On Wed, Apr 09, 2008 at 18:39:42 +0100,
Anne Wilson <cannewilson at googlemail.com> wrote:
> On Wednesday 09 April 2008 17:33:14 Bruno Wolff III wrote:
> > On Wed, Apr 09, 2008 at 12:54:07 +0100,
> >
> > Anne Wilson <cannewilson at googlemail.com> wrote:
> > > That makes sense. However, at the time I wrote my mind was on my
> > > single-filesystem installation. It just doesn't feel sensible to have to
> > > give the password twice in this case.
> >
> > It is probably easier to securely delete the password if it can be done
> > right away rather than saving it to potentially be used in other mounts
> > (particularly for filesystems mounted by udev).
>
> Sorry, Bruno. I don't understand what you are saying. Could you explain a
> bit more, please?
There are ways that keys saved in memory can be leaked (swap, firewire,
starting a new OS without clearing memory). If you are just using the
key immediately and then writing over the area of memory that it was stored
in you can reduce the likeliness of it leaking. Though for disk encryption
this probably isn't that important (except protecting swap) as you are
only protecting the passphrases. The actual keys needed to decrypt the disks
need to be kept in memory.
More information about the fedora-test-list
mailing list