This is indeed the target of choice for a disk-encrypting software.
But you need to encipher three zones:
-- the swap space, as you stated
-- the whole filesystem itself, because you do not know if your favorite
word-processor won't create temporary files (well, maybe you can
limit yourself to /home and /tmp)
-- the zone that the machine uses for the "suspend to disk" option ;
and I guess that one will be tricky. A potential solution, which covers
also the "suspend to memory" option, is to encipher all data in physical
memory when there is a suspend operation. Only the kernel, including
the code wich asks for the deciphering key, remains clear.
About performance: modern cryptosystem on modern cpus run at about
2 cycles per bit of data.
--Thomas Pornin
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/