> Imagine you have:
> - a Linux laptop with a small amount of RAM
> - Email and important documents encrypted on disk, either
> with GPG / PGP or with an encrypted /home partition.
> - Documents and email are decrypted, viewed, and edited by
> applications, not all of which are SUID root, so
> unencrypted data might be swapped out.
>
> Now that laptop is stolen at an airport. The thief decides
> to try to improve his take by grabbing useful information
> from documents. The encrypted documents are untouchable,
> of course. It _doesn't matter_ that the thief has the
> hardware, the decryption key is protected by a passphrase
> which is _nowhere_ on the hard drive.
As someone just pointed out, if the laptop's suspended, the password for
encrypted swap pretty much has to be in ram, unless you're going to add
hooks in resume such that before anything even starts running again
(possible?) it prompts for the decryption password. Otherwise, you can't
block swap access, and if the data's encrypted, seems like that will crash
the machine.
With encryption boards, what's to stop either hackers with root or people
with physical access from simply dumping everything sent across the bus to
the encryption card, unless your whole [embedded] computer is tamper-
resistant, the kernel doesn't accept loadable modules, and has been proven
secure. The only thing that doesn't have to be attack-resistant is the
hd, since it only ever sees encrypted data.
And of course, "tamper-resistant", not "tamper-proof". I wouldn't bet
very much money against the NSA being able to get at least some data out
of the ibm card.
justin
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/