Protecting sensitive data [was Re: Cleanup for cryptographic algorithms vs. compiler optimizations]

Peter Jeremy peterjeremy at
Mon Jun 14 00:54:58 UTC 2010

On 2010-Jun-13 10:07:15 +0200, Dag-Erling Smørgrav <des at> wrote:
>You always overwrite passphrases, keys etc. as soon as you're done with
>them so they don't end up in a crash dump or on a swap disk or

Which brings up an associated issue: By default, mlock(2) can only be
used by root processes.  It would be really handy if non-privileged
processes could lock small amounts of VM so they can securely handle
passwords, passphrases, keys, etc.  MAC offers the option of allowing
non-root processes access to mlock() but doesn't provide any
restrictions on the amount of memory they can lock.

Peter Jeremy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url :

More information about the freebsd-current mailing list