"sanitizing" disks: wiping swap, non-allocated space, and
file-tails
David Kreil
kreil at ebi.ac.uk
Fri Jul 16 19:04:42 PDT 2004
Dear Allan,
Thank you very much for your helpful comments!
> > [Brooks Davis]
> > If you swap, your performance will be suck enough that encrypting it
> > won't hurt much, especially with modern CPUs. I wouldn't worry at all
> > about that cost. /tmp is probably similar for most applications.
>
> Agreed, the simplest approach for base-level storage security is
> to encrypt it all. Hardware is cheap and fast enough.
I still somewhat worry about the factor four in performance lost that is
mentioned in the gdbe paper. This is no problem for a set of sensitive private
files but at the system level it does cause me worry. As you seem to be so
confident about this, however, (or have I misunderstood you?) I'll be happy to
give it a go.
> Trying to sweep-up afterward is more difficult, any way you look at it.
Yes, I completely agree.
> Another thing to note is /var can contain sensitive data, the locate
> database and mail/print spools to name a few are potential
> areas of significance. Some also consider logs sensitive.
Thanks for pointing this out. The Handbook describes a basic gdbe setup but
mentions that getting other volumes (like /home) onto a gdbe partition was
trickier. Can you tell me which volumes you have successfully put onto a gdbe
partition and what was required to get this working?
I wonder, in particular, what issues I have to expect in wanting to keep
system relevant directories like /var on a gdbe partition.
With many thanks again for your help
and best regards,
David.
------------------------------------------------------------------------
Dr David Philip Kreil ("`-''-/").___..--''"`-._
Research Fellow `6_ 6 ) `-. ( ).`-.__.`)
University of Cambridge (_Y_.)' ._ ) `._ `. ``-..-'
++44 1223 764107, fax 333992 _..`--'_..-_/ /--'_.' ,'
www.inference.phy.cam.ac.uk/dpk20 (il),-'' (li),' ((!.-'
More information about the freebsd-fs
mailing list