"sanitizing" disks: wiping swap, non-allocated space, and file-tails

David Kreil kreil at ebi.ac.uk
Fri Jul 16 19:04:42 PDT 2004


Dear Allan,

Thank you very much for your helpful comments!

> > [Brooks Davis]
> > If you swap, your performance will be suck enough that encrypting it
> > won't hurt much, especially with modern CPUs.  I wouldn't worry at all
> > about that cost.  /tmp is probably similar for most applications.
> 
> Agreed, the simplest approach for base-level storage security is
> to encrypt it all.  Hardware is cheap and fast enough.

I still somewhat worry about the factor four in performance lost that is 
mentioned in the gdbe paper. This is no problem for a set of sensitive private 
files but at the system level it does cause me worry. As you seem to be so 
confident about this, however, (or have I misunderstood you?) I'll be happy to 
give it a go.

> Trying to sweep-up afterward is more difficult, any way you look at it.

Yes, I completely agree.

> Another thing to note is /var can contain sensitive data, the locate
> database and mail/print spools to name a few are potential
> areas of significance.  Some also consider logs sensitive.

Thanks for pointing this out. The Handbook describes a basic gdbe setup but 
mentions that getting other volumes (like /home) onto a gdbe partition was 
trickier. Can you tell me which volumes you have successfully put onto a gdbe 
partition and what was required to get this working?
I wonder, in particular, what issues I have to expect in wanting to keep 
system relevant directories like /var on a gdbe partition.

With many thanks again for your help

and best regards,

David.

------------------------------------------------------------------------
Dr David Philip Kreil                 ("`-''-/").___..--''"`-._
Research Fellow                        `6_ 6  )   `-.  (     ).`-.__.`)
University of Cambridge                (_Y_.)'  ._   )  `._ `. ``-..-'
++44 1223 764107, fax 333992         _..`--'_..-_/  /--'_.' ,'
www.inference.phy.cam.ac.uk/dpk20   (il),-''  (li),'  ((!.-'




More information about the freebsd-fs mailing list