[Pkg-cryptsetup-devel] uswsusp and cryptoswap
Helmut Grohne
helmut at subdivi.de
Wed Jun 13 21:32:13 UTC 2007
Hi,
I tried to use luks to encrypt swapspace for uswsusp, because this will
also encrypt normal swapping activity and not only hibernation. After
reading and experimenting with cryptsetup's initramfs hooks I found some
things:
The initramfs tries to limit the rate at which passwords can be entered
by invoking sleep 3 on failures. I generally appreciate this behaviour,
but in this case it would be cool if there was an easy way to disable
this feature (easy means not editing files under /usr).
In contrast to this high security the initramfs proposes normal booting
after several password failures. I don't see any advantage in this
behaviour. Assuming the user doesn't use cryptoroot this leads to an
easier way to get a running system as an attacker. If one really does
not want to resume there is an easier way than pressing enter all the
time: append noresume to kernel command line. This also has the
advantage, that a boot loader can be configured not to accept these
modifications without a password. I therefore suggest asking for
passwords until it is valid or a configurable behaviour.
Otherwise uswsusp seems to work great with cryptsetup and luks (i.e.
roughly out of the box with some googling, documentation would be
great). (Actually I only tried in qemu yet. ;-)
Please cc me on replies as I'm not on the list.
Greetings
Helmut
More information about the Pkg-cryptsetup-devel
mailing list