Please Consider Increasing SECMEM_BUFFER_SIZE To 1048576

Peter Lebbing peter at digitalbrains.com
Thu Oct 19 18:08:52 CEST 2017


On 13/10/17 19:42, Daniel Kahn Gillmor wrote:
> Also, any sensible use of swap today on any machine that has sensitive
> data should be done with an ephemerally-encrypted swap device.  In
> particular, on GNU/Linux systems with cryptsetup, that means something
> like:

What about a laptop that needs to hibernate? I use full disk encryption, but my
swap is just part of the same encrypted LVM physical volume, encrypted with the
same non-ephemeral key as the rest of the disk. It would be nice to refresh the
key for swap quite often, but this seems non-trivial.

Peter.

PS: In earlier Debian releases, I also found out that if I used an ephemeral key
for both swap and /tmp, my system would run out of entropy during boot. I don't
know if this is still an issue. The way I solved it back then would not have
worked with systemd, since they decided to not support the "keyscript" option.
This seems like quite a big omission in systemd to me.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
