Secure text editor?

Peter Lebbing peter at digitalbrains.com
Tue May 15 15:39:46 CEST 2007 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks for all the helpful posts.

I think I will go with just using my Linux laptop for it. I can just encrypt
the swap, it's not difficult, I've played with cryptoloop before. I didn't
use it for swap, but it's identical. And while I'm at it, I'll just add a
file-backed cryptoloop for a small encrypted partition, which imho is easier
than using the vim plugin, although I will actually be using vim :). It's my
favourite editor on Linux. In that respect I have an important question: it
is correct that vim only makes a swapfile in the same directory, right? No
cute extra files in /tmp? :)

And yes, it's perfectly possible to run without swap at all under Linux. But
crypting the swap is rather trivial and it can be a useful addition. Since
Linux doesn't use the swap intensively on normal use, the performance
penalty is low. Windows seems to me to have a habit of overusing the swap,
and an en-/decryption on every use might incur quite some performance penalty.

The usual recipe involves choosing a random key on startup which is only
kept in memory, so on shutdown (controlled or forced) the contents of the
swap are just garbage since not even the legitimate owner still has the key.
Swap doesn't need to persist over reboot.

In this respect I have a nice idea, if you're worried about the swap
remaining readible to root later on during uptime (when it becomes hacked).
After all, some boxes stay up for years, so the swap is never wiped on
reboot. It might be a bit paranoid, but the procedure is so easy that I
thought I should mention it. Instead of using 1 swapspace of 512 MiB
(example), you set up two partitions of 512 MiB. You only use one, crypted.
After you've done something you wish to hide, you enable the other crypted
swap, and disable the original crypted swap /after that/. If you assume the
key for the crypted device is lost this way, your original data is
scrambled, and only active pages are transferred to the new swap when you
disable the first swapspace. If you're afraid the kernel might have swapped
the page containing the original key to the new swapspace, you "shred" the
old swapspace, but I think chances are low: a driver that handles crypting
to swap will not swap it's own key out, because how is it going to unswap
it? It needs the key to decrypt the key. The driver is written to keep
everything needed to access the swap in main memory. The only possibility is
that it keeps a second copy of the key, but I think this is unlikely. And
with this procedure, you always have a minimum of 512 MiB swap, unlike when
you just disable and re-enable the swap.

Alessandro Vesely talked about snooping in the memory space of the process.
Yes, if your computer is compromised, all activity at that moment is also
compromised. The thing with swapspace though, is that the plaintext remains
on disk long after you've edited the file!

- From the whole discussion I get the idea that it's not that sure that
Windows respects a locked page in the sense as we're talking about it here.
Hibernation though is not an issue. Obviously if you hibernate, all pages
are written to disk. You simply shouldn't hibernate while editing a
sensitive document. Anyway, after the previous messages I'm not convident
enough Windows will keep my plaintext off of the disk, not even with
LockNote mentioned by Zach Himsel. So I'll just accept the extra trouble of
grabbing my laptop in case I need the file. I am confident enough that Linux
with crypted swap and partition will keep it safe. I don't want my Windows
partition containing the literal text "Password for root access to important
machine: geheim". Maybe all of it is overkill for my security needs, but
it's not that much trouble. I just remember that time when my FAT root
directory was wrecked, and I recovered schoolwork by searching the whole
partition for a rather unique phrase I remembered having used in the
document :).

Thanks all,

Peter.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQCVAwUBRkm4IPqr/97I5g4/AQLi2QP+NB2iRq4btjzmCx0HZk4k5zR7SHHnEgKK
IxiLGT6Y+8pKO23pWaK4y1YfxTKN2c8e70Xxzlk2u4oEdh1xiYUZk4E6CxxEE2wx
eSOxHV8sYQ2l2wkvcrGyJ6X5IP7JfRbguBEoWlmaVaiwKZArgUBbk+MGq4UJ8SXA
xQCFSC/5U9M=
=kbph
-----END PGP SIGNATURE-----

More information about the Gnupg-users mailing list