Security Flaw in Popular Disk Encryption Technologies
Pawel Jakub Dawidek
pjd at FreeBSD.org
Tue Feb 26 12:51:47 UTC 2008
On Sat, Feb 23, 2008 at 02:08:54PM +1300, Atom Smasher wrote:
> article below. does anyone know how this affects eli/geli?
>
> from the geli man page: "detach - Detach the given providers, which means
> remove the devfs entry and clear the keys from memory." does that mean
> that geli properly wipes keys from RAM when a laptop is turned off?
Yes, geli tries to clear sensitive informations on detach (mostly keys).
I use a script to suspend my laptop, which detach my encrypted partition
before suspend. In perforce I've suspend/resume geli(8) subcommands that
helps a bit here - on 'geli suspend' command the keys are cleared and
all I/O requests are suspended until 'geli resume' provides proper keys.
This way one doesn't have to unmount file systems to allow 'geli detach'
to succeed.
Of course even if keys are cleared there could still be important data
in RAM (eg. file system's buffer cache).
--
Pawel Jakub Dawidek http://www.wheel.pl
pjd at FreeBSD.org http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-hackers/attachments/20080226/53108a10/attachment.pgp
More information about the freebsd-hackers
mailing list