Date: Tue, 11 Jan 2011 10:11:48 +0100
From: Arno Wagner
Message-ID: <20110111091147.GA4260@tansi.org>
References: <4D266EF9.6090904@gmail.com> <20110111000816.GC31936@rz>
In-Reply-To: <20110111000816.GC31936@rz>
Subject: Re: [dm-crypt] Dmcrypt and hibernate key disclosure
To: dm-crypt@saout.de

On Tue, Jan 11, 2011 at 01:08:16AM +0100, Richard wrote:
> On Fri, Jan 07, 2011 at 09:40:09AM +0800, Aaron Lewis wrote:
> > Hi,
> > If I hibernate with a device opened, before I resume, an image was
> > written on the swap partition. Will there be a problem with my secret key's
> > disclosure?
> >
> > Just an off-line attack, if swap is not encrypted.
>
> Swap must be encrypted. Works nicely on Fedora, one boot partition and a
> big encrypted dm0 device with several LVM partitions on top of it.
>

Well, if you are not asked for the swap encryption key on wakeup,
basically everything is open. That would be a rather
obvious implementation error though. If you get asked, then it
depends on the implementation, but they do have the right idea.

Arno
-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
GnuPG: ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C 0296  797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier
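The point both replies make, that a hibernation image written to unencrypted swap exposes the dm-crypt key, suggests a defender's check: every active swap area must be backed by dm-crypt, either directly or through LVM sitting on a LUKS device as in Richard's setup. The script below is an added example, not code from this thread or the dm-crypt project; it assumes the Linux /proc/swaps format, `dmsetup table` output, and the /sys/block/dm-*/dm/name and /sys/block/dm-*/dev files, and its sample inputs are constructed.

```python
import re
import subprocess
from pathlib import Path

def parse_dmsetup_table(text):
    """Parse `dmsetup table` output into {mapper name: [(target type, [args]), ...]}."""
    tables = {}
    for line in text.splitlines():
        name, _, rest = line.partition(":")
        fields = rest.split()
        if len(fields) >= 3:
            tables.setdefault(name.strip(), []).append((fields[2], fields[3:]))
    return tables

def backed_by_crypt(name, tables, names):
    """True if mapper device `name` is a crypt target, or is linear/striped entirely on crypt devices."""
    if name not in tables:
        return False
    for target, args in tables[name]:
        if target == "crypt":
            continue
        if target not in ("linear", "striped"):
            return False  # unknown target: not proven to be encrypted
        lower = [names.get(a) for a in args if re.fullmatch(r"\d+:\d+", a)]  # MAJ:MIN of lower devices
        if not lower or not all(d and backed_by_crypt(d, tables, names) for d in lower):
            return False  # a raw partition (no mapper name) or an unencrypted dm device underneath
    return True

def unencrypted_swaps(proc_swaps, dmsetup_out, names):
    """Swap areas from /proc/swaps not proven to sit on dm-crypt; swap files are flagged conservatively."""
    tables = parse_dmsetup_table(dmsetup_out)
    bad = []
    for line in proc_swaps.splitlines()[1:]:  # first line is the column header
        path, kind = line.split()[:2]
        if kind != "partition" or not backed_by_crypt(names.get(path, ""), tables, names):
            bad.append(path)
    return bad

def live_check():
    """Run on the live Linux host (root needed for dmsetup); maps /dev/dm-N and MAJ:MIN to mapper names."""
    names = {}
    for p in Path("/sys/block").glob("dm-*"):
        names["/dev/" + p.name] = names[(p / "dev").read_text().strip()] = (p / "dm/name").read_text().strip()
    out = subprocess.run(["dmsetup", "table"], capture_output=True, text=True, check=True).stdout
    return unencrypted_swaps(Path("/proc/swaps").read_text(), out, names)

# Constructed sample: a swap LV on LVM on a LUKS device (fine) plus a plain partition (image would leak the key).
SAMPLE_SWAPS = "Filename Type Size Used Priority\n/dev/dm-2 partition 8388604 0 -2\n/dev/sda3 partition 4194300 0 -3\n"
SAMPLE_TABLE = "luks-sda2: 0 400000000 crypt aes-xts-plain64 00000000 0 8:2 4096\nvg0-swap: 0 8388608 linear 253:0 200002048\n"
SAMPLE_NAMES = {"/dev/dm-0": "luks-sda2", "253:0": "luks-sda2", "/dev/dm-2": "vg0-swap", "253:2": "vg0-swap"}
```

Swap files are flagged regardless, because the check does not resolve the filesystem they live on; `unencrypted_swaps(SAMPLE_SWAPS, SAMPLE_TABLE, SAMPLE_NAMES)` returns `['/dev/sda3']`, and `live_check()` applies the same logic to the running host.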