From owner-freebsd-security  Mon Jul 24 11:54: 9 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ywing.creative.net.au (ywing.creative.net.au [203.56.168.34])
	by hub.freebsd.org (Postfix) with ESMTP
	id 4345A37B972; Mon, 24 Jul 2000 11:53:40 -0700 (PDT)
	(envelope-from adrian@ywing.creative.net.au)
Received: (from adrian@localhost)
	by ywing.creative.net.au (8.9.3/8.9.3) id VAA64125;
	Mon, 24 Jul 2000 21:00:42 +0200 (CEST)
	(envelope-from adrian)
Date: Mon, 24 Jul 2000 21:00:42 +0200
From: Adrian Chadd <adrian@FreeBSD.ORG>
To: Terje Elde <terje@elde.net>
Cc: Robert Watson <rwatson@FreeBSD.ORG>,
	Sheldon Hearn <sheldonh@uunet.co.za>,
	=?iso-8859-1?Q?Joachim_Str=F6mbergson?= <watchman@ludd.luth.se>,
	Greg Lewis <glewis@trc.adelaide.edu.au>, freebsd-security@FreeBSD.ORG
Subject: Re: Status of FreeBSD security work? Audit, regression and crypto swap?
Message-ID: <20000724210042.O62551@ywing.creative.net.au>
References: <Pine.BSF.4.21.0007181838570.28415-100000@achilles.silby.com> <Pine.NEB.3.96L.1000719165025.73365A-100000@fledge.watson.org> <20000720124805.D70017@dlt.follo.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: <20000720124805.D70017@dlt.follo.net>; from terje@elde.net on Thu, Jul 20, 2000 at 12:48:05PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Jul 20, 2000, Terje Elde wrote:
> > Personally, my big fear is my notebook computer.  I can encrypt data on it
> > using command line tools, but I'd much rather see a device layer that I
> > can use to protect both swap and sensitive partitions.  Swap could use a
> > randomized key, and mounting of data partitions could rely on a
> > user-provided key for the device layer.  A crypto-fs might be more fun,
> > but if we have the facility to layer device access, we might as well use
> > that for a quicky solution.  It's easy for someone to walk off with
> > personal computing devices -- in the office, at home, at the airport, ...
> 
> For a "ugly hack, but up and running today" kinda solution, you could always
> do what I do... Use cfs (yes, the software tcfs is based on is running under
> freebsd, and is available in the ports collection) for your file systems, then
> swap to a file, on one of the encrypted file systems.
> 
> It's not a pretty sight, but it does the job.

Whats wrong with a bdev io layer like vinum/ccd which does crypto?
Then you could swap and filesystem to your block devices to your hearts
content with whatever filesystem you wanted?


Adrian

-- 
Adrian Chadd			Now 17-year-olds can't play a _video game_
<adrian@FreeBSD.org>		because its called violent -
				and real violence is still called dinner.
					-- jamie@mccarthy.org


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message