Date:      Tue, 7 Sep 2010 03:33:27 -0700
From:      Jeremy Chadwick <freebsd@jdc.parodius.com>
To:        Carl <k0802647@telus.net>
Cc:        freebsd-fs@freebsd.org, Pawel Jakub Dawidek <pjd@FreeBSD.org>
Subject:   Re: geli'd swap and core dumps
Message-ID:  <20100907103327.GA12222@icarus.home.lan>
In-Reply-To: <4C860FAC.5070700@telus.net>
References:  <4C834D1A.2010405@telus.net> <20100905150344.GD1900@garage.freebsd.pl> <4C860FAC.5070700@telus.net>

On Tue, Sep 07, 2010 at 03:10:52AM -0700, Carl wrote:
> On 2010-09-05 8:03 AM, Pawel Jakub Dawidek wrote:
> >>What are best practices for achieving encrypted swap and functional core
> >>dump recovery? Or are these mutually exclusive goals?
> >
> >Well, the idea to encrypt swap is to prevent any sensitive data to be
> >stored on disk unencrypted where it might last for a long time.
> >If you configure to dump kernel memory to a disk (kernel dumps are not
> >encrypted) you kinda miss the point, as kernel memory can contain a lot
> >of sensitive data.
> 
> It makes sense that best practice would be to disable the dump
> device, yet it appears dumpdev is set to AUTO as the default on
> current versions of FreeBSD. Does AUTO imply a behaviour that will
> intelligently recognize the lack of a functional dumpdev in the case
> of a geli'd swap or do I need to explicitly set dumpdev to NO to
> avoid errors on normal startups or even bad behaviour during a
> kernel panic?

dumpdev="auto" results in the system rc scripts examining /etc/fstab to
look for any swap slices you've defined there.

If there are none listed in /etc/fstab, then you should set the dump
device explicitly using dumpdev="/dev/xxx" syntax.  If there are some in
/etc/fstab which you don't want to use, apply the same advice.

-- 
| Jeremy Chadwick                                   jdc@parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
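
Added example, not part of the original message or of FreeBSD's rc scripts: a small audit that lists the swap entries in an fstab file, which per the message above are what dumpdev="auto" examines, and marks which are geli-backed. It assumes geli-encrypted swap is listed with a ".eli" device suffix; the function names and the sample device names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which fstab swap entries are geli-backed.
# Assumption: encrypted swap appears in fstab with a ".eli" device suffix.

# swap_dump_candidates FSTAB
# Prints one line per swap entry: "<device> encrypted" or "<device> plain".
swap_dump_candidates() {
    fstab=${1:-/etc/fstab}
    # fstab fields: device, mountpoint, fstype, options, dump, pass
    while read -r dev mp type rest; do
        case "$dev" in ''|'#'*) continue ;; esac   # blank line or comment
        [ "$type" = "swap" ] || continue
        case "$dev" in
            *.eli) echo "$dev encrypted" ;;
            *)     echo "$dev plain" ;;
        esac
    done < "$fstab"
}

# plain_swap_count FSTAB
# Prints the number of swap entries that are not geli-backed, i.e. places
# where an unencrypted kernel dump could end up on disk.
plain_swap_count() {
    swap_dump_candidates "$1" | awk '$2 == "plain" { n++ } END { print n + 0 }'
}

# Constructed sample fstab (device names are made up for this example).
sample_fstab() {
    cat <<'EOF'
# Device          Mountpoint  FStype  Options  Dump  Pass#
/dev/ada0p2       /           ufs     rw       1     1
/dev/ada0p3.eli   none        swap    sw       0     0
/dev/ada1p1       none        swap    sw       0     0
EOF
}

# Demo run against the constructed sample.
demo_file=$(mktemp)
sample_fstab > "$demo_file"
swap_dump_candidates "$demo_file"
echo "plain swap entries: $(plain_swap_count "$demo_file")"
rm -f "$demo_file"
```

Run with a real path, for example `swap_dump_candidates /etc/fstab`, and compare the result with the dumpdev setting in /etc/rc.conf.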



