Date: Tue, 7 Sep 2010 03:33:27 -0700
From: Jeremy Chadwick <freebsd@jdc.parodius.com>
To: Carl <k0802647@telus.net>
Cc: freebsd-fs@freebsd.org, Pawel Jakub Dawidek <pjd@FreeBSD.org>
Subject: Re: geli'd swap and core dumps
Message-ID: <20100907103327.GA12222@icarus.home.lan>
In-Reply-To: <4C860FAC.5070700@telus.net>
References: <4C834D1A.2010405@telus.net> <20100905150344.GD1900@garage.freebsd.pl> <4C860FAC.5070700@telus.net>

On Tue, Sep 07, 2010 at 03:10:52AM -0700, Carl wrote:
> On 2010-09-05 8:03 AM, Pawel Jakub Dawidek wrote:
> >>What are best practices for achieving encrypted swap and functional core
> >>dump recovery? Or are these mutually exclusive goals?
> >
> >Well, the idea to encrypt swap is to prevent any sensitive data to be
> >stored on disk unencrypted where it might last for a long time.
> >If you configure to dump kernel memory to a disk (kernel dumps are not
> >encrypted) you kinda miss the point, as kernel memory can contain a lot
> >of sensitive data.
>
> It makes sense that best practice would be to disable the dump
> device, yet it appears dumpdev is set to AUTO as the default on
> current versions of FreeBSD. Does AUTO imply a behaviour that will
> intelligently recognize the lack of a functional dumpdev in the case
> of a geli'd swap or do I need to explicitly set dumpdev to NO to
> avoid errors on normal startups or even bad behaviour during a
> kernel panic?

dumpdev="auto" results in the system rc scripts examining /etc/fstab to
look for any swap slices you've defined there. If there are none listed
in /etc/fstab, then you should set the dump device explicitly using
dumpdev="/dev/xxx" syntax. If there are some in /etc/fstab which you
don't want to use, apply the same advice.

-- 
| Jeremy Chadwick                                   jdc@parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
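
The check below is an added example, not part of the original message and not FreeBSD's rc code: it reads an rc.conf and an fstab and reports where a kernel dump could land, following only the AUTO behaviour described in the message above. The function names, verdict strings and sample device names are assumptions made for the illustration, and an unset dumpdev is treated as AUTO, as the thread states.

```shell
# Added example: audit helper built from the thread, not FreeBSD's rc code.
# Print the device of every /etc/fstab-style entry whose type is "swap".
swap_devices() {
    while read -r dev mp type rest; do
        case "$dev" in ''|\#*) continue ;; esac
        if [ "$type" = "swap" ]; then echo "$dev"; fi
    done < "$1"
}

# Print the last dumpdev= value in an rc.conf-style file.
# Unset is reported as AUTO, the default the thread describes (assumption).
dumpdev_setting() {
    val=AUTO
    while IFS= read -r line; do
        case "$line" in
            dumpdev=*) val=${line#dumpdev=}; val=${val%%#*} ;;
        esac
    done < "$1"
    printf '%s\n' "$val" | tr -d "\"' \t"
}

# audit RCCONF FSTAB prints one verdict:
#   dump-disabled     dumpdev is NO
#   no-swap-in-fstab  AUTO, but fstab lists no swap entry to pick
#   geli-swap-only    every candidate is a geli provider (.eli suffix)
#   plaintext-target  a candidate is an unencrypted device
audit() {
    setting=$(dumpdev_setting "$1")
    case "$setting" in
        [Nn][Oo]) echo dump-disabled; return 0 ;;
        [Aa][Uu][Tt][Oo]) candidates=$(swap_devices "$2") ;;
        *) candidates=$setting ;;
    esac
    if [ -z "$candidates" ]; then echo no-swap-in-fstab; return 0; fi
    for dev in $candidates; do
        case "$dev" in *.eli) ;; *) echo plaintext-target; return 0 ;; esac
    done
    echo geli-swap-only
}

# Constructed sample input (device names are made up for the demo).
demo() {
    d=$(mktemp -d) || return 1
    printf 'hostname="example"\n' > "$d/rc.conf"          # dumpdev unset
    printf '/dev/ada0p2.eli none swap sw 0 0\n/dev/ada0p3 / ufs rw 1 1\n' > "$d/fstab"
    audit "$d/rc.conf" "$d/fstab"
    rm -rf "$d"
}
demo
```

A `geli-swap-only` verdict is the situation Carl asks about; `plaintext-target` is the case Pawel warns about, where kernel memory would be written to disk unencrypted.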