OESF Portables Forum

Model Specific Forums => Sharp Zaurus => Zaurus - pdaXrom => Topic started by: daniel3000 on January 09, 2007, 08:53:40 am

Title: Swap Security Issues
Post by: daniel3000 on January 09, 2007, 08:53:40 am
Hello,

using a password manager (PWM/PI or similar) or in general programs which encrypt data has one caveat: if RAM, which holds decrypted data, is swapped to disk, the decrypted data may be stored for some time on the disk and may be found using searches on the disk device, even after the application has been closed.

Is there a way to prevent this?

I have heard Linux may be able to encrypt its swap. Is this possible on pdaXrom?

Or is there a way to tell a program not to use the swap at all (or to tell Linux not to swap data of a specific program)?

Thanks
daniel
Title: Swap Security Issues
Post by: Bundabrg on January 09, 2007, 08:47:19 pm
I'd have to say that considering your Z, which is used by you alone and not a multi-user system, it is probably fairly safe from this sort of attack.

Perhaps an option is to have a script so that when the password app is run, swap is disabled (swapoff -a).

Most password managers will decrypt a single password (unless you select to view them all) and 'forget' the decrypted password after a few seconds of inactivity.

I've got an APM.d script that when I suspend, it will kill all password programs first.

 - Bundabrg
Title: Swap Security Issues
Post by: daniel3000 on January 10, 2007, 04:36:08 am
Hello Bundabrg,

I am so paranoid because my first C3000 got stolen. So I worried about whether the thief could reveal my passwords that way. Of course it would have needed a lot of knowledge, which the average PDA thief will probably not have, but who knows.
And having stored lots of valuable passwords there, I wanted to be sure and took a day to modify all passwords and pins after the theft.

I used to use PWM/PI which works the way you describe (only decrypt one PW, then forgetting it). But I plan to switch to another application which does it another way (decrypting the entire file). So that danger is even higher.

A swapoff -a via script is a good idea; however, it can lead to problems when a lot of applications are open when I want to access a password.

I have read some web pages about this topic, and there indeed are ways to encrypt the Linux swap space by setting up an encrypted loop device, but they all seem to require aes or other encryption kernel modules, which are not available in pdaXrom.

Or did anyone compile these modules already?
I always wanted to set up a cross compiling environment for pdaXrom, but never had the time to do so.

Another issue might be performance. If swapping action is slowed down by encryption and decryption, it may slow down the entire system significantly.

daniel
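
The swapoff -a wrapper suggested by Bundabrg, with a check for the problem daniel3000 raises (too many applications open for the swapped-out pages to fit back into RAM), as an added example that is not part of the original thread. The function names, the 4096 kB margin and the MemFree + Buffers + Cached estimate are assumptions; "pwmanager" in the comment is a placeholder for whatever password program is used.

```shell
#!/bin/sh
# Added example, not from the thread. Run as root: run_without_swap.sh pwmanager

# meminfo_kb FIELD [FILE]: print FIELD's value in kB (0 if the field is absent).
meminfo_kb() {
    awk -v f="$1:" '$1 == f { v = $2 } END { print v + 0 }' "${2:-/proc/meminfo}"
}

# swapoff_is_safe [FILE] [MARGIN_KB]: succeed if the pages now in swap, plus a
# safety margin, fit into free and reclaimable RAM. MemFree + Buffers + Cached
# is only an estimate, because not all of Cached can be dropped.
swapoff_is_safe() {
    file=${1:-/proc/meminfo}
    margin=${2:-4096}
    swap_total=$(meminfo_kb SwapTotal "$file")
    swap_free=$(meminfo_kb SwapFree "$file")
    mem_free=$(meminfo_kb MemFree "$file")
    buffers=$(meminfo_kb Buffers "$file")
    cached=$(meminfo_kb Cached "$file")
    swap_used=$(( swap_total - swap_free ))
    avail=$(( mem_free + buffers + cached ))
    [ $(( swap_used + margin )) -le "$avail" ]
}

# run_without_swap CMD [ARGS...]: disable swap, run CMD, re-enable swap.
# Refuses to start CMD if emptying swap would exhaust RAM.
run_without_swap() {
    if ! swapoff_is_safe; then
        echo "not enough free RAM to empty swap; close some applications" >&2
        return 1
    fi
    swapoff -a || return 1
    "$@"
    status=$?
    swapon -a          # restore swap once the password program has exited
    return "$status"
}

# Only act when a command was given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    run_without_swap "$@"
fi
```

swapoff -a only stops further swapping: it does not overwrite blocks that were written to the swap device earlier, so the wrapper protects only data decrypted after it has started.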
Title: Swap Security Issues
Post by: kkazakov13 on January 11, 2007, 05:11:48 pm
I'm using bestcrypt which works perfectly on beta3. I have a script which looks like this:

crypt_start.sh:

#!/bin/bash

/etc/rc.d/init.d/bcrypt start
if [ ! -f "/storage/work/.exists" ]; then
    bctool mount /storage/work.dsk /storage/work
fi

crypt_end.sh:

#!/bin/bash
bctool umount /storage/work
/etc/rc.d/init.d/bcrypt stop


You can get my bestcrypt package (with all kernel modules) from here:

http://z.drun.net/files/active/0/bestcrypt_1.6.7_armv5tel.ipk