Austin S. Hemmelgarn posted on Mon, 28 Mar 2016 08:35:59 -0400 as excerpted: > The other caveat that nobody seems to mention outside of specific cases > is that using suspend to disks exposes you to direct attack by anyone > with the ability to either physically access the system, or boot an > alternative OS on it. This is however not a Linux specific issue > (although Windows and OS X do a much better job of validating the > hibernation image than Linux does before resuming from it, so it's not > as easy to trick them into loading arbitrary data). I believe that within the kernel community, it's generally accepted that physical access is to be considered effectively full root access, because there's simply too many routes to get root if you have physical access to practically control them all. I've certainly read that. Which is what encryption is all about, including encrypted / (via initr*) if you're paranoid enough, as that's considered the only effective way to thwart physical-access == root-access. And even that has some pretty big assumptions if physical access is available, including that no hardware keyloggers or the like are planted, as that would let an attacker simply log the password or other access key used. One would have to for instance use a wired keyboard that they kept on their person (or inspect the keyboard, including taking it apart to check for loggers), and at minimum visually inspect its connection to the computer, including having a look inside the case, to be sure, before entering their password. Or store the access key on a thumbdrive kept on the person, etc, and still inspect the computer left behind for listening/ logging devices... In practice it's generally simpler to just control physical access entirely, to whatever degree (onsite video security systems with tamper- evident timestamping... kept in a vault, missile silo, etc) matches the extant paranoia level. Tho hosting the swap, and therefore hibernation data, on an encrypted device that's setup by the initr* is certainly possible, if it's considered worth the trouble. Obviously that's going to require jumping thru many of the same hoops that (as mentioned upthread) splitting the hibernate image between devices will require, as it generally uses the same underlying initr*-based mechanisms. I'd certainly imagine the Snowden's of the world will be doing that sort of thing, among the multitude of security options they must take. -- Duncan - List replies preferred. No HTML msgs. "Every nonfree program has a lord, a master -- and if you use the program, he is your master." Richard Stallman -- To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
