[arch-general] Encrypted ram disk?

Ciprian Dorin, Craciun ciprian.craciun at gmail.com
Wed Oct 28 13:13:51 EDT 2009 

On Tue, Oct 27, 2009 at 11:46 PM, Tamir Daniely <tamirdaniely at gmail.com> wrote:
> On Tue, Oct 27, 2009 at 10:34 PM, Karol Babioch <karol at babioch.de> wrote:
>
>> Hi,
>>
>> after setting up a full system encryption, which works just fine
>> basically, I know want to create a ram disk.
>>
>> I though that /tmp could be outsourced to a ram disk, to speed things
>> up.
>>
>> However I'm wondering whether it really makes sense to encrypt this. If
>> there is someone able to read my ram, there is nothing I can do about
>> it, so encryption wouldn't work, would it? Furthermore the content of
>> the RAM gets encrypted when suspending, as my swap partition is
>> encrypted. Moreover I think that it would slow down the ram disk, and
>> that the benefit wouldn't be that great at all.
>>
>> So what do you think, is there any rational reason to encrypt a ram
>> disk, or is it fair enough, when I just create an unencrypted one
>> for /tmp?
>>
>> Is there anything I can read about this topic?
>>
>> --
>> Best regards,
>> Karol Babioch <karol at babioch.de>
>>
>
> Hi,
>
> >From a technical prospective, reading ram post system shutdown or crash is
> definitely possible, the data is preserved for several minutes depending on
> the ram technology, and the time the data can be accessed can be increased
> significantly by cooling or freezing the ram itself.
>
> I might be wrong and this is generally speaking because I'm not a linux
> expert, but in my opinion a standard home pc wouldn't manage the processing
> requirements for encrypting a file system on the ram in real-time (At least
> not for any reasonable encyrptions) without major slowdowns. There are
> though hardware encryption solutions that could handle the workload of
> encrypting the ram in real time. You can look up information on
> cryptographic hardware if it interests you.
>
> I don't think this is realistic or necessery for home systems, I personally
> am not afraid of someone stealing my ram to get to my facebook password. And
> of course there are a lot easier ways to get the information.
>
> Shauros

    Hello all!

    As pointed, the encryption of a RAM disk would be useless, because
the data would in the end reach in the RAM, but in another portion.

    Also instead of using a RAM disk (like the one for init-rd) I
would advise you to use tmpfs, which was created specifically for this
purpose. (It has lower overhead, and it ocupies only as you use it.)
But in this case (as in the case of a RAM disk), encryption of swap is
mandatory.

    Just out of curiosity: what solution did you use for full system
encryption? And if this thread was started, what solutions do other
ArchLinux users recommend?

    Ciprian.

More information about the arch-general mailing list