Pierre-Elliott Bécue dixit:

>> In a cronjob, I basically do swapoff && cryptdisks_stop && \
>> cryptdisks_start && swapon for both swaps individually to throw away
>> the old encryption key regularly (but not too frequently).
>
>Ooc, what do you expect to actually gain from this setup?

Encryption key rotation. Pages encrypted with the old key are no
longer readable afterwards.

This is for long-running VMs, on hoster infra, mostly (so the hoster
could snapshot the storage any time (ok, they could also snapshot
the RAM, but…)).

This is to get a bit closer to swapencrypt on BSD, which uses
separate keys for each page or set of pages, AIUI.

bye,
//mirabilos
-- 
As long as you don't pull any dirty tricks, and I mean *really* dirty
tricks, like XORing both pointers of a doubly linked list and storing
them in a single word, Boehm works quite excellently.
	-- Andreas Bogk on boehm-gc in d.a.s.r

