User Story
As a user who works with sensitive data I want my laptop to encrypt all data in memory when it goes into hibernation so that it is safe from cold-boot attacks, and safe if my laptop is lost or stolen.
Implementation Notes
Where functionality is already supported/available, it still should be documented for usability purposes.
Acceptance Criteria
Full disk encryption that includes the boot partition. I believe ZFS should already support this.
Support for the AES family of encryption algorithms 128-bit and 256-bit, SHA256 and SHA512, CCM and GCM modes. I believe OpenZFS already supports these, e.g. aes-256-gcm.
Password based key derivation. Meaning upon boot, the boot loader will ask for a password to decrypt the drive. This password will be converted to an encryption key (very standard) for the decryption.
The ability to change this password at a later date without having to re-encrypt the drive. ZFS has this.
[NEW to ZFS disk encryption] We need to be able to encrypt the swap partition or a swap file that stores the RAM from a hibernation event. Linux does something like this. https://wiki.alpinelinux.org/wiki/Full_disk_encryption_secure_boot
NOTE: Basically you set up the boot loader to look for a physical offset on the encrypted drive that houses the swap file. This is not a requirement; it could be a swap partition. If the swap file is used and sitting on the / drive, then if you encrypt the root drive you are by default encrypting the hibernation state. The trick is pointing the kernel to this location to decrypt it. Alternatively, you can have the hibernation store state in the swap partition. In this case we just have to know the swap partition is encrypted.
When resuming a hibernation, invoke the boot loader, enter a password and resume the state from the swap file or swap partition.
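Added illustration (not part of the original issue and not OpenZFS or boot loader code) of how the two password criteria above fit together: data is encrypted under a random master key, the password only derives a wrapping key for that master key, so a password change rewraps 32 bytes instead of re-encrypting the drive. Assumptions: the function names and iteration count are hypothetical, and the HMAC-based wrap is a standard-library stand-in for an AES key wrap.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # constructed value for the example, not taken from the issue


def derive_wrapping_key(password: str, salt: bytes) -> bytes:
    # PBKDF2 turns the boot-time password into 64 bytes: 32 to encrypt, 32 to authenticate.
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS, dklen=64)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in cipher: HMAC-SHA256 in counter mode (a real system would use AES here).
    blocks = (length + 31) // 32
    stream = b"".join(
        hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(blocks)
    )
    return stream[:length]


def wrap(master_key: bytes, password: str) -> dict:
    # Fresh salt and nonce on every wrap, so old blobs cannot be replayed under a new password.
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    key = derive_wrapping_key(password, salt)
    enc_key, mac_key = key[:32], key[32:]
    ct = bytes(a ^ b for a, b in zip(master_key, _keystream(enc_key, nonce, len(master_key))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def unwrap(blob: dict, password: str) -> bytes:
    key = derive_wrapping_key(password, blob["salt"])
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    # Verify the tag before decrypting: a wrong password must fail loudly, not yield garbage.
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong password or corrupted key blob")
    stream = _keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))


def change_password(blob: dict, old: str, new: str) -> dict:
    # Only the small wrapped-key blob is rewritten; data on disk stays under the same master key.
    return wrap(unwrap(blob, old), new)
```

The same reasoning applies to the hibernation image: if swap is encrypted under a key that the password unwraps at resume, changing the password does not invalidate a stored image.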