Re: [Tails-dev] Why does tails now have a swap partition

Supprimer ce message

Répondre à ce message
Auteur: David A. Wheeler
Date:  
À: Kenneth Morris
CC: The Tails public development discussion list
Sujet: Re: [Tails-dev] Why does tails now have a swap partition


> On 8/20/24 21:25, David A. Wheeler wrote:
>> Tails currently swaps to "zram". This is a swap device in *RAM*. It works by
>> compressing the memory before swapping it to zram. It's never written to
>> a permanent storage device, so there are no fundamental impacts;
> On Aug 25, 2024, at 2:10 AM, Kenneth Morris <patsy4612@???> wrote:
>
> ...
> I was and am concerned about swapping to disk like persistent storage since that is only part of tails is not in RAM if my understanding is correct.


To my knowledge, today everything in Tails is in RAM unless you *expressly*
mount it. If you mount the persistent storage, for example, then that's not in RAM.
You can also mount other drives (e.g., regular USB sticks); again
those aren't in RAM. You have to expressly mount storage, though; if you
don't specifically ask for storage access, it's all in RAM.


>> There's been discussion about swapping on a USB stick itself:
>
> Hopefully not onto the persistent storage partition?
> There have been instances where individuals have faced legal repercussions due to sensitive information being recovered from swap partitions. This has raised alarms about the potential for compromising confidential data, especially in environments where privacy is paramount.


The swap could go outside RAM without loss of confidentiality
*if* the swap on storage is properly encrypted. After all, the persistent storage
itself is stored, but encryption prevents its revelation. The same logic would apply.

This is not something Tails currently does; it's under discussion:
https://gitlab.tails.boum.org/tails/tails/-/issues/19442
Obviously this must be implemented *correctly*, so they're going slow.

If this ability were added, I suspect that you'd have to *enable* it
(it would not be on by default). Some people will worry about swapping
to storage no matter what safeguards are taken, *and* doing this
also risks significantly increased wear on the storage device
(risking loss of availability).

In addition, the swap to storage
would probably be encrypted using an ephemeral cryptographic key,
that is, a cryptographic that's only available in RAM
and is not readable by the normal user. When the computer turns off,
the swap would instantly become unreadable,
since the swap is encrypted and the key is never
persistently stored. That's not the *only* way to implement this, but if
it's ever implemented, that seems the most likely approach.
It's not clear that the swap would be *in* the persistent storage or
in its own partition.

--- David A. Wheeler