It occurred to me that sensitive data can be leaked to the swap, and the way SSDs store data makes that data difficult to erase. Creating a swap partition was encouraged back in the day (I don't know if Anaconda still warns you if you don't have a swap in the system). I don't bother having a swap partition in my beefy PC build because, from my experience, if your system craves swap you're screwed anyway and should do something about it. Granted, you still benefit from having a swap because dormant pages can be swapped out no matter how much memory you have.
The problem is that I use laptops now. Laptops don't come with a lot of memory, and I resort to swapon when I have to do some heavy stuff. Then it worries me: the swap is on an SSD. Once data is written to an SSD, it's really difficult to securely erase it.
I've got an idea: how about we borrow from how SSDs do ATA secure erase? How about a systemd service (or a subsystem, if you will) that sets up an encrypted swap for single use? Self-encrypting SSDs are given random AES keys when manufactured and use them to encrypt the blocks. When you send the ATA secure erase command, the SSD simply generates a new key and discards the old one, so the ciphertext still sitting in the flash is unreadable. This is how SSDs "lose" data without actually zeroing the whole thing. I think we can do the same thing with swap. Set up a new encrypted partition with dm-crypt on boot, using a randomly generated key (yes, we're risking low entropy at early boot here) that exists only in kernel memory. When the system goes down, just detach the dm mapping and poof! The key is gone and the data in the swap is lost forever.
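The setup described above, as an added example (this is not code from the original post): a plain, headerless dm-crypt mapping keyed from /dev/urandom, formatted as swap and activated, plus the teardown. The device path and mapper name are arguments, not values from the post; the check that the device is named by a stable /dev/disk/by-* path is my own addition, because with a random key there is no LUKS header to recognise and whatever device you point this at gets mkswap'ed every boot. DRY_RUN=1 prints the commands instead of running them, since the real thing needs root and a real block device.

```shell
#!/bin/sh
# Added example: single-use, randomly keyed dm-crypt swap.
# Usage (as root):  sh cryptswap.sh open /dev/disk/by-partuuid/<uuid> [name]
#                   sh cryptswap.sh close [name]
# DRY_RUN=1 prints each command on its own line instead of executing it.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# cryptswap_open DEVICE [NAME]
# Opens DEVICE as a plain (no header) dm-crypt mapping whose 512-bit
# AES-XTS key is read straight from /dev/urandom, so the key never
# exists anywhere but kernel memory; then formats and enables it as swap.
cryptswap_open() {
    dev="$1"; name="${2:-cryptswap}"
    # Safety check (my addition): refuse unstable names like /dev/sda2.
    case "$dev" in
        /dev/disk/by-*) ;;
        *) printf 'refusing %s: use a /dev/disk/by-partuuid or by-id path\n' "$dev" >&2
           return 1 ;;
    esac
    run cryptsetup open --type plain \
        --cipher aes-xts-plain64 --key-size 512 \
        --key-file /dev/urandom "$dev" "$name" || return 1
    run mkswap "/dev/mapper/$name" || return 1
    run swapon "/dev/mapper/$name"
}

# cryptswap_close [NAME]
# Disables the swap and tears down the mapping; the key goes with it.
cryptswap_close() {
    name="${1:-cryptswap}"
    run swapoff "/dev/mapper/$name" || return 1
    run cryptsetup close "$name"
}

case "${1:-}" in
    open)  cryptswap_open "$2" "${3:-cryptswap}" ;;
    close) cryptswap_close "${2:-cryptswap}" ;;
esac
```

Two caveats worth knowing before wiring this into boot. First, a swap keyed from /dev/urandom cannot be used for hibernation: the key that encrypted the hibernation image is gone by the time you power back on. Second, systemd already ships this behaviour: an /etc/crypttab line of the form `cryptswap /dev/disk/by-partuuid/<uuid> /dev/urandom swap,cipher=aes-xts-plain64,size=512` together with an /etc/fstab entry `/dev/mapper/cryptswap none swap defaults 0 0` is picked up by systemd-cryptsetup-generator, which creates the corresponding systemd-cryptsetup@cryptswap.service unit at boot; the `swap` option makes it run mkswap on the fresh mapping each time.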
You can't use SSDs if you're worried about security anyway. But using swap (which I think is still encouraged) inadvertently fools security-aware users. I mean, how many devs know how to mlock() their private keys, memset() them afterwards, and guarantee that the memset() is never optimised away? What about web browsers that don't provide such a mechanism at all?
Obviously, someone has already thought about this. But no one seems to have felt the need to organise it as a systemd service. Or I might have missed something. Please let me know before I go and make this service script and create a request ticket!