on standalone production boxes, for security and performance reasons, i typically encrypt swap partition, and mount /tmp on tmpfs. is there any reason *not* to do the same in a Xen DomU''s setup? Thanks. _______________________________________________ Xen-users mailing list Xen-users@lists.xensource.com http://lists.xensource.com/xen-users
Fajar A. Nugraha
2009-Jan-15 02:03 UTC
Re: [Xen-users] using encrypted swap & tmpfs in Xen DomUs ?
PGNet wrote:> on standalone production boxes, for security and performance reasons, > i typically encrypt swap partition, and mount /tmp on tmpfs. > > is there any reason *not* to do the same in a Xen DomU''s setup? > >Generally speaking best practices on standalone hosts should be apply on domU hosts. I am curious though, which reference points you that it''s good to encrypt swap while still having filesystem unencrypted? Regads, Fajar _______________________________________________ Xen-users mailing list Xen-users@lists.xensource.com http://lists.xensource.com/xen-users
On Wed, Jan 14, 2009 at 6:03 PM, Fajar A. Nugraha <fajar@fajar.net> wrote:> Generally speaking best practices on standalone hosts should be apply on > domU hosts.Sure, in general. But I''m looking for any Xen ''gotchas'', in partuclar, performance related issues due to ''communication & traffic'' between xen/hypervisor components. Tough to say specifically what I''m looking for, when I don''t know what I''m looking for ;-)> I am curious though, which reference points you that it''s good to > encrypt swap while still having filesystem unencrypted?Simply usage. Primarily, -- I need remote reboot capability ... iiuc, can''t do that if / is encrypted. -- Physical penetration is not an issue. -- My data & configs are all on attached/remote drives/servers that are encrypted, if/when required. Nothing''s on / that I care about anyway, so why take the performance hit? -- encrypted swap does provide some protection against buffer overflow attacks that don''t, necessarily, need to gain root (if they do, i''m hosed anyway), and dumping encrypted data in swap. _______________________________________________ Xen-users mailing list Xen-users@lists.xensource.com http://lists.xensource.com/xen-users
Fajar A. Nugraha
2009-Jan-15 08:36 UTC
Re: [Xen-users] using encrypted swap & tmpfs in Xen DomUs ?
On Thu, Jan 15, 2009 at 9:29 AM, PGNet <pgnet.trash+xen@gmail.com> wrote:> On Wed, Jan 14, 2009 at 6:03 PM, Fajar A. Nugraha <fajar@fajar.net> wrote: >> Generally speaking best practices on standalone hosts should be apply on >> domU hosts. > > Sure, in general. > > But I''m looking for any Xen ''gotchas'', in partuclar, performance > related issues due to ''communication & traffic'' between xen/hypervisor > components. >None that I know of. Encrypting a partition (including swap) should not add any additional I/O between dom0 and domU. The penalty would be on CPU, but if you can live with it on standalone boxes then it will be the same on domUs. Regards, Fajar _______________________________________________ Xen-users mailing list Xen-users@lists.xensource.com http://lists.xensource.com/xen-users