Some considerations when using confidential data on a Unix system. The general idea here is to make it a bit harder to expose the plain text of an encrypted data file you are editing. This page is primarily for system administrators and application programmers.

RAM Disk

  • This really means a file system held in volatile memory, not necessarily a ramdisk (block device) file system.
  • WP: tmpfs
    • Everything stored in tmpfs is temporary in the sense that no files will be created on the hard drive; however, swap space is used as backing store in case of low memory situations. On reboot, everything in tmpfs will be lost. The memory used by tmpfs grows and shrinks to accommodate the files it contains and can be swapped out to swap space.
  • Is there any value in encrypting a ramdisk?
  • /dev/shm exists on most systems and is type tmpfs.
  • Linux Ramdisk mini-HOWTO - tmpfs seems to be a better choice.
  • It is probably reasonable to purge files from a volatile file system after they reach a certain age, since they could be abandoned plain text. Maybe find -mtime +1.

Suggested Procedure

  • Verify /dev/shm
    • mount | grep /dev/shm should show that tmpfs is mounted on /dev/shm.
    • ls -ld /dev/shm should show permissions drwxrwxrwt. (Note the sticky bit.)
  • Create a working directory in /dev/shm for the user
    • mkdir /dev/shm/$LOGNAME
    • chmod 700 /dev/shm/$LOGNAME
  • It is a good idea to make sure your swap space is encrypted, since pages of tmpfs can be swapped out. Look for something like /dev/sda5 swap swap loop=/dev/loop0,encryption=AES128 in your /etc/fstab. Check the specifics for your particular Linux distribution, and remember this has implications for laptops that support suspend.
  • TODO: add a suggested script to purge old files.

Security Consideration

Using a volatile file system helps reduce many of the risks associated with editing sensitive data. It also creates a new one: a single, well-known area of your file system to search for sensitive data.

vim

  • .swp files
    • .filename.swp
    • can be disabled with -n on the command line or :set noswapfile
  • backup files
    • nowritebackup and nobackup
    • -c "set nowritebackup nobackup"
  • .viminfo files
    • VIM Manual
    • stores state (including command-line and search history, registers and marks) between editing sessions.
    • -i NONE disables use of the .viminfo file
  • TODO: check out bufhidden=wipe.
  • use RAM disk

Suggested Procedure

  • Call vim with -i NONE -n -c "set nowritebackup nobackup".
    • Verify with :set all during an editing session (look for noswapfile, nobackup, nowritebackup and viminfo=).

less

From the less man page:

When the environment variable LESSSECURE is set to 1, less runs in a "secure" mode. This means these features are disabled:

  • ! the shell command
  • | the pipe command
  • :e the examine command
  • v the editing command
  • s, -o log files
  • -k use of lesskey files
  • -t use of tags files
  • metacharacters in filenames, such as *
  • filename completion (TAB, ^L)

Less can also be compiled to be permanently in "secure" mode.

Suggested Procedure

  • Call less with LESSSECURE=1 in the environment.
    • Verify by testing the above commands while in less.
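The three suggested procedures above (RAM disk working directory, vim flags, LESSSECURE), put together as an added example script that is not part of the original page. WORK_ROOT, MAX_AGE_DAYS and the function names are assumptions; the per-user directory is $WORK_ROOT/$LOGNAME as in the RAM disk procedure.

```sh
#!/bin/sh
# Added example (not from the original page): wraps the three procedures
# above.  WORK_ROOT and MAX_AGE_DAYS are assumed names; the per-user
# directory is $WORK_ROOT/$LOGNAME as in the RAM disk procedure.
WORK_ROOT="${WORK_ROOT:-/dev/shm}"   # volatile file system to work in
MAX_AGE_DAYS="${MAX_AGE_DAYS:-1}"    # matches "find -mtime +1"

# Succeeds if $1 is a tmpfs mount point (the "mount | grep /dev/shm" check).
on_tmpfs() {
    mount | grep -q " on $1 type tmpfs "
}

# Create $1/$LOGNAME with mode 700 and print its path.  /dev/shm is
# world-writable, so refuse a pre-existing symlink or non-directory
# rather than chmod'ing whatever it points at.
make_workdir() {
    dir="$1/${LOGNAME:-$(id -un)}"
    if [ -e "$dir" ] || [ -L "$dir" ]; then
        [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    else
        mkdir "$dir" || return 1
    fi
    chmod 700 "$dir" || return 1
    printf '%s\n' "$dir"
}

# Delete regular files in $1 older than $2 days (default MAX_AGE_DAYS),
# i.e. abandoned plain text, and print how many were removed.
purge_stale() {
    dir="$1"
    days="${2:-$MAX_AGE_DAYS}"
    [ -d "$dir" ] || return 1
    find "$dir" -type f -mtime +"$days" -print -exec rm -f {} + | wc -l | tr -d ' '
}

# vim without swap, backup or viminfo files (flags from the vim section).
safe_vim() {
    vim -i NONE -n -c "set nowritebackup nobackup" "$@"
}

# less in "secure" mode (shell, pipe, log-file and other escapes disabled).
safe_less() {
    LESSSECURE=1 less "$@"
}
```

Source the file, check on_tmpfs "$WORK_ROOT" before doing anything else, then use make_workdir "$WORK_ROOT" for the working copy, purge_stale on that directory at the start of each session, and safe_vim or safe_less on the file.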

Other considerations

  • abandoned open files
  • signal handling
  • Many of these situations are helped by a RAM disk and per-user directories.
  • encrypted swap
  • FDE
  • encrypted folders