Swap and .eli
-
Hello fellow pfSense community members,
I wanted to ask if anyone has seen .eli enabled by default to protect from memory leaks inside fstab? I learned you can enable this and it runs AES on boot-up so the swap is protected. Again, it seems like a good item to have on by default for swap partitions. What are your thoughts?
-
This is how it is enabled. Has anyone else used .eli inside pfSense before?
-
As I understand it, that sets up the SWAP as encrypted, which seems unnecessary. It is also likely to make it significantly slower, with a higher CPU overhead.
-
If you go over to FreeBSD forums there have been a bunch of discussions about this.
What happens is swap is encrypted with a one-time key, so if the device is rebooted, anything that was written is useless.
Also for a bad actor to get to your swap space, they've already compromised your firewall device.
Toss in the performance aspect and I think it's not useful on a pfSense device. That's just my opinion.
Where I think it may be useful is on laptops being used as a general use system, that travel and hibernate and may get stolen.
-
@mer It's on an external drive, so if someone grabs it and takes it, my credit card etc. is not on the drive, as it's encrypted and non-readable. Again, it's not internally stored; the FreeBSD forum recommendation was to use Eli for external USB swaps, as they can be grabbed and walked off with.
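
As an added example (not part of the thread), a small shell check that lists the swap entries in a FreeBSD-style fstab and flags any whose device name lacks the .eli suffix discussed above. The sample fstab and its device names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report which swap entries in a
# FreeBSD-style fstab use a geli one-time-key provider (device ends in .eli).

# audit_swap FSTAB
# Prints "encrypted <device>" or "plaintext <device>" for each swap entry.
# Returns 0 when every swap entry is encrypted (or there are none), else 1.
audit_swap() {
    awk '
        $1 ~ /^#/ || NF < 3 { next }            # comments, blank/short lines
        $3 != "swap"        { next }            # field 3 is the filesystem type
        $1 ~ /\.eli$/       { print "encrypted " $1; next }
                            { print "plaintext " $1; bad = 1 }
        END                 { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample fstab; the device names are assumptions for illustration.
sample_fstab() {
    cat <<'EOF'
# Device        Mountpoint  FStype  Options  Dump  Pass#
/dev/ada0p2     /           ufs     rw       1     1
/dev/ada0p3.eli none        swap    sw       0     0
/dev/da0p1      none        swap    sw       0     0
EOF
}

# Run the audit over the constructed sample.
demo() {
    tmp=$(mktemp) || return 1
    sample_fstab > "$tmp"
    audit_swap "$tmp" || echo "at least one swap entry is not encrypted"
    rm -f "$tmp"
}

demo
```

On a real system, pass `/etc/fstab` to `audit_swap`; a non-zero exit status means at least one swap device would hold its pages in plaintext.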