Tails documentation comments that swap may be the biggest threat to anti-forensics on Linux when running in a VM:
https://tails.boum.org/doc/advanced_topics/virtualization/index.en.html#security
Choices for dealing with swap:
Linux does use swapping despite having apparent “free” memory. The kernel tends to swap out long-inactive and memory -consuming processes. This frees up RAM for caches, thus improves responsiveness.
vm.swappiness = 0 does not completely prevent swapping.
Turning off for the whole system is not recommended because hitting the hard limit might cause a system crash. However it may be worth it for some usecases. It can be done by running sudo swapoff -a and rebooting.
An alternative libvirt only solution is to set guest memory pages to being locked:
<memoryBacking><locked/></memoryBacking>
When set and supported by the hypervisor, memory pages belonging to the domain will be locked in host’s memory and the host will not be allowed to swap them out, which might be required for some workloads such as real-time. For QEMU/KVM guests, the memory used by the QEMU process itself will be locked too: unlike guest memory, this is an amount libvirt has no way of figuring out in advance, so it has to remove the limit on locked memory altogether. Thus, enabling this option opens up to a potential security risk: the host will be unable to reclaim the locked memory back from the guest when it’s running out of memory, which means a malicious guest allocating large amounts of locked memory could cause a denial-of-service attack on the host. Because of this, using this option is discouraged unless your workload demands it; even then, it’s highly recommended to set a
hard_limit
(see memory tuning) on memory allocation suitable for the specific environment at the same time to mitigate the risks described above.
Which of these techniques should be recommended on the wiki?
Offtopic:
Should we recommend users run the live package on the GW too? I imagine there shouldn’t be any practical dangers after a guard node is set. However things like cached DNS requests or whatever else should be gone safely.