
10.7: Disable Secure Virtual Memory
At least on MacBooks, Secure (encrypted) Virtual Memory is enabled by default. The option to disable it has been removed from the Security & Privacy General preference panel. To check whether it is enabled, run the following command in Terminal:
$ sysctl vm.swapusage
vm.swapusage: total = 64.00M  used = 0.00M  free = 64.00M  (encrypted)
To disable it from Terminal on previous OS X versions, one could issue the command:
$ sudo defaults write /Library/Preferences/com.apple.virtualMemory UseEncryptedSwap -boolean no
But that doesn't work anymore. It seems that 'UseEncryptedSwap' has been replaced with 'DisableEncryptedSwap'. So to disable Secure Virtual Memory in Lion, one should issue the command:
$ sudo defaults write /Library/Preferences/com.apple.virtualMemory DisableEncryptedSwap -boolean yes
And then reboot. Checking the secure virtual memory status again, one gets:
$ sysctl vm.swapusage
vm.swapusage: total = 64.00M  used = 0.00M  free = 64.00M 
This means the encryption is gone.

To re-enable it, run the command:
$ sudo defaults write /Library/Preferences/com.apple.virtualMemory DisableEncryptedSwap -boolean no
And then reboot.

The advantage should be just slightly less overhead on the page-in and page-out process. Personally I disabled it because I am having massive page outs just running Safari, and I want to test if the situation improves. Maybe disabling the secure memory bypasses some bugs. Still, it is here for reference.

[crarko adds: It is just here for reference. I expect 99.9+% of people should leave encrypted VM active. Otherwise things such as your passwords can be found in plain text by searching the swap file(s).]
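Added example, not part of the original hint: a shell audit that compares the live state reported by sysctl vm.swapusage with the DisableEncryptedSwap preference, so a setting that only takes effect after the next reboot is flagged too. The function names and verdict strings are made up for this example, and it assumes the sysctl output format shown in the hint.

```shell
#!/bin/sh
# Added example: audit encrypted-swap state from the two sources the hint uses.
# Function names and verdict strings are hypothetical, chosen for this example.

PLIST=/Library/Preferences/com.apple.virtualMemory

# live_state LINE -> encrypted | unencrypted | unknown
# LINE is the output of `sysctl vm.swapusage`; per the hint, the running
# system appends "(encrypted)" when secure virtual memory is active.
live_state() {
    case "$1" in
        vm.swapusage:*"(encrypted)"*) echo encrypted ;;
        vm.swapusage:*total*)         echo unencrypted ;;
        *)                            echo unknown ;;
    esac
}

# swap_verdict LINE PREF -> one-word verdict
# PREF is the DisableEncryptedSwap value as printed by `defaults read`
# (1 or 0), or "absent" when the key is not set (assumed: default, encrypted).
swap_verdict() {
    live=$(live_state "$1")
    case "$2" in
        1|yes|YES|true) disabled=1 ;;
        *)              disabled=0 ;;
    esac
    case "$live:$disabled" in
        encrypted:0)   echo ok ;;
        encrypted:1)   echo unencrypted-after-reboot ;;  # preference changed, reboot pending
        unencrypted:1) echo unencrypted ;;
        unencrypted:0) echo encrypted-after-reboot ;;    # re-enabled, reboot pending
        *)             echo unknown ;;
    esac
}

# Query the live system only on macOS; elsewhere the functions can still
# be exercised with captured output.
if [ "$(uname -s)" = "Darwin" ]; then
    line=$(sysctl vm.swapusage)
    pref=$(defaults read "$PLIST" DisableEncryptedSwap 2>/dev/null || echo absent)
    echo "swap encryption: $(swap_verdict "$line" "$pref")"
fi
```

Any verdict other than ok means swapped-out memory is, or after the next reboot will be, written to disk in the clear.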

10.7: Disable Secure Virtual Memory
Authored by: transeau on Sep 21, '11 09:55:15AM

At $45 for 8GB of DDR3-1333 SO-DIMM, I'm not sure it's worth doing this.



10.7: Disable Secure Virtual Memory
Authored by: Anonymous on Sep 21, '11 12:52:14PM

Seconded. If your OS is paging out, it needs more memory, not less security.



10.7: Disable Secure Virtual Memory
Authored by: dezzie on Sep 22, '11 01:30:31AM

On the other hand, if you have FileVault 2 enabled, is there any point encrypting the virtual memory?



10.7: Disable Secure Virtual Memory
Authored by: matsw on Sep 22, '11 12:03:14AM

Some people have 64 bit machines that are limited to 3GB RAM because of the chipset they use. Thanks Intel.



10.7: Disable Secure Virtual Memory
Authored by: Michelasso on Sep 22, '11 05:48:36AM

That indeed. Stuck with 3GB RAM ceiling. And Lion isn't helping either.



10.7: Disable Secure Virtual Memory
Authored by: Arakageeta on Sep 21, '11 07:57:19PM

This is a terrible idea. Let's just run the command "strings" on your swap space and see what we find. So many programs will store sensitive information (like passwords) in memory in the clear. Watch out if that memory gets swapped to disk and is unencrypted. The attack doesn't even require a user account. You can just remove a hard drive from a system, plug it in another, and do the same thing.



10.7: Disable Secure Virtual Memory
Authored by: Michelasso on Sep 26, '11 02:48:06AM

It is useful for reference. If one ever wonders whether the secure virtual memory is enabled, here is the command to check it and, if needed, to re-enable it.

Some people like to dig into the insides of the OS. With this one can check if the virtual memory in the clear really shows the passwords. It is good for research. Why does everything have to be a "bad idea"? There is no good or bad, it's just a piece of technical information.


