Can macOS's ramdisk be swapped to disk by the operating system?

I want to create a secret provisioning system that on deployment decrypts secrets on the target machine and puts them in RAM. They should be accessible as files so that services on the same machine can open them.

On Linux there is a file-system called ramfs that will never be swapped out to disk. On macOS there seems to be only a ramdisk. Does this ramdisk get swapped to the disk by the operating system (which would put the secret data on disk)?


Solution 1:

Since macOS High Sierra 10.13.x the virtual memory "swapfile(s)" have been encrypted even if FileVault2 disk encryption is off. Obviously, I would test that theory and review any CVE reports and validate it.

https://support.apple.com/guide/mac-help/what-is-secure-virtual-memory-on-mac-mh11852/mac

You might be scratching your left ear with your right hand roundabout the hard way. Consider creating an additional keychain and using that instead. It's far more secure and this is precisely what keychains are designed to accomplish. They secure secrets.

Developer API Docs: https://developer.apple.com/documentation/security

Command line (scripting): man security
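As an added example (not code from the answer above or from Apple), the script below does the two things this answer suggests: it checks whether the machine reports its swap as encrypted by parsing `sysctl vm.swapusage`, and it provisions a secret into a dedicated keychain with the `security` tool instead of a file on a RAM disk. The keychain path, account and service names are placeholders chosen for the example, and the sample `vm.swapusage` lines are constructed so the parser also runs on systems without that sysctl.

```shell
#!/bin/sh
# Added example, not from the thread: (1) check whether this Mac reports its swap
# as encrypted, and (2) store a secret in a dedicated keychain instead of a RAM disk.
# KEYCHAIN, ACCOUNT and SERVICE are assumed placeholder names.

# swap_encrypted LINE: prints "yes" if a `sysctl vm.swapusage` line carries "(encrypted)".
swap_encrypted() {
    case "$1" in
        *"(encrypted)"*) echo yes ;;
        *)               echo no  ;;
    esac
}

# Constructed sample lines in the format macOS prints (sizes are made up).
SAMPLE_ENCRYPTED='vm.swapusage: total = 2048.00M  used = 512.00M  free = 1536.00M  (encrypted)'
SAMPLE_PLAIN='vm.swapusage: total = 2048.00M  used = 512.00M  free = 1536.00M'

# check_swap: reads the live value on macOS; elsewhere (e.g. Linux, which has no
# vm.swapusage) falls back to the constructed sample so the script still runs.
check_swap() {
    line=$(sysctl vm.swapusage 2>/dev/null) || line=$SAMPLE_ENCRYPTED
    swap_encrypted "$line"
}

# Placeholders for the keychain part (assumed names, not from the thread).
KEYCHAIN="${KEYCHAIN:-$HOME/Library/Keychains/provisioning.keychain-db}"
ACCOUNT="deploy"
SERVICE="example-db-password"

# provision_secret SECRET KEYCHAIN_PASSWORD: creates the keychain if missing, makes it
# lock again after 5 idle minutes, unlocks it, and stores the secret as a generic
# password (-U replaces an existing item). Needs macOS; `security` exists nowhere else.
provision_secret() {
    secret=$1; kc_pass=$2
    [ -f "$KEYCHAIN" ] || security create-keychain -p "$kc_pass" "$KEYCHAIN"
    security set-keychain-settings -u -t 300 "$KEYCHAIN"
    security unlock-keychain -p "$kc_pass" "$KEYCHAIN"
    security add-generic-password -U -a "$ACCOUNT" -s "$SERVICE" -w "$secret" "$KEYCHAIN"
}

# read_secret: a consuming service fetches the secret on demand (-w prints only the
# password) instead of reading it from a file.
read_secret() {
    security find-generic-password -a "$ACCOUNT" -s "$SERVICE" -w "$KEYCHAIN"
}

# Stand-alone run: only the swap check, which works on any POSIX system.
echo "swap reported as encrypted: $(check_swap)"
```

Run it as-is to see the swap status; on a Mac call `provision_secret "$SECRET" "$KEYCHAIN_PASSWORD"` once at deployment and have services call `read_secret`. Note that `-w` passes the secret on the command line, where it is briefly visible in the process list, so on a shared host prefer an interactive prompt or a tighter provisioning step; and the keychain still needs its own password or an unlock at boot, which is the trade-off for keeping the secret out of a plain file.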

Solution 2:

Yes, RAM disks created by hdiutil are in ordinary, swappable memory. You might find another way to lock the memory, but Apple's tools do not support creating a RAM disk with wired memory. I found some documentation saying hdiutil might support it in a roundabout way, but I tested it and found that in Catalina 10.5.6 the kernel will not allow it.

If you are worried about a secret in memory being written out to disk via swap, you are going to have to find another way.