DSL Tips and Tricks :: How to encrypt swap on dsl



EDIT:  Thought I'd preface this with a brief explanation since not everybody might be aware of why anyone would want to encrypt swap.

When using encryption of any kind - 3des, bcrypt, whatever - it's not always easy to know whether or not any sensitive plaintext data has been swapped out and written to your swap partition.  Many programs "leak" sensitive information in this way.  Any apps you're running may also swap out sensitive data, or portions of it.

This data can sometimes be recovered from your swap partition, sometimes surprising amounts of it.  Even if it's been overwritten.

Hence, when using encryption programs, it's best to either disable swap altogether, or, if that is not an option, encrypt swap itself on the fly so that any attacker only finds gobbledegook in the swap partition.

It's easy to do this very securely on dsl with the loopaes v3.x extension, and with minimal performance penalties.

Run my script below to set this up if you can't be bothered with details.

=================================

1. Load loopaes-3.1d-2.4.26knpx_x86.dsl (or equivalent for other kernel),  and run "Update_loopAES" from the fluxbox menu.

2. Suppose /dev/loop6 is free and your swap device is /dev/hda4

Do in a root shell:

# swapoff

# sed -i '/hda4/ d' /etc/fstab     (delete the old swap line from /etc/fstab)

# echo ' /dev/hda4   none   swap   sw,loop=/dev/loop6,encryption=AES128   0   0' >>/etc/fstab

# dd if=/dev/zero of=/dev/hda4 bs=64k conv=notrunc

# mkswap /dev/hda4

# swapon

That's it.

Swap is now securely encrypted with aes128 using a random one-time key.  Every time you do this, a different random key will be used.

Type losetup -a to see info about the encrypted loop setup.

(Actually if the updated loopaes v3.x loop driver and utils were included in the dsl base, I think it might be easy to add a boot option to encrypt swap this way.  Running swapon -a will automatically run mkswap, and swapoff -a will pull down the loop device.  So start up and shutdown scripts don't need to be changed.)

Here's a quick script to automate this.

If you already have enabled swap partitions, it will find and encrypt those. If you don't, it will prompt for you to select partitions (one at a time), then make encrypted swap out of your selections.

Borrowed bits from tripl, might integrate this into that.

Note: only briefly tested.  Use AYOR.

================================================

Code Sample
#!/bin/bash

# encrypt_swap.sh v0.2 by wdef
# Sets up encrypted swaps

# Find the lowest unused /dev/loopN (N < MAXLOOPS) and put its number in NEXTLP.
# Returns 1 if every loop device is taken.
# Relies on "losetup -a" listing loops in ascending order with single-digit numbers.
loopfree(){
    A=$(losetup -a | cut -b 10)

    if [ -z "$A" ]; then
        NEXTLP=0
        return 0
    fi
    Y=0
    for i in $A; do
        if [ $i -eq $Y ]; then
            (( Y = i + 1 ))
            continue
        else
            NEXTLP=$Y
            return 0
        fi
    done
    if [ $Y -eq $MAXLOOPS ]; then
        return 1
    else
        NEXTLP=$Y
        return 0
    fi
}

#===================================================

WIPESWAP=yes  # first overwrite swaps to wipe clean
# WIPESWAP=no # in a hurry
MAXLOOPS=8

if [ $EUID -ne 0 ]; then echo "You're not root."; exit 1; fi

# Currently active swap devices, taken from /proc/swaps
SWPS=$(awk '/^\/dev\//{print $1}' /proc/swaps)

# Swap already running through a loop device means this has been done before
if echo $SWPS | grep -q '/dev/loop'; then
    echo "Looks like swap is encrypted already. Exiting .."
    exit 0
fi

if [ -z "$SWPS" ]; then
    echo "No swap devices found."
    echo
    echo "You have the following partitions:"
    PARTITIONS="$(fdisk -l)"
    echo "================================================"
    echo "$PARTITIONS"
    echo "================================================"
    echo
    SWPS=""
    while true; do
        echo -n "Enter partition to use as encrypted swap device (CNTRL-C = quit): "
        read
        if [ $(echo "${REPLY}" | wc -w) -gt 1 ]; then
            echo "Please enter only one device at a time."; continue
        fi
        if [ ! -b "${REPLY}" ]; then
            echo "${REPLY} is not a valid block device."; continue
        fi
        if ! echo $PARTITIONS | grep -q ${REPLY}; then
            echo "${REPLY} is not a partition."; continue
        fi
        SWPS="${SWPS} ${REPLY}"
        echo "You have entered device(s): ${SWPS}"
        echo -n "Select more devices? (y/N) "
        read RP
        case $RP in
            y*|Y*) continue;;
            *) break;;      # anything else, including just Enter, means N
        esac
    done
    echo
    echo "WARNING: Continuing will destroy data on ${SWPS} !"
    echo "~~~~~~~"
    while true; do
        echo -n "Last chance to exit. Are you sure you want to proceed? (YeS/n) "
        read
        case $REPLY in
            YeS) break;;
            n|N|n*|N*) exit 0;;
            y|y*|Y|Yes|YE*) echo "You must type YeS to proceed.";;
            *) echo "Invalid response.";;
        esac
    done
else
    NSWP=$(echo $SWPS | wc -w)
    NUMSWP=${NSWP##*[ ]}   # strip any leading padding from the wc output
    echo "Encrypting $NUMSWP found swap device(s):"
    echo "${SWPS}"
fi

# Drop every existing swap line (any line mentioning "swap") from /etc/fstab
sed -i '/swap/ d' /etc/fstab

for S in ${SWPS}; do
    if ! loopfree; then echo "Error: no free loops. Exiting ..."; exit 1; fi
    # NUMSWP is only set when the swaps were found active, so only then swapoff them
    [ -n "$NUMSWP" ] && swapoff ${S}
    echo "Enabling encrypted swap on ${S} .."
    # Overwrite the partition so no old plaintext swap pages are left behind
    [ $WIPESWAP = yes ] && dd if=/dev/zero of=${S} bs=64k conv=notrunc &>/dev/null
    # loop-AES: "swapon -a" sets up the encrypted loop with a random key and runs mkswap itself
    echo "${S}    none   swap   sw,loop=/dev/loop$NEXTLP,encryption=AES128   0   0" >>/etc/fstab
    swapon -a
done
rm -rf /var/log/ksymoops  # not needed for dsl
echo "Finished."

exit 0
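As an added example (not wdef's script, and not anything shipped with loop-AES or DSL), the POSIX sh helpers below do the two checks the procedure above depends on, but as pure functions over text so they can be run against captured files: check_swap_encryption reads /proc/swaps and /etc/fstab text and reports every active swap that is not routed through a loop with an "encryption=" option in fstab (the state the post's grep for /dev/loop is testing for), and next_free_loop picks the lowest free loop from "losetup -a" output without assuming single-digit numbers or sorted output, which generalizes the script's loopfree. The sample /proc/swaps, fstab and losetup output are constructed for the example; the losetup line format is an assumption.

```shell
#!/bin/sh
# Added example: audit helpers for encrypted swap. Not part of wdef's script.
# All sample data below is constructed, not captured from a real system.

# next_free_loop LOSETUP_OUTPUT MAXLOOPS
# Prints the lowest loop number below MAXLOOPS that does not appear in the
# "losetup -a" text (assumed format "/dev/loopN: ..."); returns 1 if none is free.
next_free_loop() {
    used=$(printf '%s\n' "$1" | sed -n 's|^/dev/loop\([0-9][0-9]*\):.*|\1|p')
    max=$2
    i=0
    while [ "$i" -lt "$max" ]; do
        if ! printf '%s\n' "$used" | grep -qx "$i"; then
            echo "$i"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# check_swap_encryption PROC_SWAPS_TEXT FSTAB_TEXT
# Prints "<device> encrypted" or "<device> PLAINTEXT" for each active swap.
# A swap counts as encrypted only if it is a loop device AND fstab maps a
# partition onto that loop with an "encryption=" option (loop-AES style).
# Returns 0 when every active swap is encrypted, 1 otherwise.
check_swap_encryption() {
    swaps=$1
    fstab=$2
    rc=0
    # column 1 of /proc/swaps is the device; line 1 is the header
    for dev in $(printf '%s\n' "$swaps" | awk 'NR > 1 && $1 ~ /^\/dev\// { print $1 }'); do
        if printf '%s\n' "$fstab" | awk -v l="$dev" '
            /^[ \t]*#/ { next }                 # skip comment lines
            $3 == "swap" {
                n = split($4, o, ",")           # mount options are comma separated
                hasloop = 0; hasenc = 0
                for (i = 1; i <= n; i++) {
                    if (o[i] == ("loop=" l)) hasloop = 1
                    if (o[i] ~ /^encryption=/) hasenc = 1
                }
                if (hasloop && hasenc) found = 1
            }
            END { exit !found }'
        then
            echo "$dev encrypted"
        else
            echo "$dev PLAINTEXT"
            rc=1
        fi
    done
    return $rc
}

# ---- constructed sample data ----
SAMPLE_LOSETUP='/dev/loop0: [0301]:12 (/KNOPPIX/KNOPPIX)
/dev/loop1: [0301]:13 (/tmp/image.img)
/dev/loop6: [0000]:0 (/dev/hda4) encryption=AES128'

SAMPLE_PROC_SWAPS='Filename        Type        Size    Used    Priority
/dev/loop6      partition   262136  0       -1
/dev/hda3       partition   131064  0       -2'

SAMPLE_FSTAB='# constructed /etc/fstab
/dev/hda1   /      ext2   defaults                               0 1
/dev/hda4   none   swap   sw,loop=/dev/loop6,encryption=AES128   0 0
/dev/hda3   none   swap   sw                                     0 0'

# Usage: loop2 is the first free loop; /dev/hda3 is reported as PLAINTEXT
# and the audit exits non-zero because of it.
echo "next free loop: /dev/loop$(next_free_loop "$SAMPLE_LOSETUP" 8)"
check_swap_encryption "$SAMPLE_PROC_SWAPS" "$SAMPLE_FSTAB" || echo "WARNING: unencrypted swap is active"
```

On a live box the same functions take `"$(cat /proc/swaps)"`, `"$(cat /etc/fstab)"` and `"$(losetup -a)"` as arguments; a non-zero exit from check_swap_encryption is the cue that the fstab rewrite or the swapon step did not take effect on one of the partitions.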

Have an improved version of this, which I will put into the little tripl script, despite the fact that I don't get any help testing that on this forum (you sods, boo-hoo!)

But don't think you're especially snobby, the linux-crypto people also yawned at it - I don't think they trust OPS ("other people's scripts").  Must be emailing your password in the background to the Mafia, NSA, KGB, Martians, whatever.

I've got a more ambitious script that makes split-batch encrypted isos for archiving large amounts of data onto an optimized number of loopaes-mountable dvds/cds (runs on dsl), and can decrypt and mount a reassembled view of the lot via unionfs.

I remember nobody bothered much with dsl2unc for some time either, and for a while I wondered if I should have bothered posting.

Quote
I remember nobody bothered much with dsl2unc for some time either

I know this is not the post, but I noticed running dsl2unc on dsl-dpkg.dsl stopped it from working. I got around it by recreating the directories, using "touch placeholder" in the empty (but required) directory and adding this to the file list.

Maybe this could be a "feature" of dsl2unc?

Yes it's not really the right thread is it.

I'll check out the placeholder thing within a day or so, provided someone tests my tripl script!
