How to encrypt swap on dsl
Forum: DSL Tips and Tricks
Topic: How to encrypt swap on dsl
started by: WDef
Posted by WDef on June 29 2007,13:11
EDIT: Thought I'd preface this with a brief explanation since not everybody might be aware of why anyone would want to encrypt swap.
When using encryption of any kind - 3des, bcrypt, whatever - it's not always easy to know whether or not any sensitive plaintext data has been swapped out and written to your swap partition. Many programs "leak" sensitive information in this way. Any apps you're running may also swap out sensitive data, or portions of it.
This data can sometimes be recovered from your swap partition, sometimes surprising amounts of it. Even if it's been overwritten.
Hence, when using encryption programs, it's best to either disable swap altogether, or, if that is not an option, encrypt swap itself on the fly so that any attacker only finds gobbledegook in the swap partition.
It's easy to do this very securely on dsl with the loopaes v3.x extension, and with minimal performance penalties.
Run my script below to set this up if you can't be bothered with details.
1. Load loopaes-3.1d-2.4.26knpx_x86.dsl (or equivalent for other kernel), and run "Update_loopAES" from the fluxbox menu.
2. Suppose /dev/loop6 is free and your swap device is /dev/hda4.
Do in a root shell:
# sed -i '/hda4/ d' /etc/fstab    # delete the old swap line from /etc/fstab
# echo ' /dev/hda4 none swap sw,loop=/dev/loop6,encryption=AES128 0 0' >>/etc/fstab
# dd if=/dev/zero of=/dev/hda4 bs=64k conv=notrunc
# mkswap /dev/hda4
Swap is now securely encrypted with aes128 using a random one-time key. Every time you do this, a different random key will be used.
Type losetup -a to see info about the encrypted loop setup.
(Actually if the updated loopaes v3.x loop driver and utils were included in the dsl base, I think it might be easy to add a boot option to encrypt swap this way. Running swapon -a will automatically run mkswap, and swapoff -a will pull down the loop device. So start up and shutdown scripts don't need to be changed.)
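The fstab rewrite and re-initialisation steps above, collected into a small script as an added example (this is not WDef's script from this thread, and not part of loop-AES). Assumptions not in the post: loop devices are assigned upwards from /dev/loop6, the fstab path can be overridden with FSTAB so it can be rehearsed on a copy, and the destructive dd/mkswap step only runs when APPLY=1. The sample fstab in the demo is constructed.

```shell
#!/bin/sh
# Added example: turn every plain swap partition listed in an fstab into a
# loop-AES encrypted swap with a random one-time key (AES128), following the
# manual steps from the thread. Assumptions (not from the thread): loop numbers
# start at FIRST_LOOP (default 6), FSTAB may point at a copy for a dry run, and
# dd/mkswap are only executed when APPLY=1.

FSTAB="${FSTAB:-/etc/fstab}"
FIRST_LOOP="${FIRST_LOOP:-6}"

# Print the device of every swap entry in fstab $1 that is not yet encrypted.
plain_swap_devices() {
    awk '$1 !~ /^#/ && $3 == "swap" && $4 !~ /encryption=/ { print $1 }' "$1"
}

# In fstab $1, drop the plain swap line(s) for device $2 and append a loop-AES
# line bound to /dev/loop$3 (mirrors the sed + echo steps above, but matches
# only on the device field so comments mentioning the device survive).
encrypt_fstab_entry() {
    fstab=$1 dev=$2 loopnum=$3
    sed -i "\|^[[:space:]]*$dev[[:space:]]|d" "$fstab"
    echo "$dev none swap sw,loop=/dev/loop$loopnum,encryption=AES128 0 0" >> "$fstab"
}

# Zero the partition and write a fresh swap header, as in the thread. dd exits
# non-zero when it reaches the end of the device, so that status is ignored.
# Without APPLY=1 this only reports what it would do.
prepare_swap_device() {
    dev=$1
    if [ "${APPLY:-0}" = "1" ]; then
        dd if=/dev/zero of="$dev" bs=64k conv=notrunc || true
        mkswap "$dev"
    else
        echo "dry run: would zero $dev and run mkswap (set APPLY=1 to do it)" >&2
    fi
}

# Rewrite every plain swap entry in fstab $1; prints each converted device.
encrypt_all_swap() {
    fstab=$1 loopnum=$FIRST_LOOP
    for dev in $(plain_swap_devices "$fstab"); do
        encrypt_fstab_entry "$fstab" "$dev" "$loopnum"
        echo "$dev"
        loopnum=$((loopnum + 1))
    done
}

# Demo on a constructed fstab copy: two plain swap partitions, one root fs.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample fstab (not a real system)
/dev/hda1  /      ext3  defaults  0 0
/dev/hda4  none   swap  sw        0 0
/dev/hdb2  none   swap  sw        0 0
proc       /proc  proc  defaults  0 0
EOF
encrypt_all_swap "$SAMPLE" | while read -r dev; do prepare_swap_device "$dev"; done
cat "$SAMPLE"
rm -f "$SAMPLE"
```

Run it once with FSTAB pointing at a copy of /etc/fstab to see the rewritten entries, then as root with APPLY=1 against the real file; after that, swapon -a brings the encrypted loop up and losetup -a shows it, as the post describes.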
Posted by WDef on June 29 2007,19:09
Here's a quick script to automate this.
If you already have enabled swap partitions, it will find and encrypt those. If you don't, it will prompt for you to select partitions (one at a time), then make encrypted swap out of your selections.
Borrowed bits from tripl, might integrate this into that.
Note: only briefly tested. Use AYOR.
Posted by WDef on July 08 2007,19:45
Have an improved version of this, which I will put into the little tripl script, despite the fact that I don't get any help testing that on this forum (you sods, boo-hoo!)
But don't think you're especially snobby, the linux-crypto people also yawned at it - I don't think they trust OPS ("other people's scripts"). Must be emailing your password in the background to the Mafia, NSA, KGB, Martians, whatever.
I've got a more ambitious script that makes split-batch encrypted isos for archiving large amounts of data onto an optimized number of loopaes-mountable dvds/cds (runs on dsl), and can decrypt and mount a reassembled view of the lot via unionfs.
I remember nobody bothered much with dsl2unc for some time either, and for a while I wondered if I should have bothered posting.
Posted by Juanito on July 09 2007,03:45
I know this is not the post, but I noticed running dsl2unc on dsl-dpkg.dsl stopped it from working. I got around it by recreating the directories, using "touch placeholder" in the empty (but required) directory and adding this to the file list.
Maybe this could be a "feature" of dsl2unc?
Posted by WDef on July 09 2007,11:05
Yes it's not really the right thread, is it.
I'll check out the placeholder thing within a day or so, provided someone tests my tripl script!
Posted by curaga on July 09 2007,11:46
That's blackmail :|
Posted by WDef on July 09 2007,22:37
Keep your shirt on Curaga, I'm only kidding. I like getting feedback on dsl2unc, bugs etc.
Since like other people I also like getting feedback on my other scripts (even if it's 'that sucks'), is it that much to ask that one or two members of the community help me test one of those, not to mention the loopaes modules that it uses? One of the community offered to do so and hasn't.
I mean it might take 5 minutes.
Posted by curaga on July 10 2007,07:54
That's how open source works. Suggest you read "how to become a hacker".
People do what they are interested in, that's how we get the most out of everyone.
If no-one except you is interested in that currently, then you will have to test by yourself.
Side note: I use loop-aes 3.2 on my distro, but only for sensitive info, no need for swap encrypting.
As I already have something that works, I don't have interest in testing similar things again on some other distro. Just explaining why I don't test this.
Posted by WDef on July 11 2007,12:31
I know how it works :|
I was asking for a favor in the interests of any who might use those extensions. That's also how it works. Perhaps I should recommend some reading for you... something about flaming perhaps.
Forget it. And let's remember in future that me responding to anything at all on this forum is also my prerogative, according to "what I am interested in", and that's a promise, not blackmail.