Search Members Help

» Welcome Guest
[ Log In :: Register ]

Mini-ITX Boards Sale, Fanless BareBones Mini-ITX, Bootable 1G DSL USBs, 533MHz Fanless PC <-- SALE $200 each!
Get The Official Damn Small Linux Book. DSL Market , Great VPS hosting provided by Tektonic
Pages: (2) </ [1] 2 >/

[ Track this topic :: Email this topic :: Print this topic ]

reply to topic new topic new poll
Topic: How to encrypt swap on dsl, This is an easy one< Next Oldest | Next Newest >
WDef Offline





Group: Members
Posts: 798
Joined: Sep. 2005
Posted: June 29 2007,13:11 QUOTE

EDIT:  Thought I'd preface this with a brief explanation since not everybody might be aware of why anyone would want to encrypt swap.

When using encryption of any kind - 3des, bcrypt, whatever - it's not always easy to know whether or not any sensitive plaintext data has been swapped out and written to your swap partition.  Many programs "leak" sensitive information in this way.  Any apps you're running may also swap out sensitive data, or portions of it.

This data can sometimes be recovered from your swap partition, sometimes surprising amounts of it.  Even if it's been overwritten.

Hence, when using encryption programs, it's best to either disable swap altogether, or, if that is not an option, encrypt swap itself on the fly so that any attacker only finds gobbledegook in the swap partition.

It's easy to do this very securely on dsl with the loopaes v3.x extension, and with minimal performance penalties.

Run my script below to set this up if you can't be bothered with details.

=================================

1. Load loopaes-3.1d-2.4.26knpx_x86.dsl (or equivalent for other kernel),  and run "Update_loopAES" from the fluxbox menu.

2. Suppose /dev/loop6 is free and your swap device is /dev/hda4

Do in a root shell:

# swapoff

# sed -i '/hda4/ d' /etc/fstab     (delete the old swap line from /etc/fstab)

# echo ' /dev/hda4   none   swap   sw,loop=/dev/loop6,encryption=AES128   0   0' >>/etc/fstab

# dd if=/dev/zero of=/dev/hda4 bs=64k conv=notrunc

# mkswap /dev/hda4

# swapon

That's it.

Swap is now securely encrypted with aes128 using a random one-time key.  Every time you do this, a different random key will be used.

Type losetup -a to see info about the encrypted loop setup.

(Actually if the updated loopaes v3.x loop driver and utils were included in the dsl base, I think it might be easy to add a boot option to encrypt swap this way.  Running swapon -a will automatically run mkswap, and swapoff -a will pull down the loop device.  So start up and shutdown scripts don't need to be changed.)
Back to top
Profile PM 
WDef Offline





Group: Members
Posts: 798
Joined: Sep. 2005
Posted: June 29 2007,19:09 QUOTE

Here's a quick script to automate this.

If you already have enabled swap partitions, it will find and encrypt those. If you don't , it will prompt for you to select partitions (one at a time), then make encrypted swap out of your selections.

Borrowed bits from tripl, might integrate this into that.

Note: only briefly tested.  Use AYOR.

================================================

Code Sample
#!/bin/bash

# encrypt_swap.sh v0.2 by wdef
# Sets up encrypted swaps

loopfree(){
A=$(losetup -a | cut -b 10)

if [ -z "$A" ]; then
NEXTLP=0
return 0
fi
Y=0
for i in $A; do
if [ $i -eq $Y ]; then
(( Y = i + 1 ))
continue
else
NEXTLP=$Y
return 0
fi
done
if [ $Y -eq $MAXLOOPS ]; then
return 1
else
NEXTLP=$Y
return 0
fi
}

#===================================================

WIPESWAP=yes  # first overwrite swaps to wipe clean
# WIPESWAP=no # in a hurry
MAXLOOPS=8

if [ $EUID -ne 0 ]; then echo "You're not root."; exit 1; fi

SWPS=$(awk '/^\/dev\//{print $1}' /proc/swaps)

if echo $SWPS | grep -q '/dev/loop'; then
echo "Looks like swap is encrypted already. Exiting .."
exit 0
fi

if [ -z "$SWPS" ]; then
echo "No swap devices found."
echo
echo "You have the following partitions:"
PARTITIONS="$(fdisk -l)"
echo "================================================"
echo "$PARTITIONS"
echo "================================================"
echo
SWPS=""
while true; do
echo -n "Enter partition to use as encrypted swap device (CNTRL-C = quit): "
read
if [ $(echo "${REPLY}" | wc -w) -gt 1 ]; then
echo "Please enter only one device at a time."; continue
fi
if [ ! -b "${REPLY}" ]; then
echo "${REPLY} is not a valid block device."; continue
fi
if ! echo $PARTITIONS | grep -q ${REPLY}; then
echo "${REPLY} is not a partition."; continue
fi
SWPS="${SWPS} ${REPLY}"
echo "You have entered device(s): ${SWPS}"
echo -n "Select more devices? (y/N) "
read RP
case $RP in
y|y*|Y|Y*) continue;;
n|n*|N|N*) break;;
esac
done
echo
echo "WARNING: Continuing will destroy data on ${SWPS} !"
echo "~~~~~~~"
while true; do
echo -n "Last chance to exit. Are you sure you want to proceed? (YeS/n) "
read
case $REPLY in
YeS) break;;
n|N|n*|N*) exit 0;;
y|y*|Y|Yes|YE*) echo "You must type YeS to proceed.";;
*) echo "Invalid response.";;
esac
done
else
NSWP=$(echo $SWPS | wc -w)
NUMSWP=${NSWP##*[ ]}
echo "Encrypting $NUMSWP found swap device(s):"
echo "${SWPS}"
fi


sed -i '/swap/ d' /etc/fstab

for S in ${SWPS}; do
if ! loopfree; then echo "Error: no free loops. Exiting ..."; exit 1; fi
[ -n "$NUMSWP" ] && swapoff ${S}
echo "Enabling encrypted swap on ${S} .."
[ $WIPESWAP = yes ] && dd if=/dev/zero of=${S} bs=64k conv=notrunc &>/dev/null
echo "${S}    none   swap   sw,loop=/dev/loop$NEXTLP,encryption=AES128   0   0" >>/etc/fstab
swapon -a
done
rm -rf /var/log/ksymoops  # not needed for dsl
echo "Finished."


exit 0
Back to top
Profile PM 
WDef Offline





Group: Members
Posts: 798
Joined: Sep. 2005
Posted: July 08 2007,19:45 QUOTE

Have an improved version of this, which I will put into the little tripl script, despite the fact that I don't get any help testing that on this forum (you sods, boo-hoo!)

But don't think you're especially snobby, the linux-crypto people also yawned at it  - I don't think they trust OPS ("other people's scripts").  Must be emailing your password in the background to the Mafia, NSA, KGB, Martians, whatever.

I've got a more ambitious script that makes split-batch encrypted isos for archiving large amounts of data onto an optimized number of loopaes-mountable dvds/cds (runs on dsl), and can decrypt and mount a reassembled view of the lot via unionfs.

I remember nobody bothered much with dsl2unc for some time either, and for a while I wondered if I should have bothered posting.
Back to top
Profile PM 
Juanito Offline





Group: Members
Posts: 1601
Joined: Sep. 2005
Posted: July 09 2007,03:45 QUOTE

Quote
I remember nobody bothered much with dsl2unc for some time either

I know this is not the post, but I noticed running dsl2unc on dsl-dpkg.dsl stopped it from working. I got around it by recreating the directories, using "touch placeholder" in the empty (but required) directory and adding this to the file list.

Maybe this could be a "feature" of dsl2unc?
Back to top
Profile PM 
WDef Offline





Group: Members
Posts: 798
Joined: Sep. 2005
Posted: July 09 2007,11:05 QUOTE

Yes it's not really the right thread is it.

I'll check out the placeholder thing within a day or so, provides someone tests my tripl script !
Back to top
Profile PM 
8 replies since June 29 2007,13:11 < Next Oldest | Next Newest >

[ Track this topic :: Email this topic :: Print this topic ]

Pages: (2) </ [1] 2 >/
reply to topic new topic new poll
Quick Reply: How to encrypt swap on dsl

Do you wish to enable your signature for this post?
Do you wish to enable emoticons for this post?
Track this topic
View All Emoticons
View iB Code