Page 1 of 2
Results 1 to 10 of 12

Thread: HOWTO: Encrypted swap partition

  1. #1
    Member elazar's Avatar
    Join Date
    Sep 2007
    Posts
    217

    Default HOWTO: Encrypted swap partition

    Dedicated to all of the paranoid nuts out there (if you work in the information security field, or worse, if it's your hobby, then you are probably paranoid; nuts goes without saying).

    DISCLAIMER: This can seriously damage your system if not configured correctly. Neither I nor remote-exploit.com take any responsibility for any damage done to your system by following this tutorial. As always, make sure that you have a good backup before starting.

    Now that we have that out of the way, here goes.

    1. You will need the cryptsetup and cryptsetup.static packages. Both packages can be downloaded from http://www.slackware.com/~alien/slac...p/pkg/current/ or you can build cryptsetup from source, http://luks.endorphin.org/dm-crypt

    2. Identify your swap partition:

    Code:
    swapon -s 
    Filename                                Type            Size    Used    Priority
    /dev/hda2                               partition       2096472 0       -2
    In my case, it's hda2.

    3. Turn off swapping

    Code:
    swapoff -a
    4. Now, we are going to verify that cryptsetup works properly:

    Code:
    cryptsetup --cipher aes-cbc-essiv:sha256 --key-size 256 --key-file /dev/urandom create encryptedswap /dev/hda2
    If this command completes with no errors, then we are good to go. A quick note on ESSIV: the digest size for ESSIV cannot be larger than the key size for the chosen symmetric algorithm. For example, aes-cbc-essiv:sha512 will not work because the maximum key size for AES is 256 bits.

    Now we can remove the encryptedswap device:

    Code:
    dmsetup remove encryptedswap
    5. This step is optional. It is advisable to shred your swap partition first:

    Code:
    shred -n 3 -z /dev/hdXX
    6. Now here is the tricky part: we need to edit rc.S and rc.6 to set up/tear down the swap partition on startup/shutdown. The following scripts were taken from rc.S and rc.6 on Slackware 12 (2.6.21.5 SMP). Cryptsetup uses device-mapper, which requires udev to be started before setting up any devices, so we are going to need to move the udev section in rc.S.

    First backup rc.S and rc.6:

    Code:
     cp rc.S rc.S.back
     cp rc.6 rc.6.back
    Now, open rc.S in your favorite text editor; rc.S can be found in /etc/rc.d/. Locate the udev section (it's a little less than halfway down), and cut and paste it right after the hotplug section at the beginning of rc.S. Now copy the following script and paste it right before the swap section (Enable swapping).

    rc.S cryptsetup script
    Code:
    # Open any volumes created by cryptsetup:
    if [ -f /etc/crypttab -a -x /sbin/cryptsetup.static ]; then
      # First, check for device-mapper support.
      if ! grep -wq device-mapper /proc/devices ; then
        # If device-mapper exists as a module, try to load it:
        /sbin/modprobe -q dm-mod
      fi
      # Skip comments and blank lines; fields are: name device keyfile options
      grep -v "^#" /etc/crypttab | grep -v "^$" | while read line; do
        LUKS=$(echo $line | tr '\t' ' ' | tr -s ' ' | cut -f1 -d' ')
        DEV=$(echo $line | tr '\t' ' ' | tr -s ' ' | cut -f2 -d' ')
        PASS=$(echo $line | tr '\t' ' ' | tr -s ' ' | cut -f3 -d' ')
        OPTS=$(echo $line | tr '\t' ' ' | tr -s ' ' | cut -f4 -d' ')
        LUKSOPTS=""
        if echo $OPTS | grep -wq ro ; then LUKSOPTS="${LUKSOPTS} --readonly" ; fi

        # NOTE: we only support LUKS formatted volumes (except for swap)!
        if /sbin/cryptsetup.static isLuks $DEV 2>/dev/null ; then
          echo "Unlocking LUKS crypt volume '${LUKS}' on device '$DEV':"
          if [ -n "${PASS}" ]; then
            if [ -f "${PASS}" ]; then
              /sbin/cryptsetup.static ${LUKSOPTS} --key-file=${PASS} luksOpen $DEV $LUKS
            elif [ "${PASS}" != "none" ]; then
              echo "${PASS}" | /sbin/cryptsetup.static ${LUKSOPTS} luksOpen $DEV $LUKS
            fi
          else
            # Give the user three attempts at the passphrase on the console:
            for i in $(seq 1 3) ; do
              /sbin/cryptsetup.static ${LUKSOPTS} luksOpen $DEV $LUKS </dev/tty0 >/dev/tty0 2>&1
              [ $? -eq 0 ] && break
            done
          fi
        elif echo $OPTS | grep -wq swap ; then
          # If any of the volumes is to be used as encrypted swap,
          # then encrypt it using a random key and run mkswap:
          echo "Creating encrypted swap on device '$DEV' mapped to '${LUKS}':"
          /sbin/cryptsetup.static --cipher=aes-cbc-essiv:sha256 --key-file=/dev/urandom --key-size=256 create $LUKS $DEV
          mkswap /dev/mapper/$LUKS
        fi
      done
    fi
    A note on ciphers: I have found that Twofish is faster on my system than AES; at the end of the day it's performance and personal preference that are the deciding factors for your system. You can test algorithm speed by setting up another partition, encrypting it, and testing read/write speed with different algorithms.

    Save and close. Now open rc.6, locate the sync command (about 3/4 of the way down), and paste the following right after it:

    rc.6 cryptsetup script
    Code:
    # Close any volumes opened by cryptsetup:
    if [ -f /etc/crypttab -a -x /sbin/cryptsetup.static ]; then
      grep -v "^#" /etc/crypttab | grep -v "^$" | while read line; do
        # NOTE: we only support LUKS formatted volumes (except for swap)!
        LUKS=$(echo $line | tr '\t' ' ' | tr -s ' ' | cut -f1 -d' ')
        DEV=$(echo $line | tr '\t' ' ' | tr -s ' ' | cut -f2 -d' ')
        OPTS=$(echo $line | tr '\t' ' ' | tr -s ' ' | cut -f4 -d' ')
        if /sbin/cryptsetup.static isLuks $DEV 2>/dev/null ; then
          echo "Locking LUKS crypt volume '${LUKS}':"
          /sbin/cryptsetup.static luksClose ${LUKS}
        elif echo $OPTS | grep -wq swap ; then
          # If any of the volumes was used as encrypted swap,
          # then run mkswap on the underlying device -
          # in case other Linux installations on this computer should use it:
          echo "Erasing encrypted swap '${LUKS}' and restoring normal swap on ${DEV}:"
          swapoff -a
          /sbin/cryptsetup.static remove ${LUKS}
          mkswap $DEV
        fi
      done
    fi
    7. Now we need to edit fstab and create a crypttab file so that the swap partition will be automatically initialized. Open your favorite text editor and enter the following (replace hdXX with your swap partition):

    Code:
     encryptedswap /dev/hdXX none swap
    Save this file as crypttab in /etc.

    8. Open /etc/fstab, remove (or comment out) any lines pertaining to your swap partition, and add the following:

    Code:
     #Encrypted Swap#
    /dev/mapper/encryptedswap none swap defaults 0 0
    Save and close.

    9. Reboot and cross your fingers, then verify that it picked up your swap partition by running

    Code:
     swapon -s
    E
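As an added example (not part of elazar's post, and not Slackware's rc.S/rc.6 code), here is the swap-specific part of the procedure above pulled into one stand-alone POSIX shell script. It reads the four-field crypttab layout from step 7, checks the cipher spec against the ESSIV key-size rule from step 4 before touching any device, and performs the start sequence (fresh random key, mkswap on the mapping, swapon) and the stop sequence (swapoff, drop the mapping, restore a plain swap signature) that the rc.S and rc.6 hooks do. The cryptsetup.static path and the plain-mode `create`/`remove` syntax are taken from the post; the DRYRUN switch, the function names and the small cipher/digest table are my additions, and that table is an assumption covering only AES and Twofish.

```shell
#!/bin/sh
# cryptswap.sh: random-key encrypted swap from /etc/crypttab entries tagged "swap".
# Added example; not the rc.S/rc.6 code from the post. Assumes the plain-mode
# "create"/"remove" cryptsetup syntax and the 4-field crypttab used in the post.
#
#   DRYRUN=1 ./cryptswap.sh start    # print the commands instead of running them
#   ./cryptswap.sh start|stop        # as root, from rc.S / rc.6

CRYPTTAB=${CRYPTTAB:-/etc/crypttab}
CRYPTSETUP=${CRYPTSETUP:-/sbin/cryptsetup.static}
CIPHER=${CIPHER:-aes-cbc-essiv:sha256}
KEYSIZE=${KEYSIZE:-256}
DRYRUN=${DRYRUN:-0}

# Run a command, or just print it when DRYRUN=1.
run() {
  if [ "$DRYRUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Succeed only if the ESSIV digest length is a key length the cipher accepts
# (the post's point: aes-cbc-essiv:sha512 fails because AES has no 512-bit key).
# The cipher/digest tables are an assumption limited to the algorithms listed here.
essiv_ok() {
  case $1 in
    *-essiv:*) ;;
    *) return 0 ;;               # no ESSIV, nothing to check
  esac
  cipher=${1%%-*}                # "aes" from "aes-cbc-essiv:sha256"
  digest=${1##*:}                # "sha256"
  case $digest in
    sha1|ripemd160) bits=160 ;;
    sha256) bits=256 ;;
    sha384) bits=384 ;;
    sha512) bits=512 ;;
    *) return 1 ;;
  esac
  case $cipher in
    aes|twofish) [ "$bits" -eq 128 ] || [ "$bits" -eq 192 ] || [ "$bits" -eq 256 ] ;;
    *) return 1 ;;
  esac
}

# Print "name device" for every crypttab line whose option list contains "swap".
# Comments and blank lines are skipped; spaces and tabs both separate fields.
swap_entries() {
  sed 's/#.*//' "$CRYPTTAB" | while read -r name dev keyfile opts; do
    [ -n "$name" ] || continue
    case ",$opts," in
      *,swap,*) printf '%s %s\n' "$name" "$dev" ;;
    esac
  done
}

# Start: a fresh random key per boot, a swap signature on the mapping, then swapon.
# Nothing is written to the raw device in the clear, and the key never leaves the kernel.
cryptswap_start() {
  if ! essiv_ok "$CIPHER"; then
    echo "cryptswap: $CIPHER: digest size is not a valid key size for this cipher" >&2
    return 1
  fi
  swap_entries | while read -r name dev; do
    if [ "$DRYRUN" != 1 ] && [ ! -b "$dev" ]; then
      echo "cryptswap: $dev is not a block device, skipping" >&2
      continue
    fi
    run "$CRYPTSETUP" --cipher="$CIPHER" --key-size="$KEYSIZE" --key-file=/dev/urandom create "$name" "$dev" || continue
    run mkswap "/dev/mapper/$name"
    run swapon "/dev/mapper/$name"
  done
}

# Stop: reverse order. Dropping the mapping discards the key; mkswap on the raw
# device afterwards restores a plain swap signature, as the post's rc.6 hook does.
cryptswap_stop() {
  swap_entries | while read -r name dev; do
    run swapoff "/dev/mapper/$name"
    run "$CRYPTSETUP" remove "$name"
    run mkswap "$dev"
  done
}

case ${1:-} in
  start) cryptswap_start ;;
  stop)  cryptswap_stop ;;
  check) essiv_ok "${2:-$CIPHER}" && echo "${2:-$CIPHER}: ok" ;;
esac
```

Run `DRYRUN=1 CRYPTTAB=/etc/crypttab ./cryptswap.sh start` first to see exactly what would be executed against your devices; `./cryptswap.sh check twofish-cbc-essiv:sha256` answers the cipher question from step 4 without creating anything. Because the script does its own swapon, the fstab line from step 8 is not needed when it is used instead of the rc.S hook.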

  2. #2
    Member imported_blackfoot's Avatar
    Join Date
    Jun 2007
    Posts
    386

    Default testing

    Has this been tested with slax?

    There is a specific slax module available.

    The text has not been referenced to original source and should do so due to its nature as it is modified for swap.

    Can't we just download dm-crypt and use a simple cswap command and append it to crypttab accordingly?
    Lux sit

  3. #3
    Member elazar's Avatar
    Join Date
    Sep 2007
    Posts
    217

    Default

    Quote Originally Posted by blackfoot View Post
    Has this been tested with slax?
    There is a specific slax module available.

    The text has not been referenced to original source and should do so due to its nature as it is modified for swap.

    Can't we just download dm-crypt and use a simple cswap command and append it to crypttab accordingly?
    I am currently running this on BT2 Final. I wrote this tutorial; for some reason I was unable to post it in its entirety, so I attached it instead. As for dm-crypt, it is included in the mainline kernel, and I have not seen it compiled as a kernel module for download.

  4. #4
    Developer
    Join Date
    Mar 2007
    Posts
    6,126

    Default

    Call me stupid, because I'm failing to see the point of encrypting just the swap partition. Please explain.

  5. #5
    Member elazar's Avatar
    Join Date
    Sep 2007
    Posts
    217

    Default

    Quote Originally Posted by purehate View Post
    Call me stupid because I'm failing to see the point of encrypting just the swap partiton. Please explain
    It is obviously best to encrypt the entire drive; however, if what is on your drive does not warrant encryption, but at any moment you are, say, logging into your online banking and your machine is utilizing the swap partition, it is possible that the password can be stored in the swap partition and remain there after the machine is powered off, potentially allowing an attacker to see it. It's like the swap file on Windows. Do a quick Google on swap file forensics and you will see what I am talking about...

  6. #6
    Member imported_blackfoot's Avatar
    Join Date
    Jun 2007
    Posts
    386

    Default encryption

    It is possible to encrypt a partition (fixed disk) to preserve confidentiality.

    However, almost everything is done in or through memory. On power down (if there is one) everything is deleted from memory. However during normal use some things are redistributed to swap. In such cases confidentiality might not be preserved, so swap can be encrypted also. It is normal at that time to encrypt the tmp partition too.

    The thread has provided a text which illustrates commands to enable that. However it is not advisable to use it for any other purpose as it defines a random key file which would render any other partition useless.

    Swap is encrypted as part of a security regime and not normally in isolation. BSD and most Linux based systems now provide for a program called cswap or encswap which does the operation with one simple command.
    Lux sit

  7. #7
    Developer
    Join Date
    Mar 2007
    Posts
    6,126

    Default

    Okay, I understand now, but in my personal case my laptop with 2G RAM and a 1G swap (just for good measure) hardly ever reaches the swap, and it's my understanding that if it does reach the swap, the first in the stack is the program that's pushed to the swap. So for example, if I booted up, started Snort and a honeyd daemon, and then checked my banking, the Snort would be pushed to the swap if I were to run out of RAM. I'm just curious and love talking about anything besides breaking wifi.

  8. #8
    Member elazar's Avatar
    Join Date
    Sep 2007
    Posts
    217

    Default

    Quote Originally Posted by purehate View Post
    Okay, I understand now, but in my personal case my laptop with 2G RAM and a 1G swap (just for good measure) hardly ever reaches the swap, and it's my understanding that if it does reach the swap, the first in the stack is the program that's pushed to the swap. So for example, if I booted up, started Snort and a honeyd daemon, and then checked my banking, the Snort would be pushed to the swap if I were to run out of RAM. I'm just curious and love talking about anything besides breaking wifi.
    I have 768MB and I barely use my 2GB swap (except with Snort and sometimes Nessus). I'm not sure, but that sounds right. Here is a great link that explains it: http://sourcefrog.net/weblog/softwar...rnel/swap.html

    E

  9. #9
    Member imported_blackfoot's Avatar
    Join Date
    Jun 2007
    Posts
    386

    Default swap

    Swap daemon activity depends on systems and BSD is different.

    A good link for Linux is here:

    http://www.linux-tutorial.info/modul...ent&pageid=311

    I chose this because it provides a good explanation of kernel threading in Linux. The daemon tends to assess processes for file locking and memory sharing and isolates on a time and use basis which is similar to your program being pushed up the stack but not quite.

    It is still important to bear in mind that we have been somewhat overtaken by technology. Memory and disk space are now much greater than when Linux/Unix was first developed. Good programs exploit garbage collection and less memory is blocked. Swap is therefore less critical as an indicator of an efficient system than in the past. Of course your allocations are in gigabytes. To some of us these are extremely large given that some of our best programs used to fit on a 5 1/4 inch floppy!

    Encryption of swap devices helps to preserve confidentiality given that local access is compromised or to deny forensics but should be used as part of a wider security strategy rather than alone.
    Lux sit

  10. #10
    Member elazar's Avatar
    Join Date
    Sep 2007
    Posts
    217

    Default

    Quote Originally Posted by blackfoot View Post
    Encryption of swap devices helps to preserve confidentiality given that local access is compromised or to deny forensics but should be used as part of a wider security strategy rather than alone.
    Couldn't have said it better myself. I didn't see a point in writing a tutorial on data encryption with cryptsetup and the like because it is pretty straightforward; however, encrypted swap is another story altogether.
