encrypted swap

David Mandelberg mandelbergd at eth0.is-a-geek.org
Wed Jan 5 12:28:59 CST 2005


One of my biggest desktop security peeves is how easy it is to get confidential
data (e.g. credit card numbers) from swap devices. This is relatively easy to
fix; all that's necessary is using cryptoloop or something similar with the
first n bytes of /dev/random as the key for the swap device. Once the system
shuts down, the key is gone (it is stored in RAM only), so recovering data from
the swap partition is near impossible.

Encrypted swap is not hard to set up. Cryptsetup (in universe) only needs a
small amount of configuring and, as long as the kernel is >= 2.6.4 and supports
dm-crypt, it's easy to get encrypted swap.

The only OS/distribution that I know of that currently does this by default is
OpenBSD, but there's no reason why Ubuntu shouldn't be the next.

If anybody is interested, I might make a patch to d-i to make it set up
/etc/fstab correctly for encrypted swap and provide safe default configuration
for cryptsetup.

-- 
David Mandelberg
mandelbergd at eth0.is-a-geek.org
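
A check for the setup proposed above, as an added example that is not part of the original post: it reads an fstab and a crypttab and reports every swap entry that is not a dm-crypt mapping keyed from /dev/urandom or /dev/random. It assumes the /etc/crypttab layout of the Debian/Ubuntu cryptsetup package (name, device, key file, options); the function names, device names and sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: verify that every swap entry is a dm-crypt mapping keyed from
# /dev/urandom or /dev/random (the key then lives in RAM only, gone at shutdown).

# crypttab_status NAME CRYPTTAB -> random-key | persistent-key | missing
crypttab_status() {
    awk -v name="$1" '
        NF == 0 || $1 ~ /^#/ { next }          # skip blanks and comments
        $1 == name {
            found = 1
            random = ($3 == "/dev/urandom" || $3 == "/dev/random")
            print (random ? "random-key" : "persistent-key")
            exit
        }
        END { if (!found) print "missing" }
    ' "$2"
}

# audit_swap FSTAB CRYPTTAB -> prints "<device> <status>" per swap entry and
# returns 1 if any entry is not backed by a random-key mapping.
audit_swap() {
    rc=0
    while read -r dev _mnt type _rest; do
        case "$dev" in ''|'#'*) continue ;; esac
        [ "$type" = "swap" ] || continue
        case "$dev" in
            /dev/mapper/*) status=$(crypttab_status "${dev#/dev/mapper/}" "$2") ;;
            *)             status="unmapped" ;;  # raw partition, UUID= or swap file
        esac
        echo "$dev $status"
        [ "$status" = "random-key" ] || rc=1
    done < "$1"
    return "$rc"
}

# Constructed sample files (not taken from any real system).
make_samples() {
    printf '%s\n' '# <fs> <mount> <type> <opts> <dump> <pass>' \
        '/dev/mapper/cswap none swap sw 0 0' \
        '/dev/sda3 none swap sw 0 0' \
        '/dev/mapper/oldswap none swap sw 0 0' > "$1/fstab"
    printf '%s\n' '# <name> <device> <keyfile> <options>' \
        'cswap /dev/sda2 /dev/urandom cipher=aes-xts-plain64,size=256,swap' \
        'oldswap /dev/sdb1 /etc/keys/swap.key cipher=aes-xts-plain64' > "$1/crypttab"
}

tmp=$(mktemp -d) && make_samples "$tmp"
audit_swap "$tmp/fstab" "$tmp/crypttab" || echo "swap audit: FAILED"
rm -rf "$tmp"
```

On a real system the arguments would be /etc/fstab and /etc/crypttab; only the first sample entry passes, since the second is a raw partition and the third uses a key file that persists on disk.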