encrypted swap

John Richard Moser nigelenki at comcast.net
Thu Jan 6 17:26:26 CST 2005



Not really that hard.

Modify Ubuntu's boot scripts so that before swap is activated, something
like /etc/crypts.conf is read in.  If there's a cryptoswap in there,
appropriate swap encryption can be done.

Here's an example of me doing encrypted swap manually:

# swapoff /dev/hda2
# cryptsetup -d /dev/random -s 256 create swap /dev/hda2
# mkswap /dev/mapper/swap
# swapon /dev/mapper/swap

This means of course that you lose verification; swapon normally looks
at vfat, reiser, ext2, etc and goes "Uh.  That's not swap space."

You don't even really need an initrd to do this unless you're doing this
to /.  An encrypted / can only be done from initrd :)

David Mandelberg wrote:
| One of my biggest desktop security peeves is how easy it is to get
| confidential data (e.g. credit card numbers) from swap devices. This is
| relatively easy to fix, all that's necessary is using cryptoloop or
| something similar with the first n bytes of /dev/random as the key for
| the swap device. Once the system shuts down, the key is gone (it is
| stored in RAM only), so recovering data from the swap partition is near
| impossible.
|
| Encrypted swap is not hard to set up. Cryptsetup (in universe) only
| needs a small amount of configuring and, as long as the kernel is
| >= 2.6.4 and supports dm-crypt, it's easy to get encrypted swap.
|
| The only OS/distribution that I know of that currently does this by
| default is OpenBSD, but there's no reason why Ubuntu shouldn't be the
| next.
|
| If anybody is interested, I might make a patch to d-i to make it set up
| /etc/fstab correctly for encrypted swap and provide safe default
| configuration for cryptsetup.
|
|

--
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.

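The boot-script idea from the message above, sketched as an added example that is not part of the original post or of Ubuntu's scripts. The /etc/crypts.conf line format, the function names and the blkid-based signature check are assumptions; the check stands in for the verification the message says is lost, since the device is re-keyed and reformatted on every boot.

```shell
#!/bin/sh
# Added example: dry-run planner for a hypothetical /etc/crypts.conf.
# Assumed line format (not from the post):  <mapper-name> <device> cryptoswap

# Report the signature found on a raw device; empty output means none.
# Uses blkid; override this function to test without real devices.
probe_type() {
    blkid -o value -s TYPE "$1" 2>/dev/null
}

# Print the commands a boot script would run before swap is activated.
# Nothing is executed here; the caller decides whether to run the output.
plan_cryptoswap() {
    conf=$1
    while read -r name dev kind rest; do
        case $name in ''|'#'*) continue ;; esac      # blank lines, comments
        [ "$kind" = cryptoswap ] || continue          # other entry types
        # The mapping gets a fresh random key and a new mkswap each boot,
        # so swapon's usual sanity check never sees the raw device.
        # Refuse anything that still looks like a filesystem; ciphertext
        # left over from a previous boot carries no signature at all.
        fstype=$(probe_type "$dev") || fstype=''
        case $fstype in
            ''|swap) ;;
            *) echo "# SKIP $dev: found $fstype signature"; continue ;;
        esac
        echo "cryptsetup -d /dev/random -s 256 create $name $dev"
        echo "mkswap /dev/mapper/$name"
        echo "swapon /dev/mapper/$name"
    done < "$conf"
}
```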


