Encrypted swap

It has been a while since I posted about encrypted partitions.  It is time for an updated post.  This time, I shall divide the discussion into several posts.  This one will be about encrypted swap, using a random key.

Why encrypt swap?

Crypto leaks.  When you are using encryption, there is often an unencrypted copy of the data in memory or perhaps in a temporary file.  What is in memory can sometimes be swapped out to your disk (the swap partition).  This might not matter if nobody else has access to your computer.  However, laptop computers are stolen and desktop computers eventually find their way to the junkyard or the recycling center.  By keeping swap encrypted, you reduced the risk of accidental release of information that should be private.

Using a random key

The main benefit to using a random key, is that you won’t be prompted to enter the key at every boot.  This is particularly important for a system that must be able to boot unattended.

The main disadvantage of using a random key, is that hibernation won’t work.  In linux, hibernation is achieved by saving memory content to swap, then restoring it on the next boot.  But since swap is encrypted with a random key, and that key is different for each boot, the hibernation data won’t be readable when needed.  If you need hibernation, then you will need a fixed key and in most cases you will have to enter that key on reboot.  The setup for swap with a fixed key is similar to the setup for Luks encryption of a partition.  I’ll cover that in a future post.  Check my crypto page for links.

How it works

The basic encryption uses dm-crypt, which is supported by the linux kernel.  Data is encrypted as it is physically written to disk and decrypted as it is physically read from disk.  Most operations on the computer see only unencrypted data, but what is stored in the disk is encrypted.

The cost is a little additional computational overhead for each disk read/write operation.  If your system is short on memory and does a lot of swapping, that might be a significant cost.  For most systems, the cost will be small.

Setup during install

The easiest way to setup encrypted swap, at least with opensuse, is to do it during an install.  During the disk partitioning part of the install, choose to edit the partition setup.  Then edit the partition entry for swap.  Set it to “format partition” and “encrypt partition?”  You will be asked for an encryption key, and to confirm that key.  Just hit enter without typing a key.  That specifies that no key is to be used, and the installer understands that to imply that a random key be generated on each boot.

That’s about all there is to it.  When you have completed the install, you will be using an encrypted swap.

Manual setup

It is also fairly easy to manually setup encrypted swap.  You will need to be root to carry out these steps.

First find out which partition you are using for swap

# grep swap /etc/fstab
/dev/disk/by-id/some-gobbledygook-part3   swap   swap  defaults  0 0

That shows the partition name for your current swap partition.  In my case, the device name is “/dev/sdb3”, but the system knows it by its device ID.

Next, comment out that line of “/etc/fstab” by inserting the “#” character at the start of the line.

The third step is to edit “/etc/crypttab”.  That file might not exist, in which case you will have to create it.  I use “vi” (really “vim”) to edit the file, though “kwrite” or “gedit” should be fine.  You will want to add a line similar to the following to “/etc/crypttab”:

cr_sdb3 /dev/disk/by-id/some-gobbledygook-part3 /dev/urandom  swap

Don’t use the partition name that I just gave.  Instead, copy the partition name exactly as you found it in “/etc/fstab”.  The first entry in that crypttab line, which I show as “cr_sdb3”, is just a symbolic name for the partition.  You could use “cr_swap” if you wish, to remind you that this is swap, with the “cr_” part there to remind you that it uses crypto.  Or, if you know the device name for the partition, then use “cr_device”, as in “cr_sdb3” or “cr_sda8”.  If you are not sure of the device name, then use “cr_swap”.

The third entry on that line specifies that a random key is to be used.  And the fourth entry (the word “swap”) indicates that the partition is to be formatted for swap after setting up for encryption.  This formatting is done on each boot.

The fourth step is to edit “/etc/fstab” again, to change the swap line to your newly created encrypted swap device.  You can either edit the existing line, then uncomment so that it is again active.  Or you can duplicate the line as an uncommented line.  The only change will be to change the device name to “/dev/mapper/cr_swap”, except that instead of “cr_swap” you use whatever is in that first field of the “/etc/crypttab” line.

The updated swap line line will look like:

/dev/mapper/cr_swap   swap   swap   defaults  0 0

The final step is to reboot.  You could do it without rebooting, but it is easier at this stage to reboot.  If you wanted to do without rebooting the steps would be:

  • swapoff -a  ### discontinue using swap
  • cryptsetup operands ### check the man pages for details
  • swapon -a  ### start using the newly defined swap

That was intended to be just enough detail so that you can see why it is easier to reboot.

After reboot, then use the “free” command to make sure that you still have swap available, and use “ls /dev/mapper” to check that the encryption has been configured.

A note on Luks

If you had previously used Luks with your swap partition, the above probably won’t work.  The reason is that the Luks header will be detected, and the system will attempt to setup the partition for Luks encryption.  And that won’t work with a random key.  If you think that’s a possibility, then write some garbage over the partition (say 100 blocks from “/dev/zero”, but only after first making sure that the partition is not in use.

Mounting “/tmp” from swap

I recommend one final step, and that is to mount “/tmp” from swap.  Add a line near the end of “/etc/fstab”

none   /tmp   tmpfs    defaults   0 0

and you should be set after another reboot. That will take care of any leakage of private info to files in “/tmp”.



About Neil Rickert

Mathematician and computer scientist who dabbles in cognitive science.

4 responses to “Encrypted swap”

  1. Tony C says :

    Thanks for this easy to follow guide. I just set it on my Open Suse 13.1 installation and it works fine.


Trackbacks / Pingbacks

  1. Cifrar Swap | Blog de NotFromBrooklyn - 2015/05/26
  2. Cifrar Swap | Archero - 2015/05/28

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: