It has been a while since I posted about encrypted partitions. It is time for an updated post. This time, I shall divide the discussion into several posts. This one will be about encrypted swap, using a random key.
Why encrypt swap?
Crypto leaks. When you are using encryption, there is often an unencrypted copy of the data in memory or perhaps in a temporary file. What is in memory can sometimes be swapped out to your disk (the swap partition). This might not matter if nobody else has access to your computer. However, laptop computers are stolen and desktop computers eventually find their way to the junkyard or the recycling center. By keeping swap encrypted, you reduce the risk of accidental release of information that should be private.
Using a random key
The main benefit of using a random key is that you won’t be prompted to enter the key at every boot. This is particularly important for a system that must be able to boot unattended.
The main disadvantage of using a random key is that hibernation won’t work. In Linux, hibernation is achieved by saving memory content to swap, then restoring it on the next boot. But since swap is encrypted with a random key, and that key is different for each boot, the hibernation data won’t be readable when needed. If you need hibernation, then you will need a fixed key and in most cases you will have to enter that key on reboot. The setup for swap with a fixed key is similar to the setup for LUKS encryption of a partition. I’ll cover that in a future post. Check my crypto page for links.
How it works
The basic encryption uses dm-crypt, which is supported by the Linux kernel. Data is encrypted as it is physically written to disk and decrypted as it is physically read from disk. Most operations on the computer see only unencrypted data, but what is stored on the disk is encrypted.
The cost is a little additional computational overhead for each disk read/write operation. If your system is short on memory and does a lot of swapping, that might be a significant cost. For most systems, the cost will be small.
Setup during install
The easiest way to set up encrypted swap, at least with openSUSE, is to do it during an install. During the disk partitioning part of the install, choose to edit the partition setup. Then edit the partition entry for swap. Set it to “format partition” and “encrypt partition?” You will be asked for an encryption key, and to confirm that key. Just hit enter without typing a key. That specifies that no key is to be used, and the installer understands that to imply that a random key be generated on each boot.
That’s about all there is to it. When you have completed the install, you will be using an encrypted swap.
It is also fairly easy to set up encrypted swap manually. You will need to be root to carry out these steps.
First find out which partition you are using for swap:
# grep swap /etc/fstab
/dev/disk/by-id/some-gobbledygook-part3 swap swap defaults 0 0
That shows the partition name for your current swap partition. In my case, the device name is “/dev/sdb3”, but the system knows it by its device ID.
Next, comment out that line of “/etc/fstab” by inserting the “#” character at the start of the line.
The third step is to edit “/etc/crypttab”. That file might not exist, in which case you will have to create it. I use “vi” (really “vim”) to edit the file, though “kwrite” or “gedit” should be fine. You will want to add a line similar to the following to “/etc/crypttab”:
cr_sdb3 /dev/disk/by-id/some-gobbledygook-part3 /dev/urandom swap
Don’t use the partition name that I just gave. Instead, copy the partition name exactly as you found it in “/etc/fstab”. The first entry in that crypttab line, which I show as “cr_sdb3”, is just a symbolic name for the partition. You could use “cr_swap” if you wish, to remind you that this is swap, with the “cr_” part there to remind you that it uses crypto. Or, if you know the device name for the partition, then use “cr_device”, as in “cr_sdb3” or “cr_sda8”. If you are not sure of the device name, then use “cr_swap”.
The third entry on that line specifies that a random key is to be used. And the fourth entry (the word “swap”) indicates that the partition is to be formatted for swap after setting up for encryption. This formatting is done on each boot.
The fourth step is to edit “/etc/fstab” again, to change the swap line to your newly created encrypted swap device. You can either edit the existing line and uncomment it so that it is active again, or you can duplicate the line as an uncommented line. The only change will be to change the device name to “/dev/mapper/cr_swap”, except that instead of “cr_swap” you use whatever is in that first field of the “/etc/crypttab” line.
The updated swap line will look like:
/dev/mapper/cr_swap swap swap defaults 0 0
The final step is to reboot. You could do it without rebooting, but it is easier at this stage to reboot. If you wanted to do it without rebooting, the steps would be:
- swapoff -a ### discontinue using swap
- cryptsetup operands ### check the man pages for details
- swapon -a ### start using the newly defined swap
That was intended to be just enough detail so that you can see why it is easier to reboot.
After the reboot, use the “free” command to make sure that you still have swap available, and use “ls /dev/mapper” to check that the encryption has been configured.
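An added example, not from the original post: a read-only shell check that cross-checks the swap lines of an fstab file against crypttab, so a forgotten step (swap still pointing at the raw partition, or a mapping without “/dev/urandom”) shows up before you rely on the setup. The function name “audit_swap”, the verdict labels and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): audit fstab against crypttab.
# Usage: audit_swap FSTAB CRYPTTAB
# Prints one verdict per active swap line; the exit status is non-zero if any
# swap line is not a /dev/mapper device keyed from /dev/urandom or /dev/random.
audit_swap() {
    fstab=$1
    crypttab=$2
    [ -r "$crypttab" ] || crypttab=/dev/null   # crypttab may not exist yet
    awk '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank and commented lines
        FILENAME == ARGV[1] {                  # first file: crypttab
            key[$1] = $3; opts[$1] = $4; next
        }
        $3 == "swap" {                         # second file: fstab swap lines
            seen = 1
            name = $1
            if (sub("^/dev/mapper/", "", name) == 0) {
                print "PLAINTEXT " $1; bad = 1
            } else if (!(name in key)) {
                print "NO-CRYPTTAB-ENTRY " $1; bad = 1
            } else if (key[name] !~ "^/dev/u?random$") {
                print "NOT-RANDOM-KEY " $1; bad = 1
            } else if (("," opts[name] ",") !~ /,swap,/) {
                print "NO-SWAP-OPTION " $1; bad = 1
            } else {
                print "OK " $1
            }
        }
        END { if (!seen) print "NO-SWAP"; exit bad + 0 }
    ' "$crypttab" "$fstab"
}

# Constructed sample files (the by-id name is the placeholder used in the post).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' 'cr_swap /dev/disk/by-id/some-gobbledygook-part3 /dev/urandom swap' \
    > "$demo_dir/crypttab"
printf '%s\n' '#/dev/disk/by-id/some-gobbledygook-part3 swap swap defaults 0 0' \
    '/dev/mapper/cr_swap swap swap defaults 0 0' > "$demo_dir/fstab.good"
printf '%s\n' '/dev/disk/by-id/some-gobbledygook-part3 swap swap defaults 0 0' \
    > "$demo_dir/fstab.bad"

audit_swap "$demo_dir/fstab.good" "$demo_dir/crypttab"          # finished setup
audit_swap "$demo_dir/fstab.bad" "$demo_dir/crypttab" || true   # fstab not updated
```

On a real system, run “audit_swap /etc/fstab /etc/crypttab”; it only reads the two files and changes nothing.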
A note on LUKS
If you had previously used LUKS with your swap partition, the above probably won’t work. The reason is that the LUKS header will be detected, and the system will attempt to set up the partition for LUKS encryption. And that won’t work with a random key. If you think that’s a possibility, then write some garbage over the partition (say 100 blocks from “/dev/zero”), but only after first making sure that the partition is not in use.
Mounting “/tmp” from swap
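I recommend one final step, and that is to mount “/tmp” from swap, that is, as a tmpfs, which is held in memory and paged out to the (now encrypted) swap when needed. Add a line near the end of “/etc/fstab”: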
none /tmp tmpfs defaults 0 0
and you should be set after another reboot. That will take care of any leakage of private info to files in “/tmp”.