View previous topic :: View next topic |
Author |
Message |
tuxophil Tux's lil' helper
Joined: 29 Jun 2003 Posts: 80 Location: Diddeleng, Lëtzebuerg
|
Posted: Sun Jan 09, 2005 9:46 pm Post subject: quick and painless: dm-crypt encrypted swap |
|
|
Quick and painless: dm-crypt encrypted swap
Introduction
This mini-HOWTO is a complement to other HOWTOs on encrypting various parts of your system (like your /home or / partitions). I decided to encrypt my swap partitions after I found some of my passwords in them:
Code: | strings < /dev/swapdevice | grep mypassword |
Important: Do not try this command at home. The command, including your password, will be saved in root's .bash_history! If you really want to search for it, better pipe strings' output to less and use the pager's search functionality.
To make this HOWTO as short as possible I will just post my init script that I've been using for a few months now.
Some particularities of my approach are the following:
- independent of any encryption of /home or /
- the new dm-crypt interface is used
- support for multiple swap partitions
- nice integration in Gentoo's boot sequence
- very easy configuration
Please note that due to technical difficulties it's currently impossible to use encrypted swap files. More information can be found in this discussion on the dm-crypt mailing list.
Preliminaries
To use the device-mapper and the encryption based thereon (dm-crypt) you'll have to compile your kernel (at least 2.6.4) with the following options:
Device Drivers->Multi-device support (RAID and LVM)
Code: | [*] Multiple devices driver support (RAID and LVM)
<M> Device mapper support
<M> Crypt target support |
(The loopback support could be useful too, but not for encrypted swap.)
Cryptographic options
Code: | <M> AES cipher algorithms |
Of course, you are free to chose any cipher algorithm you like. You'll just have to adapt the cryptoswap configuration file.
After you've rebooted, emerge the device-mapper userspace tools and modprobe a cipher algorithm:
Code: | emerge device-mapper
modprobe aes |
Make sure your cipher algorithm is automatically loaded at startup:
Code: | echo aes >> /etc/modules.autoload.d/kernel-2.6 |
The init script
So, here's my init script. Save this as /etc/init.d/cryptoswap. Instructions within
Code: | #!/sbin/runscript
# cryptoswap 0.04
#
# This initscript uses the Device-Mapper and Crypto API of Linux >=2.6.4
# to create encrypted swap devices. Configuration is done in
# /etc/conf.d/cryptoswap.
# USING CRYPTOSWAP
# 1. Make sure your kernel is compiled with device-mapper and
# some cryptographic algorithms. Easiest is to compile them into
# the kernel. You also need sys-libs/device-mapper.
# 2. Turn off swapping for all your swap partitions
# e.g. swapoff /dev/hdb2
# 3. Remove all swap partitions from your /etc/fstab
# 4. Overwrite all swap partitions with random data from /dev/urandom
# dd if=/dev/urandom of=/dev/hdb2 bs=1M
# 5. Configure cryptoswap (/etc/conf.d/cryptoswap)
# 6. rc-update add cryptoswap boot
# 7. /etc/init.d/cryptoswap start
CIPHER=${CIPHER:-aes}
KEYSIZE=${KEYSIZE:-32}
DMSETUP=/sbin/dmsetup
CONF=/etc/conf.d/cryptoswap
depend() {
after urandom modules
}
# $1 = block device (e.g. /dev/hda2)
isswap () {
PART=`fdisk -l | grep "^$1 "`
[[ $PART == *Linux\ swap* ]]
}
cipheravailable() {
modprobe $1 &> /dev/null
# remove "mode" (e.g. plain, cbc, cbc-essiv-sha256)
grep "name *: *${1%%-*}" /proc/crypto >& /dev/null
}
start() {
if ! [ -r "$CONF" ] ; then
eerror "ERROR: Configuration file $CONF does not exist"
eerror " or cannot be read."
exit 1
fi
if ! [ -x $DMSETUP ] ; then
eerror "ERROR: The $DMSETUP executable cannot be found."
eerror " Please emerge sys-libs/device-mapper."
exit 2
fi
einfo "Setting up encrypted swap"
NBR=0
grep '^swap=' $CONF | while read SWAPLINE
do
swap="" pri="" cipher="" keysize=""
eval $SWAPLINE
ebegin " Setting up $swap as /dev/mapper/cryptoswap$NBR"
cipher=${cipher:-$CIPHER}
keysize=${keysize:-$KEYSIZE}
if ! cipheravailable "$cipher"; then
eerror "ERROR: The specified cipher $cipher is not available."
eend 1
continue
fi
if ! isswap "$swap"; then
ewarn "WARNING: $swap is not a swap partition. Skipping."
eend 1
continue
fi
if [[ ! -z "$pri" && $pri -ge 0 ]]
then OPTS="-p $pri";
else OPTS="";
fi
# make sure swap is turned off for $swap
swapoff $swap &> /dev/null
BLOCKS=`blockdev --getsize $swap`
HEXDIGITS=$(($keysize * 2))
KEY=`tr -cd 0-9a-f < /dev/urandom | head -c $HEXDIGITS`
echo 0 $BLOCKS crypt $cipher $KEY 0 $swap 0 \
| $DMSETUP create cryptoswap$NBR
mkswap /dev/mapper/cryptoswap$NBR > /dev/null
swapon $OPTS /dev/mapper/cryptoswap$NBR
eend $?
let ++NBR
done
if ! swapon -s | grep "/dev/mapper/cryptoswap" > /dev/null
then
eerror "ERROR: No encrypted swap devices were created!"
eerror " Please edit $CONF."
exit 3
fi
}
stop() {
einfo "Turning off encrypted swap"
# It's possible that the configuration file has changed.
# Therefore the configuration file is ignored and we simply
# remove all cryptoswap* mappings.
MAPPINGS=`ls /dev/mapper/cryptoswap* 2> /dev/null`
if [ -z "$MAPPINGS" ]; then
ewarn "WARNING: No cryptoswap mapping found."
exit 0
fi
for m in /dev/mapper/cryptoswap*; do
MAPDEV=${m#/dev/mapper/}
ebegin " removing $m"
swapoff $m
$DMSETUP remove $MAPDEV
eend $?
done
}
status () {
swapon -s
}
|
And the configuration file:
Code: | # /etc/conf.d/cryptoswap
# cryptoswap configuration file
# The configuration is simplistic: one line per swap device.
# The cipher and keysize (in bytes for coherence with /proc/crypto)
# can be set globally.
CIPHER=aes
KEYSIZE=16
# But it's also possible to override this default value on a per device
# basis. Here are some commented sample configuration lines:
#swap=/dev/hda1 pri=3 cipher=blowfish keysize=32
#swap=/dev/hdb2 pri=3 cipher=twofish
#swap=/dev/hda6 pri=1
# NOTES
# The used cipher must be available through the kernel Crypto API. To
# get a list of available algorithms: cat /proc/crypto
# Since this parameter is directly passed to dmsetup, it can also contain
# IV generation modes for CBC. Examples:
# aes, blowfish-cbc, twofish-cbc-essiv:sha256
# Please refer to http://www.saout.de/misc/dm-crypt/ for more information.
#
# Set the same priority for multiple devices to enable RAID0-like
# striping. (Should be faster.) See man 2 swapon for more details.
|
Well, that's it. If there are any corrections, improvements or comments, I'd be glad to hear about them.
References
dm-crypt homepage
dm-crypt wiki
Changelog
10.01.2005: Added warning not to enter a command containing passwords.
17.01.2005: Added error checking, improved flexibility (swap priority).
23.01.2005: Added note about encrypted swap files.
Last edited by tuxophil on Sun Jan 23, 2005 10:32 am; edited 3 times in total |
|
Back to top |
|
|
Vanquirius Retired Dev
Joined: 14 Jun 2002 Posts: 1297 Location: Ethereal plains
|
Posted: Mon Jan 10, 2005 1:23 am Post subject: |
|
|
Very nice, thanks. _________________ Hello. |
|
Back to top |
|
|
Bluepixel n00b
Joined: 10 Sep 2003 Posts: 11
|
Posted: Mon Jan 10, 2005 8:18 am Post subject: |
|
|
I will use that next time I start from scratch. Thanks for posting this! |
|
Back to top |
|
|
gaboonal n00b
Joined: 05 Mar 2004 Posts: 49
|
Posted: Wed Jan 12, 2005 7:54 pm Post subject: |
|
|
I copied the init script directly from your post, edited /etc/conf.d/cryptoswap and then ran "/etc/init.d/cryptoswap start". This failed with the following output: "* ERROR: "/etc/init.d/cryptoswap" has syntax errors in it; not executing..." Unfortunately it did not specify the line in which these syntax errors exist.
I have not modified the file in any way since copying it from the post so I am assuming that other people will have had the same problem. |
|
Back to top |
|
|
tuxophil Tux's lil' helper
Joined: 29 Jun 2003 Posts: 80 Location: Diddeleng, Lëtzebuerg
|
Posted: Wed Jan 12, 2005 8:42 pm Post subject: |
|
|
gaboonal wrote: | I copied the init script directly from your post, edited /etc/conf.d/cryptoswap and then ran "/etc/init.d/cryptoswap start". This failed with the following output: "* ERROR: "/etc/init.d/cryptoswap" has syntax errors in it; not executing..." Unfortunately it did not specify the line in which these syntax errors exist.
I have not modified the file in any way since copying it from the post so I am assuming that other people will have had the same problem. |
This seems to be a phpbb bug
The problem is that when copying a text file to the forums, phpbb generates crappy code that introduces superfluous spaces. This breaks line continuation. Let's have a look at an example:
Code: | KEY=`dd if=/dev/urandom count=8 bs=1 2> /dev/null \
| md5sum - | head -c $HEXDIGITS` |
Here, there is a newline immediately after the backslash in my code. However the HTML code generated by phpbb looks like this (I removed some ):
Code: | KEY=`dd if=/dev/urandom count=8 bs=1 2> /dev/null \
<br />
| md5sum - | head -c $HEXDIGITS`
<br /> |
The newline between the backslash and the <br /> tag is considered as a space by your browser. This additional space breaks the script.
To cut a long story short: there should be no trailing whitespaces!
To correct this, just filter your file through perl:
Code: | perl -p -i -e 's/ $//' /etc/init.d/cryptoswap |
|
|
Back to top |
|
|
gaboonal n00b
Joined: 05 Mar 2004 Posts: 49
|
Posted: Wed Jan 12, 2005 9:29 pm Post subject: |
|
|
Thanks, it's working now. |
|
Back to top |
|
|
lysergicacid Guru
Joined: 25 Nov 2003 Posts: 352 Location: The Universe,Virgo Super Cluster,Milky Way,Earth
|
Posted: Sun Jan 23, 2005 5:07 am Post subject: |
|
|
anyone know how to get this to work with a file as swap plz ? Code: | -(root@lysergicacid:0)-(39 files:2.4M@~)-(0 jobs)-(05:11)-
-(~:#)-> /etc/init.d/cryptoswap start
* Setting up encrypted swap
* Setting up /mnt/swap/swap.img as /dev/mapper/cryptoswap0 ...
* WARNING: /mnt/swap/swap.img is not a swap partition. Skipping. [ !! ]
* ERROR: No encrypted swap devices were created!
* Please edit /etc/conf.d/cryptoswap.
| plz ? tried several variations of this kinda script / setup and neither work _________________ [img]http://valid.canardpc.com/cache/banner/2040927.png[/img]
Desktop:
[img]http://valid.canardpc.com/cache/banner/2703952.png[/img] |
|
Back to top |
|
|
ghettodev n00b
Joined: 23 Jan 2005 Posts: 11
|
Posted: Sun Jan 23, 2005 8:30 am Post subject: |
|
|
Nice job.
One question though, how can I verify that the swap is actually being encrypted? I've run the 'strings' command you posted above on common words and havent come up with anything but is there a more stringent test? |
|
Back to top |
|
|
tuxophil Tux's lil' helper
Joined: 29 Jun 2003 Posts: 80 Location: Diddeleng, Lëtzebuerg
|
Posted: Sun Jan 23, 2005 10:05 am Post subject: don't use encrypted swap files. |
|
|
lysergicacid wrote: | anyone know how to get this to work with a file as swap plz ? |
Due to technical reasons it's extremely difficult to have an encrypted swap file. Currently there's no safe way to do it. I won't go into details; I'll just refer you to this very interesting discussion on the dm-crypt mailing list.
To make it short: encrypted swap files will freeze your system. |
|
Back to top |
|
|
tuxophil Tux's lil' helper
Joined: 29 Jun 2003 Posts: 80 Location: Diddeleng, Lëtzebuerg
|
Posted: Sun Jan 23, 2005 10:27 am Post subject: |
|
|
ghettodev wrote: | One question though, how can I verify that the swap is actually being encrypted? I've run the 'strings' command you posted above on common words and havent come up with anything but is there a more stringent test? |
Well, first check the output of to see if only /dev/mapper/cryptoswap* devices are used. Then you can use (or dmsetup table devname) to show the details of the mapping(s). There you'll see that the crypt target is used, and with which cipher. (The encryption key is also shown.) |
|
Back to top |
|
|
ghettodev n00b
Joined: 23 Jan 2005 Posts: 11
|
Posted: Sun Jan 23, 2005 12:29 pm Post subject: |
|
|
Looks like it did the trick, watching Code: | strings < /dev/swapdevice | for a few mintues convinced me as well |
|
Back to top |
|
|
lysergicacid Guru
Joined: 25 Nov 2003 Posts: 352 Location: The Universe,Virgo Super Cluster,Milky Way,Earth
|
|
Back to top |
|
|
Pjotrek n00b
Joined: 13 Jul 2006 Posts: 8 Location: Far out in the wild forests of Sweden
|
Posted: Tue Feb 06, 2007 10:04 pm Post subject: Problem with raid and lvm! |
|
|
Hi!
Thanks for your nice script, it is a beauty. However, when using swap on raid or lvm(2), there is a problem.
The routine isswap fails in these cases - Code: | fdisk -l | grep "^$1 " | gives something like:
Code: | Disk /dev/md1 doesn't contain a valid partition table
Warning: ignoring extra data in partition table 5
Warning: ignoring extra data in partition table 5
Warning: ignoring extra data in partition table 5
Warning: invalid flag 0x39b3 of partition table 5 will be corrected by w(rite)
Disk /dev/md2 doesn't contain a valid partition table
Disk /dev/sdc doesn't contain a valid partition table
|
I worked around that for now by disabling the check, but, of course, that is dangerous to say the least.
Any ideas how to modify the test?
/PjK |
|
Back to top |
|
|
tuxophil Tux's lil' helper
Joined: 29 Jun 2003 Posts: 80 Location: Diddeleng, Lëtzebuerg
|
Posted: Tue Feb 06, 2007 10:30 pm Post subject: Re: Problem with raid and lvm! |
|
|
Pjotrek wrote: | Thanks for your nice script, it is a beauty. | Thanks
Pjotrek wrote: | I worked around that for now by disabling the check, but, of course, that is dangerous to say the least.
Any ideas how to modify the test?
/PjK |
I'm not sure it's even possible to work around this issue. As far as I know, the partition type (as given by fdisk) has only informative character and is of no practical significance. As such I don't think there's an equivalent for LVM volumes. After all, in both cases the only thing that counts are the block devices themselves and the filesystem which is used.
Of course, since this external information is available in the case of normal devices it's a good idea to include a little sanity check, but you probably won't have any problems without it. Just be careful when you're changing your logical volumes/filesystems/swap devices... |
|
Back to top |
|
|
jagomai n00b
Joined: 05 Jan 2008 Posts: 38
|
Posted: Wed Jan 16, 2008 1:39 pm Post subject: |
|
|
Hello, the script looks very good!
After setup, however, I get this when I start the script:
Code: |
* Setting up encrypted swap
* Setting up /dev/hda2 as /dev/mapper/cryptoswap0 ...
Disk /dev/dm-0 doesn't contain a valid partition table
Disk /dev/dm-1 doesn't contain a valid partition table
Disk /dev/dm-2 doesn't contain a valid partition table [ ok ]
|
But when I do "swapon -s", I get
Code: |
# swapon -s
Filename Type Size Used Priority
/dev/mapper/cryptoswap0 partition 2008116 0 -2
|
And "dmsetup table | grep swap" gives me:
Code: |
# dmsetup table | grep swap
crypt-swap: 0 4016250 crypt twofish-cbc-plain 0000000000000000000000000000000000000000000000000000000000000000 0 3:2 0
cryptoswap0: 0 4016250 crypt twofish-cbc-plain 0000000000000000000000000000000000000000000000000000000000000000 0 3:2 0
|
Is all of this normal? And are all those zeroes normal? I want to make sure the thing is actually well encrypted.
Thanks for any help. |
|
Back to top |
|
|
woZa Guru
Joined: 18 Nov 2003 Posts: 340 Location: The Steel City - UK
|
Posted: Mon Mar 31, 2008 3:35 pm Post subject: |
|
|
This seems to be broken for me...
Code: | /etc/init.d/cryptoswap start |
Code: | * Caching service dependencies ... [ ok ]
* Setting up encrypted swap
* Setting up /dev/sda3 as /dev/mapper/cryptoswap0 ...
Disk /dev/dm-0 doesn't contain a valid partition table
Disk /dev/dm-1 doesn't contain a valid partition table
Disk /dev/dm-2 doesn't contain a valid partition table
Disk /dev/dm-3 doesn't contain a valid partition table
Disk /dev/dm-4 doesn't contain a valid partition table
Disk /dev/dm-5 doesn't contain a valid partition table
Disk /dev/dm-6 doesn't contain a valid partition table
Disk /dev/dm-7 doesn't contain a valid partition table
* WARNING: /dev/sda3 is not a swap partition. Skipping. [ !! ]
* ERROR: No encrypted swap devices were created!
* Please edit /etc/conf.d/cryptoswap.
* DO NOT USE EXIT IN INIT.D SCRIPTS
* This IS a bug, please fix your broken init.d |
Have followed all the info in the init.d file...
Cheers
Alex _________________ A few months struggling with gentoo is better than a lifetime struggling with windoze! |
|
Back to top |
|
|
woZa Guru
Joined: 18 Nov 2003 Posts: 340 Location: The Steel City - UK
|
|
Back to top |
|
|
xces Guru
Joined: 11 Oct 2002 Posts: 515
|
Posted: Sat Apr 12, 2008 9:00 am Post subject: |
|
|
woZa wrote: | This seems to be broken for me... |
Uhm, just take a look at /etc/conf.d/cryptfs. Encrypted swap is supported out-of-the-box with sys-fs/cryptsetup-luks. |
|
Back to top |
|
|
|