Gentoo Forums
Encrypt your swap devices, the safe and easy way

Sachankara
l33t

Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden

Posted: Fri Jan 14, 2005 10:36 am    Post subject: Encrypt your swap devices, the safe and easy way

"Howdy" folks, ;)

To make a long story short: I've been reading lots of posts on this forum on how to enhance the security on Linux using encrypted swap devices, but found no guide or script that was easy yet "complex" enough for me. They all required you to either know in advance which partitions to encrypt (something that might change between reboots, thus f*cking up your newly connected device's partitions) or required using old obscure loop devices. Thus I started to write my own script which encrypts all available mounted swap devices at boot using "Device Mapper". The script is also able to modprobe the necessary cipher modules, in case they aren't available when running the service.

Why encrypted swap devices?

Every time you log onto your computer the password is sent to PAM (Pluggable Authentication Module), which in turn encodes the password using a special algorithm. The encoded password is then compared to other pre-encoded passwords in a hidden database, and if it's a match - grants you the access to your user. And here lies the problem: PAM stores the password in plain text in the memory. Although the password is quite (very) safe within the memory, it can turn into a huge security problem if the memory residing the password(s) is cached to the swap device. An unauthorized user can then scan the swap devices for available passwords and, in worst case, gain full access to your system. This is something we don't want (don't we? ;)).

The solution is not so difficult as one might believe. Simply encrypt the swap devices using random pass-phrases that the root user(s) doesn't even have access to. Each swap device gets its own random pass-phrase every time it's mounted/enabled, so the pass-phrase is never the same (well, it could happen, but the likelihood/risk is extremely small). This ensures that most people won't be able to read the data on the swap devices. (It is however not possible to protect your swap devices in case someone has the ability to directly read your kernel memory [correct me if I'm wrong], and if someone does, no non-military hardware in the world is going to protect your data. We're talking about encryption down to CPU process levels here)

What do I need to enable swap encryption?

Well, you need a Linux kernel with LVM/Device Mapper and cryptographic support. You'll also need two applications (device-mapper and cryptsetup). Besides that you need to have compiled your own kernel before and also have one or more working swap devices set up in /etc/fstab ...

This guide is first and foremost written for Gentoo Linux using a 2.6 kernel. But it should work on other distributions too, with some modifications to the script setup. It should also work with some newer versions of Linux 2.4, but I haven't tried it personally.

---

Step 1:

Compile the Linux kernel with support for LVM/Device Mapper and cryptographic support.

Code:

$ su -
(Type your root password)
$ cd /usr/src/linux
(Make sure that /usr/src/linux points to your kernel source directory)
$ make menuconfig


Kernel configuration:

Code:

Device Drivers ---> Multi-device support (RAID and LVM) --->

[*] Multiple devices driver support (RAID and LVM)
<M>   Device mapper support
<M>     Crypt target support

Cryptographic options --->

<M>   AES cipher algorithms


Code:

$ mount /boot
(If you have /boot on a separate partition)
$ make && make modules_install install && modules-update
$ echo "dm-mod" >> /etc/modules.autoload.d/kernel-2.6
$ exit


Step 2:

Install the necessary applications.

Code:

$ sudo emerge device-mapper cryptsetup-luks


Step 3:

Install the service script.

Code:

$ su -
$ cd /usr/src/
$ wget http://joshua.haninge.kth.se/~sachankara/GPLv2/swap-encryption-r19.tgz
$ wget http://joshua.haninge.kth.se/~sachankara/GPLv2/swap-encryption-r19.tgz.md5
$ md5sum -c swap-encryption-r19.tgz.md5
$ tar xvfz swap-encryption-r19.tgz
$ cd swap-encryption-r19
$ make install
$ rc-update add swap-encryption default
$ exit


Step 4:

Reboot the computer for Device Mapper (the kernel part) to work.

Code:

$ sudo /sbin/shutdown -r now


---

That's all folks... :P From now on, your swap devices will be automatically encrypted if they are valid swap devices mounted/enabled from /etc/fstab or by hand.

---

This document is under the "Creative Commons - Attribution / Share Alike" license. ( http://creativecommons.org/licenses/by-sa/2.0/ )

---

By the way, here's the script code for 1.1.10. In case you don't want to download it, just to read it. (Remember, it might not always be up-to-date. Look for the link in the guide to get the latest version. It was version 1.2.1 by the time this post was last edited.)

Code:

#!/sbin/runscript

# Copyright 2005, Fredrik Blom - hdp03bfr"at"syd.kth.se
# Distributed under the terms of the GNU General Public License v2

# Ver 1.1.10 2005-01-14

# This script searches for all active swap devices and encrypts them
# via "Device Mapper". Why would anyone want that? Because systems like
# PAM (Pluggable Authentication Module) stores passwords in plain text
# within the computer RAM, and if the memory is filled up, some parts
# might get moved to the swap (devices/partitions) where it can easily
# be retrieved. By encrypting the swap, you'll add an extra layer of
# security to your Linux system.



# Known problems:
#  - Can't reinitialize an encrypted device if it wasn't properly
#    shut down. To do so, please "redo" the swap device with mkswap
#    and swapon and then start the service.



# The cipher algorithm you want to use for the swap encryption
# Default: aes
# (AES is a very strong, military grade cipher algorithm, with
# only ~2-3% processing overhead.
# See: http://csrc.nist.gov/CryptoToolkit/aes/ )
CIPHER=aes

# If you're extra paranoid, enable this to fill the swap devices
# with random garbage when stopping the service. Warning: It
# may take quite a long time to stop the service with this
# option enabled depending on the size and speed of the swap
# devices. It should go faster on VIA Epia processors and similar
# with hardware accelerated encryption, through quantum mechanics,
# thermal noise, radiation, etc.
#
# Warning: Enabling this while using grsecurity with "Larger
#          entropy pools", will consume huge amounts of memory.
#          So make sure that you have more than 512 MB of memory
#          before using this.
#          If you don't know what grsecurity is, you don't have it.
#
# Default: 0
PARANOIA_MODE=0



# Don't change these three variables
DM_MAPPER=/dev/mapper/
DM_NAME=swap
MAX_KEYSIZE=1024

depend() {
   need urandom
   after urandom modules
}

encrypt_device() {
   # Synopsis: <device-string> <device-mapper-string> <key-string>
   # Description: 1. Disables the active swap device.
   #              2. Creates a new encrypted device
   #              3. Converts the encrypted device to swap storage
   #              4. Enables the newly encrypted swap device
   #
   # TODO/FIXME: Should we initialize the newly encrypted swap device
   #             using the same priority as the original non-
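   #             encrypted device? All drives get the same priority
   #             at the moment (bad idea?)

   # Device paths and names are quoted so that unusual paths are
   # passed to each command as a single argument.
   swapoff "$1"
   echo "$3" | cryptsetup -c "$CIPHER" create "${2#$DM_MAPPER}" "$1"
   mkswap "$2" > /dev/null
   swapon -p 0 "$2"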

   eend $?
}

restore_device() {
   # Synopsis: <device-mapper-string>
   # Description: 1. Disables the active DM swap device
   #              2. Removes the DM device
   #              3. If PARANOIA_MODE is enabled, fills the
   #                 original device with garbage data
   #              4. Convert the original device to swap storage
   #              5. Re-enables the old non-encrypted swap device
   #
   # TODO/FIXME: Should we restore the swap devices with the same
   #             priority as they had when they were encrypted?
   #             All devices get the same priority at the moment,
   #             which might not be the best solution. Please
   #             enlighten me, for I don't really know.

   dev="/dev/${1#$DM_MAPPER$DM_NAME}"

   einfo "  Restoring $1 as $dev"

   swapoff "$1"
   dmsetup remove "$1"

   if [ "$PARANOIA_MODE" -eq 1 ]
   then
      einfo "    Paranoia mode on $dev"
      dd if=/dev/urandom of="$dev" bs=1M 2>/dev/null
      einfo "    Garbage data written"
   fi

   mkswap "$dev" > /dev/null
   swapon -p 0 "$dev"

   eend $?
}

find_cipher() {
   # Description: Searches for the requested cipher. Try to
   #              modprobe it if it's not found.
   #
   # TODO/FIXME: There must be some way to make this code
   #             look better while being faster. Bash is
   #             very flexible, but I'm still learning things.

   if [ -z "`grep "$CIPHER" /proc/crypto | \
   while read ciphers
   do
      echo "$ciphers"
   done`" ]
   then
      ewarn "  Cipher \"$CIPHER\" not found. Trying to modprobe"
      modprobe "$CIPHER" 2>/dev/null
   fi

   eend $?
}

get_keysize() {
   # Synopsis: <empty-string>
   # Description: Scans /proc/crypto for the maximum requested
   #              cipher key size
   #
   # TODO/FIXME: Speed up the scan by using more efficient code

   # Take the "max keysize" of the entry whose name is exactly $CIPHER
   # and stop there, so that a single number is returned even when
   # several ciphers are listed in /proc/crypto.
   eval "$1=\"`awk -v c="$CIPHER" '
      $1 == "name" { found = ($3 == c); next }
      found && $1 == "max" && $2 == "keysize" { print $4; exit }
   ' /proc/crypto`\""

   eend $?
}

generate_key() {
   # Synopsis: <empty-string>
   # Description: Pipe data from the *nix urandom device to
   #              base64. By doing so, creating a keystring
   #              used for device encryption.
   #
   # Notice: Maximum keysize = 1024 bytes

   einfo "    Generating key"

   eval "$1=\"`head -c 747 /dev/urandom | base64 | tail -c $keysize`\""

   eend $?
}

activate() {
   # Synopsis: <device-string>
   # Description: 1. Generate a keystring for the particular
   #                 swap device that we wish to encrypt
   #              2. Encrypt the device using the keystring
   #                 and requested cipher

   einfo "  Found swap device $1"

   key=""
   generate_key key

   # The key is not printed: showing it on the console would expose it.

   einfo "    Encrypting device as $DM_MAPPER$DM_NAME${1#/dev/}"

   encrypt_device "$1" "$DM_MAPPER$DM_NAME${1#/dev/}" "$key"

   eend $?
}

start() {
   # Description: 1. Search /proc/crypto and see if the requested
   #                 cipher is available.
   #              2. Retrieve the maximum keysize used for the
   #                 device encryption.
   #              3. Scan the system for active swap devices and
   #                 encrypt them.
   #
   # TODO/FIXME: Place the if-test within the function get_keysize?

   ebegin "Enabling swap encryption"

   find_cipher
   keysize=""
   get_keysize keysize

   if [ "$keysize" -gt "$MAX_KEYSIZE" ]
   then
      ewarn "  Requested keysize is too large, correcting..."
      keysize=$MAX_KEYSIZE
   fi

   grep '/' /proc/swaps | \
   while read devices
   do

      if echo $devices | grep -qv "$DM_MAPPER"
      then
         activate $devices
      fi
   done

   eend $?
}

stop() {
   # Description: Scan system for active encrypted DM swap
   #              devices and disable them, while restoring
   #              the old ones.

   ebegin "Restoring encrypted swap devices"

   grep "$DM_MAPPER$DM_NAME" /proc/swaps | \
   while read devices
   do
      restore_device $devices
   done

   eend $?
}

restart() {
        # Description: Restart the service

        ebegin "Restarting swap encryption"
        svc_stop
        svc_start

        eend $?
}



# Changelog:

# 1.1.10 2005-01-14
# - Changed so generate_key can output a maximum of 1024
#   bytes instead of the previous 32 bytes. The old method
#   used md5sum while the new one uses base64. 1024 bytes
#   should be sufficient for most ciphers.
#   I'd like to thank "MaDsKiLLz" on the Gentoo Forums
#   for the help with generating larger keys.

# 1.1.9 2005-01-14
# - Small changes to the if-test that makes sure that the
#   key length isn't too long.
# - Fixed some of the function comments

# 1.1.8 2005-01-14
# - get_keysize doesn't search for the minimum pass-phrase
#   length anymore, instead it looks for the maximum length.
#   Although it still can't handle pass-phrases longer than
#   32 bytes.

# 1.1.7 2005-01-14
# - Added some todo/fix comments.

# 1.1.6 2005-01-13
# - Script doesn't re-read /proc/crypto anymore (to search
#   for the minimum keysize each time a new pass-phrase is
#   generated).

# Earlier versions:
# No changelog available

_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak)


Last edited by Sachankara on Sun Jul 09, 2006 3:51 pm; edited 29 times in total

rkrenzis
Tux's lil' helper

Joined: 22 Jul 2004
Posts: 135
Location: USA

Posted: Fri Jan 14, 2005 12:05 pm    Post subject: aes-i586 add to your autoload config...

Don't forget to add the "aes-i586" module to your autoload config.

File: /etc/modules.autoload.d/kernel-2.6

Otherwise the script will fall flat on its face. Possibly an enhancement request to the script writer to modprobe for aes-i586.

Otherwise the directions work great!

angelacb
n00b

Joined: 31 Oct 2003
Posts: 50

Posted: Fri Jan 14, 2005 12:29 pm

Neat script. I used to just put a few commands in local.start and local.stop.

Nice howto by the way.

Best Regards,
_________________
Love Linux, Love Life

BlackEdder
Advocate

Joined: 26 Apr 2004
Posts: 2586
Location: Dutch enclave in Egham, UK

Posted: Fri Jan 14, 2005 2:01 pm

One note: for the 2.6 kernel you don't need all this:
Code:
make && make install && make modules && make modules_install && modules-update

Code:
make && make modules_install && make install
is enough

Sachankara
l33t

Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden

Posted: Fri Jan 14, 2005 3:45 pm    Post subject: Re: aes-i586 add to your autoload config...

rkrenzis wrote:
Don't forget to add the "aes-i586" module to your autoload config.

File: /etc/modules.autoload.d/kernel-2.6

Otherwise the script will fall flat on its face. Possibly an enhancement request to the script writer to modprobe for aes-i586.

Otherwise the directions work great!
Hmm... :? In which version of Linux is the aes module called aes-i586? I have two computers running Linux 2.6.7 with the Gentoo Hardened patches, and the module is simply called "aes" on them. Would it be possible for you to post your output from /proc/crypto ?
angelacb wrote:
Neat script. I used to just put a few commands in local.start and local.stop.

Nice howto by the way.

Best Regards,
Thanks... :)

If you have any suggestions that might improve the script, please let me know.
BlackEdder wrote:
One note: for the 2.6 kernel you don't need all this:
Code:
make && make install && make modules && make modules_install && modules-update

Code:
make && make modules_install && make install
is enough
I know, I was just a bit too "paranoid". I think I'll change it the way you suggested. :) Although, I don't think there's any harm keeping "modules-update".
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak)

MaDsKiLLz
n00b

Joined: 14 Jan 2005
Posts: 3

Posted: Fri Jan 14, 2005 4:01 pm

if you want to use longer passwords you could use base64.



Code:

head -c 747 /dev/urandom | base64



this is how many bytes it'll print out
Code:

powerspec root # head -c 747 /dev/urandom | base64 | wc -c
1024
powerspec root


so that'll print out 1024 usable bytes

=)

Sachankara
l33t

Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden

Posted: Fri Jan 14, 2005 4:45 pm

MaDsKiLLz wrote:
if you want to use longer passwords you could use base64.



Code:

head -c 747 /dev/urandom | base64



this is how many bytes it'll print out
Code:

powerspec root # head -c 747 /dev/urandom | base64 | wc -c
1024
powerspec root


so that'll print out 1024 usable bytes

=)
Thank you for the advice... I added it to the script... :)
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak)

tuxophil
Tux's lil' helper

Joined: 29 Jun 2003
Posts: 80
Location: Diddeleng, Lëtzebuerg

Posted: Mon Jan 17, 2005 7:29 pm

MaDsKiLLz wrote:
if you want to use longer passwords you could use base64.
Code:

head -c 747 /dev/urandom | base64



Hmm, here's an easier method that doesn't require base64 (I don't even have that executable on my full blown desktop system!?): Just filter out unwanted characters with tr.
Try these:
Code:
tr -cd 0-9a-f < /dev/urandom | head -c 100
tr -cd '[:graph:]' < /dev/urandom | head -c 100


Cheers

Sachankara
l33t

Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden

Posted: Tue Jan 18, 2005 9:20 am

gschintgen wrote:
MaDsKiLLz wrote:
if you want to use longer passwords you could use base64.
Code:

head -c 747 /dev/urandom | base64



Hmm, here's an easier method that doesn't require base64 (I don't even have that executable on my full blown desktop system!?): Just filter out unwanted characters with tr.
Try these:
Code:
tr -cd 0-9a-f < /dev/urandom | head -c 100
tr -cd '[:graph:]' < /dev/urandom | head -c 100


Cheers
Oh, very nice... :) I modified the script once more to use one of your methods which doesn't require base64...
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak)

pulverizer
n00b

Joined: 01 Sep 2003
Posts: 20

Posted: Fri Jan 21, 2005 1:36 pm

Nice script. However I get this error at boot:
Code:
Enabling swap encryption...
Found swap device /dev/ide/host0/bus0/target0/lun0/part2
  Generating key
/sbin/rc: eval: line 1: syntax error near unexpected token `&'
/sbin/rc: eval: line 1: `key=""!g}B+s>EK|&NB|(5LO/-TLxk!cZRB"3"'

*    Encrypting device as /dev/mapper/swapide/host0/bus0/target0/lun0/part2
Command failed: Invalid argument
/dev/mapper/swapide/host0/bus0/target0/lun0/part2: No such file or directory
swapon: cannot stat /dev/mapper/swapide/host0/bus0/target0/lun0/part2: No such file or directory

Any ideas? Thanks.

lysergicacid
Guru

Joined: 25 Nov 2003
Posts: 352
Location: The Universe,Virgo Super Cluster,Milky Way,Earth

Posted: Sat Jan 22, 2005 3:10 am    Post subject: same prob here too

got almost the same prob
Code:
-(~:#)-> /etc/init.d/swap-encryption start
 * Enabling swap encryption ...                                                                                             [ ok ]
 *   Found swap device /mnt/swap/swap.img
 *     Generating key                                                                                                       [ ok ]
 * fpKHobOKT29q+KngAarY7NJdBCQ8MG
 *     Encrypting device as /dev/mapper/swap/mnt/swap/swap.img
Command failed: Invalid argument
/dev/mapper/swap/mnt/swap/swap.img: No such file or directory
swapon: cannot stat /dev/mapper/swap/mnt/swap/swap.img: No such file or directory                                           [ !! ]
&
/etc/init.d/swap-encryption: line 218: [: 32
56: integer expression expected
 *   Found swap device /mnt/swap/swap.img
 *     Generating key
tail: cannot open `56' for reading: No such file or directory                                       [ ok ]
 *
 *     Encrypting device as /dev/mapper/swap/mnt/swap/swap.img
Command failed: Invalid argument
/dev/mapper/swap/mnt/swap/swap.img: No such file or directory
swapon: cannot stat /dev/mapper/swap/mnt/swap/swap.img: No such file or directory                   [ !! ]
any ideas why plz someone I have the apps installed and modules loaded
Code:
 Module                  Size  Used by
aes_i586               39412  0
dm_mod                 64000  0
w83627hf               30432  0
blowfish                8512  0

Calculating dependencies ...done!
[ebuild   R   ] sys-libs/device-mapper-1.00.19-r1  0 kB
[ebuild   R   ] sys-fs/cryptsetup-0.1  0 kB


udev fs prob maybe ? permission or something ?

Sachankara
l33t

Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden

Posted: Wed Jan 26, 2005 9:22 pm    Post subject: Re: same prob here too

pulverizer wrote:
Nice script. However I get this error at boot:
Code:
Enabling swap encryption...
Found swap device /dev/ide/host0/bus0/target0/lun0/part2
  Generating key
/sbin/rc: eval: line 1: syntax error near unexpected token `&'
/sbin/rc: eval: line 1: `key=""!g}B+s>EK|&NB|(5LO/-TLxk!cZRB"3"'

*    Encrypting device as /dev/mapper/swapide/host0/bus0/target0/lun0/part2
Command failed: Invalid argument
/dev/mapper/swapide/host0/bus0/target0/lun0/part2: No such file or directory
swapon: cannot stat /dev/mapper/swapide/host0/bus0/target0/lun0/part2: No such file or directory

Any ideas? Thanks.

lysergicacid wrote:
got almost the same prob
Code:
-(~:#)-> /etc/init.d/swap-encryption start
 * Enabling swap encryption ...                                                                                             [ ok ]
 *   Found swap device /mnt/swap/swap.img
 *     Generating key                                                                                                       [ ok ]
 * fpKHobOKT29q+KngAarY7NJdBCQ8MG
 *     Encrypting device as /dev/mapper/swap/mnt/swap/swap.img
Command failed: Invalid argument
/dev/mapper/swap/mnt/swap/swap.img: No such file or directory
swapon: cannot stat /dev/mapper/swap/mnt/swap/swap.img: No such file or directory                                           [ !! ]
&
/etc/init.d/swap-encryption: line 218: [: 32
56: integer expression expected
 *   Found swap device /mnt/swap/swap.img
 *     Generating key
tail: cannot open `56' for reading: No such file or directory                                       [ ok ]
 *
 *     Encrypting device as /dev/mapper/swap/mnt/swap/swap.img
Command failed: Invalid argument
/dev/mapper/swap/mnt/swap/swap.img: No such file or directory
swapon: cannot stat /dev/mapper/swap/mnt/swap/swap.img: No such file or directory                   [ !! ]
any ideas why plz someone I have the apps installed and modules loaded
Code:
 Module                  Size  Used by
aes_i586               39412  0
dm_mod                 64000  0
w83627hf               30432  0
blowfish                8512  0

Calculating dependencies ...done!
[ebuild   R   ] sys-libs/device-mapper-1.00.19-r1  0 kB
[ebuild   R   ] sys-fs/cryptsetup-0.1  0 kB


udev fs prob maybe ? permission or something ?
The script creates keys which might contain characters like `, ' and " and thus it won't always work... I'll fix it in a sec... :)
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak)

Sachankara
l33t

Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden

Posted: Wed Jan 26, 2005 9:29 pm

The new version with the key generation fix is available now... :)

http://joshua.haninge.kth.se/~sachankara/swap-encryption-1.1.13.tar.bz2
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak)

Sachankara
l33t

Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden

Posted: Wed Jan 26, 2005 9:34 pm

Guess I was blind... Now I see your other problems, which I'll have to fix as soon as I can. (I sort of assumed everyone mapped their swap devices under /dev/<device>, which wasn't very bright. Perhaps I should just bump the script down to version 0.1... :P)
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak)
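
Added example, not part of any post in this thread and not the swap-encryption script's own code: the three failures reported above (a key with shell metacharacters passed through eval, a mapping name built from a device path containing slashes, and a key size that came back as two lines) handled in plain sh. The function names, the `swap-` prefix and the sample data are assumptions made for the illustration; `encrypt_swap` uses the `cryptsetup -c ... create` call from the posted script, needs root, and is defined but not run.

```shell
#!/bin/sh
# Added illustration; helper names and the "swap-" prefix are assumptions.

CIPHER=aes

# Constructed /proc/crypto sample: aes followed by a second cipher.
SAMPLE_CRYPTO='name         : aes
module       : aes_i586
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32

name         : blowfish
module       : blowfish
type         : cipher
blocksize    : 8
min keysize  : 4
max keysize  : 56'

# Constructed /proc/swaps sample: one raw partition, one existing mapping.
SAMPLE_SWAPS='Filename                                Type       Size    Used  Priority
/dev/ide/host0/bus0/target0/lun0/part2  partition  524280  0     -1
/dev/mapper/swap-dev-hda3               partition  262136  0     -2'

# max_keysize CIPHER < /proc/crypto
# Prints the "max keysize" of the entry named exactly CIPHER and stops, so
# the result is one integer (or empty), never "32<newline>56".
max_keysize() {
    awk -v c="$1" '
        $1 == "name" { found = ($3 == c); next }
        found && $1 == "max" && $2 == "keysize" { print $4; exit }
    '
}

# gen_hex_key NBYTES
# Reads NBYTES from /dev/urandom and prints them as 2*NBYTES hex digits.
# The alphabet 0-9a-f holds no quotes, backticks, "&" or newlines, and the
# key travels on stdout, so no eval is involved.
gen_hex_key() {
    od -An -tx1 -N "$1" /dev/urandom | tr -d ' \n'
}

# dm_name DEVICE
# Device-mapper names cannot contain "/", so every character outside
# [A-Za-z0-9._-] in the device path is replaced with "-".
dm_name() {
    printf 'swap-%s\n' "$(printf '%s' "${1#/}" | LC_ALL=C tr -c 'A-Za-z0-9._-' '-')"
}

# plan_swaps < /proc/swaps
# Prints "device mapping-name" for every swap area that is not already
# under /dev/mapper/. The header line is skipped because it has no "/".
plan_swaps() {
    while read -r dev _type _size _used _prio; do
        case "$dev" in
            /dev/mapper/*) continue ;;
            /*) printf '%s %s\n' "$dev" "$(dm_name "$dev")" ;;
        esac
    done
}

# encrypt_swap DEVICE NAME KEYBYTES  (needs root; not called below)
# The key is piped straight into cryptsetup: it is never stored in a
# variable, printed, or placed on a command line.
encrypt_swap() {
    swapoff "$1" &&
    gen_hex_key "$3" | cryptsetup -c "$CIPHER" create "$2" "$1" &&
    mkswap "/dev/mapper/$2" > /dev/null &&
    swapon -p 0 "/dev/mapper/$2"
}

# Demo on the constructed samples; on a real system read /proc/crypto and
# /proc/swaps instead. Only the key length is shown, not the key.
keysize=$(printf '%s\n' "$SAMPLE_CRYPTO" | max_keysize "$CIPHER")
key=$(gen_hex_key "$keysize")
printf 'max keysize: %s bytes, generated %s hex digits\n' "$keysize" "${#key}"
printf '%s\n' "$SAMPLE_SWAPS" | plan_swaps
```
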

Hasw
n00b

Joined: 31 Dec 2004
Posts: 68
Location: Germany

Posted: Wed Jan 26, 2005 11:28 pm    Post subject: Re: aes-i586 add to your autoload config...

Sachankara wrote:
Hmm... :? In which version of Linux is the aes module called aes-i586? I have two computers running Linux 2.6.7 with the Gentoo Hardened patches, and the module is simply called "aes" on them. Would it be possible for you to post your output from /proc/crypto ?


IIRC aes-i586 is only available since 2.6.8.1. If you are using aes for disk encryption (not swap, unless you swap very much), you should use it, because it's a lot faster than the non-i586-optimized module.

Code:

server1 bin # cat /proc/crypto
name         : aes
module       : aes_i586
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32

Sachankara
l33t

Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden

Posted: Wed Jan 26, 2005 11:44 pm

Sachankara wrote:
Guess I was blind... Now I see your other problems, which I'll have to fix as soon as I can. (I sort of assumed everyone mapped their swap devices under /dev/<device>, which wasn't very bright. Perhaps I should just bump the script down to version 0.1... :P)
Quoting myself, ehh... :) Anyway, a new version is now available with the bugfix which makes the script able to encrypt all sorts of swap devices. The only devices it won't mount are under /dev/mapper...

http://joshua.haninge.kth.se/~sachankara/swap-encryption-1.1.14.tar.bz2
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak)

Sachankara
l33t

Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden

Posted: Wed Jan 26, 2005 11:46 pm    Post subject: Re: aes-i586 add to your autoload config...

Hasw wrote:
Sachankara wrote:
Hmm... :? In which version of Linux is the aes module called aes-i586? I have two computers running Linux 2.6.7 with the Gentoo Hardened patches, and the module is simply called "aes" on them. Would it be possible for you to post your output from /proc/crypto ?


IIRC aes-i586 is only available since 2.6.8.1. If you are using aes for disk encryption (not swap, unless you swap very much), you should use it, because it's a lot faster than the non-i586-optimized module.

Code:

server1 bin # cat /proc/crypto
name         : aes
module       : aes_i586
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32
Ah, I'll look into it. See if I can implement several ciphers into the script tomorrow...

Edit: Actually, modprobing "aes" on 2.6.10 runs "aes-i586" automatically...
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak)

lysergicacid
Guru

Joined: 25 Nov 2003
Posts: 352
Location: The Universe,Virgo Super Cluster,Milky Way,Earth

Posted: Thu Jan 27, 2005 5:00 pm    Post subject: not sure if this helps but here it is

ok having tried other script out too http://forums.gentoo.org/viewtopic.php?t=277223&highlight= i got this reply http://thread.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt/674

seems it's not good to encrypt a swap FILE yes devices but not file so guess this is why it wouldn't work for me

pulverizer
n00b

Joined: 01 Sep 2003
Posts: 20

Posted: Fri Jan 28, 2005 5:53 am

New version works great. :D Nice job!

Sachankara
l33t

Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden

Posted: Fri Jan 28, 2005 8:07 am

pulverizer wrote:
New version works great. :D Nice job!
Thanks... I'm sorry for any annoying problems the earlier scripts might have caused. Please let me know if there's any way I can improve the script... :)
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak)

lysergicacid
Guru

Joined: 25 Nov 2003
Posts: 352
Location: The Universe,Virgo Super Cluster,Milky Way,Earth

Posted: Sat Jan 29, 2005 12:35 am    Post subject: same here

deleted my swap file and set a partition and all works fine :) nice script :) thank you

Sachankara
l33t

Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden

Posted: Sat Jan 29, 2005 9:55 pm    Post subject: Re: same here

lysergicacid wrote:
deleted my swap file and set a partition and all works fine :) nice script :) thank you
Well, the script was faulty from the start anyway. It only worked with swap devices under /dev/<device>. It will be able to handle swap images from now on, but there's still the race condition problem within the kernel when using images and not partitions... Anyway, you already know that... :)

By the way, thanks... :)
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak)

fuoco
Guru

Joined: 23 May 2004
Posts: 386
Location: Israel

Posted: Mon Jan 31, 2005 10:54 am

looks nice though I haven't tried yet.

Any chance to get this integrated with the hardened project? As quite some here I'm using gentoo hardened too, and I think that hardened lacks a bit of security in this area, also /home encryption, which is the most vulnerable though most important component on most desktop/laptop systems.

So I think it would be nice to have this as official part of hardened. Easily adds another security layer. An ebuild to it would be nice too.

Coenobite
n00b

Joined: 30 Jan 2005
Posts: 28
Location: behind you

Posted: Mon Jan 31, 2005 5:37 pm

Fantastic script! I'm having a bit of trouble using it with the serpent cipher though...

I'm running Gentoo on a laptop with kernel 2.6.10 and version 1.1.14 of the swap-encryption script. I rebuilt the kernel adding serpent as a module, I changed the $CIPHER variable in the script to 'serpent' and added the serpent module to /etc/modules.autoload.d/kernel-2.6. Then I installed the script in /etc/init.d/ and added it to my default runlevel with rc-update. After rebooting I got this message during the boot sequence:

Code:
 * Enabling swap encryption...
 *   Found swap device /dev/hda3
 *     Generating key
head: cannot open '32' for reading: No such file or directory
 *     Encrypting device as dev-hda3


I then rebuilt the kernel with aes_i586 as a module, changed the script's $CIPHER variable back to the default 'aes' and added 'aes_i586' to /etc/modules.autoload.d/kernel-2.6. After rebooting it worked perfectly :) - though with aes and not serpent :P

I don't mind AES though, it's more than adequate for my purposes and I'm also planning on encrypting my root filesystem using dm-crypt with AES as the cipher. This would be safe right? Considering I'm already using dm-crypt to encrypt my swap partition.

Oh, and I rebuilt my kernel, statically adding CONFIG_CRYPTO_AES_586 and removing aes from /etc/modules.autoload.d/kernel-2.6

Thanks for a great script! :D
_________________
Get Firefox
Registered user #379997

Sachankara
l33t

Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden

Posted: Tue Feb 01, 2005 1:25 am

Coenobite wrote:
Fantastic script! I'm having a bit of trouble using it with the serpent cipher though...

I'm running Gentoo on a laptop with kernel 2.6.10 and version 1.1.14 of the swap-encryption script. I rebuilt the kernel adding serpent as a module, I changed the $CIPHER variable in the script to 'serpent' and added the serpent module to /etc/modules.autoload.d/kernel-2.6. Then I installed the script in /etc/init.d/ and added it to my default runlevel with rc-update. After rebooting I got this message during the boot sequence:

Code:
 * Enabling swap encryption...
 *   Found swap device /dev/hda3
 *     Generating key
head: cannot open '32' for reading: No such file or directory
 *     Encrypting device as dev-hda3


I then rebuilt the kernel with aes_i586 as a module, changed the script's $CIPHER variable back to the default 'aes' and added 'aes_i586' to /etc/modules.autoload.d/kernel-2.6. After rebooting it worked perfectly :) - though with aes and not serpent :P

I don't mind AES though, it's more than adequate for my purposes and I'm also planning on encrypting my root filesystem using dm-crypt with AES as the cipher. This would be safe right? Considering I'm already using dm-crypt to encrypt my swap partition.

Oh, and I rebuilt my kernel, statically adding CONFIG_CRYPTO_AES_586 and removing aes from /etc/modules.autoload.d/kernel-2.6

Thanks for a great script! :D
Thank you very much... :)

I was unable to reproduce the "bug" for now, but I'll try it on another computer tomorrow and fix the problem as soon as possible. :)
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak)