| View previous topic :: View next topic |
| Author |
Message |
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
|
 Posted: Fri Jan 14, 2005 10:36 am Post subject: Encrypt your swap devices, the safe and easy way |
 |
|
"Howdy" folks, 
To make a long story short: I've been reading lots of posts on this forum on how to enhance the security on Linux using encrypted swap devices, but found no guide or script that was easy yet "complex" enough for me. They all required you to either know in advance which partitions to encrypt (something that might change between reboots, thus f*cking up your newly connected device's partitions) or required using old obscure loop devices. Thus I started to write my own script which encrypts all available mounted swap devices at boot using "Device Mapper". The script is also able to modprobe the necessary cipher modules, in case they aren't available when running the service.
Why encrypted swap devices?
Everytime you log onto your computer the password is sent to PAM (Pluggable Authentication Module), which in turn encodes the password using a special algorithm. The encoded password is then compared to other pre-encoded passwords in a hidden database, and if it's a match - grants you the access to your user. And here lies the problem: PAM stores the password in plain text in the memory. Although the password is quite (very) safe within the memory, it can turn into a huge security problem if the memory residing the password(s) is cached to the swap device. An unauthorized user can then scan the swap devices for available passwords and, in worst case, gain full access to your system. This is something we don't want (don't we? ).
The solution is not so difficult as one might believe. Simply encrypt the swap devices using random pass-phrases that the root user(s) doesn't even have access to. Each swap device gets its own random pass-phrase every time it's mounted/enabled, so the pass-phrase is never the same (well, it could happend, but the likelyhood/risk is extremely small). This ensures that most people won't be able to read the data on the swap devices. (It is however not possible to protect your swap devices in case someone has the ability to directly read your kernel memory [correct me if I'm wrong], and if someone do, no non-military hardware in the world is going to protect your data. We're talking about encryption down to CPU process levels here)
What do I need to enable swap encryption?
Well, you need a Linux kernel with LVM/Device Mapper and cryptographic support. You'll also need two applications (device-mapper and cryptsetup). Besides that you need to have compiled your own kernel before and also have one or more working swap devices set up in /etc/fstab ...
This guide is first and foremost written for Gentoo Linux using a 2.6 kernel. But it should work on other distributions too, with some modifications to the script setup. It should also work with some newer versions of Linux 2.4, but I haven't tried it personally.
---
Step 1:
Compile the Linux kernel with support for LVM/Device Mapper and cryptographic suppport.
| Code: |
$ su -
(Type your root password)
$ cd /usr/src/linux
(Make sure that /usr/src/linux points to your kernel source directory)
$ make menuconfig
|
Kernel configuration:
| Code: |
Device Drivers ---> Multi-device support (RAID and LVM) --->
[*] Multiple devices driver support (RAID and LVM)
<M> Device mapper support
<M> Crypt target support
Cryptographic options --->
<M> AES cipher algorithms
|
| Code: |
$ mount /boot
(If you have /boot on a separate partition)
$ make && make modules_install install && modules-update
$ echo "dm-mod" >> /etc/modules.autoload.d/kernel-2.6
$ exit
|
Step 2:
Install the necessary applications.
| Code: |
$ sudo emerge device-mapper cryptsetup-luks
|
Step 3:
Install the service script.
| Code: |
$ su -
$ cd /usr/src/
$ wget http://joshua.haninge.kth.se/~sachankara/GPLv2/swap-encryption-r19.tgz
$ wget http://joshua.haninge.kth.se/~sachankara/GPLv2/swap-encryption-r19.tgz.md5
$ md5sum -c swap-encryption-r19.tgz.md5
$ tar xvfz swap-encryption-r19.tgz
$ cd swap-encryption-r19
$ make install
$ rc-update add swap-encryption default
$ exit
|
Step 4:
Reboot the computer for Device Mapper (the kernel part) to work.
| Code: |
$ sudo /sbin/shutdown -r now
|
---
That's all folks...  From now on, your swap devices will be automatically encrypted if they are valid swap devices mounted/enabled from /etc/fstab or by hand.
---
This document is under the "Creative Commons - Attribution / Share Alike" licens. ( http://creativecommons.org/licenses/by-sa/2.0/ )
---
By the way, here's the script code for 1.1.10. In case you don't want to download it, just to read it. (Remember, it might not always be up-to-date. Look for the link in the guide to get the latest version. It was version 1.2.1 by the time this post was last edited.)
| Code: |
#!/sbin/runscript
# Copyright 2005, Fredrik Blom - hdp03bfr"at"syd.kth.se
# Distributed under the terms of the GNU General Public License v2
# Ver 1.1.10 2005-01-14
# This script searches for all active swap devices and encrypts them
# via "Device Mapper". Why would anyone want that? Because systems like
# PAM (Pluggable Authentication Module) stores passwords in plain text
# within the computer RAM, and if the memory is filled up, some parts
# might get moved to the swap (devices/partitions) where it can easily
# be retrieved. By encrypting the swap, you'll add an extra layer of
# security to your Linux system.
# Known problems:
# - Can't reinitialize a encrypted device if it wasn't properly
# shut down. To do so, please "redo" the swap device with mkswap
# and swapon and then start the service.
# The cipher algorithm you want to use for the swap encryption
# Default: aes
# (AES is a very strong, military grade cipher algorithm, with
# only ~2-3% processing overhead.
# See: http://csrc.nist.gov/CryptoToolkit/aes/ )
CIPHER=aes
# If you're extra paranoid, enable this to fill the swap devices
# with random garbage when stopping the service. Warning: It
# may take quite a long time to stop the service with this
# option enabled depending on the size and speed of the swap
# devices. It should go faster on VIA Epia processors and similar
# with hardware accelerated encryption, through quantum mechanics,
# thermal noise, radiation, etc.
#
# Warning: Enabling this while using grsecurity with "Larger
# entropy pools", will consume huge amounts of memory.
# So make sure that you have more than 512 MB of memory
# before using this.
# If you don't know what grsecurity is, you don't have it.
#
# Default: 0
PARANOIA_MODE=0
# Don't change these three variables
DM_MAPPER=/dev/mapper/
DM_NAME=swap
MAX_KEYSIZE=1024
depend() {
need urandom
after urandom modules
}
encrypt_device() {
# Synopsis: <device-string> <device-mapper-string> <key-string>
# Description: 1. Disables the active swap device.
# 2. Creates a new encrypted device
# 3. Converts the encrypted device to swap storage
# 4. Enables the newly encrypted swap device
#
# TODO/FIXME: Should we initialize the newly encrypted swap device
# using the same priority as the original non-
# encrypted device? All drives gets the same priority
# at the moment (bad idea?)
swapoff $1
echo "$3" | cryptsetup -c $CIPHER create "${2#$DM_MAPPER}" "$1"
mkswap $2 > /dev/null
swapon -p 0 $2
eend $?
}
restore_device() {
# Synopsis: <device-mapper-string>
# Description: 1. Disables the active DM swap device
# 2. Removes the DM device
# 3. If PARANOIA_MODE is enabled, fills the
# original device with garbage data
# 4. Convert the original device to swap storage
# 5. Re-enables the old non-encrypted swap device
#
# TODO/FIXME: Should we restore the swap devices with the same
# priority as they had when they were encrypted?
# All devices get the same priority at the moment,
# which might not be the best solution. Please
# enlighten me, for I don't really know.
dev="/dev/${1#$DM_MAPPER$DM_NAME}"
einfo " Restoring $1 as $dev"
swapoff $1
dmsetup remove $1
if [ $PARANOIA_MODE -eq 1 ]
then
einfo " Paranoia mode on $dev"
dd if=/dev/urandom of=$dev bs=1M 2>/dev/null
einfo " Garbage data written"
fi
mkswap $dev > /dev/null
swapon -p 0 $dev
eend $?
}
find_cipher() {
# Description: Searches for the requested cipher. Try to
# modprobe it if it's not found.
#
# TODO/FIXME: There must be some way to make this code
# look better while being faster. Bash is
# very flexible, but I'm still learning things.
if [ -z "`grep "$CIPHER" /proc/crypto | \
while read ciphers
do
echo "$ciphers"
done`" ]
then
ewarn " Cipher \"$CIPHER\" not found. Trying to modprobe"
modprobe "$CIPHER" 2>/dev/null
fi
eend $?
}
get_keysize() {
# Synopsis: <empty-string>
# Description: Scans /proc/crypto for the maximum requested
# cipher key size
#
# TODO/FIXME: Speed up the scan by using more efficient code
found=0
eval "$1=\"`cat /proc/crypto | \
while read ciphers
do
if echo $ciphers | grep -q "$CIPHER"
then
found=1
fi
if [ $found -eq 1 ]
then
if echo $ciphers | grep -q "max keysize"
then
echo $ciphers | awk '{print $4}'
fi
fi
done`\""
eend $?
}
generate_key() {
# Synopsis: <empty-string>
# Description: Pipe data from the *nix urandom device to
# base64. By doing so, creating a keystring
# used for device encryption.
#
# Notice: Maximum keysize = 1024 bytes
einfo " Generating key"
eval "$1=\"`head -c 747 /dev/urandom | base64 | tail -c $keysize`\""
eend $?
}
activate() {
# Synopsis: <device-string>
# Description: 1. Generate a keystring for the particular
# swap device that we wish to encrypt
# 2. Encrypt the device using the keystring
# and requested cipher
einfo " Found swap device $1"
key=""
generate_key key
ewarn "$key"
einfo " Encrypting device as $DM_MAPPER$DM_NAME${1#/dev/}"
encrypt_device "$1" "$DM_MAPPER$DM_NAME${1#/dev/}" "$key"
eend $?
}
start() {
# Description: 1. Search /proc/crypto and see if the requested
# cipher is available.
# 2. Retrieve the maximum keysize used for the
# device encryption.
# 3. Scan the system for active swap devices and
# encrypt them.
#
# TODO/FIXME: Place the if-test within the function get_keysize?
ebegin "Enabling swap encryption"
find_cipher
keysize=""
get_keysize keysize
if [ "$keysize" -gt "$MAX_KEYSIZE" ]
then
ewarn " Requested keysize is too large, correcting..."
keysize=$MAX_KEYSIZE
fi
grep '/' /proc/swaps | \
while read devices
do
if echo $devices | grep -qv "$DM_MAPPER"
then
activate $devices
fi
done
eend $?
}
stop() {
# Description: Scan system for active encrypted DM swap
# devices and disable them, while restoring
# the old ones.
ebegin "Restoring encrypted swap devices"
grep "$DM_MAPPER$DM_NAME" /proc/swaps | \
while read devices
do
restore_device $devices
done
eend $?
}
restart() {
# Description: Restart the service
ebegin "Restarting swap encryption"
svc_stop
svc_start
eend $?
}
# Changelog:
# 1.1.10 2005-01-14
# - Changed so generate_key can output a maximum of 1024
# bytes instead of the previous 32 bytes. The old method
# used md5sum while the new one uses base64. 1024 bytes
# should be sufficiant for most ciphers.
# I'd like to thank "MaDsKiLLz" on the Gentoo Forums
# for the help with generating larger keys.
# 1.1.9 2005-01-14
# - Small changes to the if-test that makes sure that the
# key length isn't too long.
# - Fixed some of the function comments
# 1.1.8 2005-01-14
# - get_keysize doesn't search for the minium pass-phrase
# lenght anymore, instead it looks for the maximum length.
# Although it still can't handle pass-phrases longer than
# 32 bytes.
# 1.1.7 2005-01-14
# - Added some todo/fix comments.
# 1.1.6 2005-01-13
# - Script doesn't re-read /proc/crypto anymore (to search
# for the minimum keysize each time a new pass-phrase is
# generated).
# Earlier versions:
# No changelog available
|
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak)
Last edited by Sachankara on Sun Jul 09, 2006 3:51 pm; edited 29 times in total |
|
| Back to top |
|
 |
rkrenzis
Tux's lil' helper
Joined: 22 Jul 2004
Posts: 135
Location: USA
|
| Posted: Fri Jan 14, 2005 12:05 pm Post subject: aes-i586 add to your autoload config... |
|
|
Don't forget to add the "aes-i586" module to your autoload config.
File: /etc/modules.autoload.d/kernel-2.6
Otherwise the script will fall flat on its face. Possibly an enhancement request to the script writer to modprobe for aes-i586.
Otherwise the directions work great! |
|
| Back to top |
|
|
angelacb
n00b
Joined: 31 Oct 2003
Posts: 50
|
| Posted: Fri Jan 14, 2005 12:29 pm Post subject: |
|
|
Neat script. I used to just put a few commands in local.start and local.stop.
Nice howto by the way.
Best Regards,
_________________
Love Linux, Love Life |
|
| Back to top |
|
|
BlackEdder
Advocate
Joined: 26 Apr 2004
Posts: 2588
Location: Dutch enclave in Egham, UK
|
| Posted: Fri Jan 14, 2005 2:01 pm Post subject: |
|
|
One note: for the 2.6 kernel you don't need all this: | Code: | | make && make install && make modules && make modules_install && modules-update |
| Code: | | make && make modules_install && make install |
is enough |
|
| Back to top |
|
|
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
|
| Posted: Fri Jan 14, 2005 3:45 pm Post subject: Re: aes-i586 add to your autoload config... |
|
|
| rkrenzis wrote: | Don't forget to add the "aes-i586" module to your autoload config.
File: /etc/modules.autoload.d/kernel-2.6
Otherwise the script will fall flat on its face. Possibly an enhancement request to the script writer to modprobe for aes-i586.
Otherwise the directions work great! |
Hmm...  In which version of Linux is the aes module called aes-i586? I have two computers running Linux 2.6.7 with the Gentoo Hardened patches, and the module is simply called "aes" on them. Would it be possible for you to post your output from /proc/crypto ?
| angelacb wrote: | Neat script. I used to just put a few commands in local.start and local.stop.
Nice howto by the way.
Best Regards, |
Thanks... 
If you have any suggestions that might improve the script, please let me know.
| BlackEdder wrote: | One note: for the 2.6 kernel you don't need all this: | Code: | | make && make install && make modules && make modules_install && modules-update |
| Code: | | make && make modules_install && make install |
is enough |
I know, I was just a bit too "paranoid". I think I'll change it the way you suggested. Although, I don't think there's any harm keeping "modules-update".
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak) |
|
| Back to top |
|
|
MaDsKiLLz
n00b
Joined: 14 Jan 2005
Posts: 3
|
| Posted: Fri Jan 14, 2005 4:01 pm Post subject: |
|
|
if you want to use longer passwords you could use base64.
| Code: |
head -c 747 /dev/urandom | base64
|
this is how many bytes it'll print out
| Code: |
powerspec root # head -c 747 /dev/urandom | base64 | wc -c
1024
powerspec root
|
so that'll print out 1024 usable bytes
=) |
|
| Back to top |
|
|
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
|
| Posted: Fri Jan 14, 2005 4:45 pm Post subject: |
|
|
| MaDsKiLLz wrote: | if you want to use longer passwords you could use base64.
| Code: |
head -c 747 /dev/urandom | base64
|
this is how many bytes it'll print out
| Code: |
powerspec root # head -c 747 /dev/urandom | base64 | wc -c
1024
powerspec root
|
so that'll print out 1024 usable bytes
=) |
Thank you for the advice... I added it to the script...
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak) |
|
| Back to top |
|
|
tuxophil
Tux's lil' helper
Joined: 29 Jun 2003
Posts: 80
Location: Diddeleng, Lëtzebuerg
|
| Posted: Mon Jan 17, 2005 7:29 pm Post subject: |
|
|
| MaDsKiLLz wrote: | if you want to use longer passwords you could use base64.
| Code: |
head -c 747 /dev/urandom | base64
|
|
Hmm, here's an easier method that doesn't require base64 (I don't even have that executable on my full blown desktop system!?): Just filter out unwanted characters with tr.
Try these:
| Code: | tr -cd 0-9a-f < /dev/urandom | head -c 100
tr -cd [:graph:] < /dev/urandom | head -c 100 |
Cheers |
|
| Back to top |
|
|
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
|
| Posted: Tue Jan 18, 2005 9:20 am Post subject: |
|
|
| gschintgen wrote: | | MaDsKiLLz wrote: | if you want to use longer passwords you could use base64.
| Code: |
head -c 747 /dev/urandom | base64
|
|
Hmm, here's an easier method that doesn't require base64 (I don't even have that executable on my full blown desktop system!?): Just filter out unwanted characters with tr.
Try these:
| Code: | tr -cd 0-9a-f < /dev/urandom | head -c 100
tr -cd [:graph:] < /dev/urandom | head -c 100 |
Cheers |
Oh, very nice... I modified the script once more to use one of your methods which doesn't require base64...
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak) |
|
| Back to top |
|
|
pulverizer
n00b
Joined: 01 Sep 2003
Posts: 20
|
| Posted: Fri Jan 21, 2005 1:36 pm Post subject: |
|
|
Nice script. However I get this error at boot:
| Code: | Enabling swap encryption...
Found swap device /dev/ide/host0/bus0/target0/lun0/part2
Generating key
/sbin/rc: eval: line 1: syntax error near unexpected token `&'
/sbin/rc: eval: line 1: `key=""!g}B+s>EK|&NB|(5LO/-TLxk!cZRB"3"'
* Encrypting device as /dev/mapper/swapide/host0/bus0/target0/lun0/part2
Command failed: Invalid argument
/dev/mapper/swapide/host0/bus0/target0/lun0/part2: No such file or directory
swapon: cannot stat /dev/mapper/swapide/host0/bus0/target0/lun0/part2: No such file or directory
|
Any ideas? Thanks. |
|
| Back to top |
|
|
lysergicacid
Guru
Joined: 25 Nov 2003
Posts: 352
Location: The Universe,Virgo Super Cluster,Milky Way,Earth
|
| Posted: Sat Jan 22, 2005 3:10 am Post subject: same prob here too |
|
|
got almost the same prob | Code: | -(~:#)-> /etc/init.d/swap-encryption start
* Enabling swap encryption ... [ ok ]
* Found swap device /mnt/swap/swap.img
* Generating key [ ok ]
* fpKHobOKT29q+KngAarY7NJdBCQ8MG
* Encrypting device as /dev/mapper/swap/mnt/swap/swap.img
Command failed: Invalid argument
/dev/mapper/swap/mnt/swap/swap.img: No such file or directory
swapon: cannot stat /dev/mapper/swap/mnt/swap/swap.img: No such file or directory [ !! ]
&
/etc/init.d/swap-encryption: line 218: [: 32
56: integer expression expected
* Found swap device /mnt/swap/swap.img
* Generating key
tail: cannot open `56' for reading: No such file or directory [ ok ]
*
* Encrypting device as /dev/mapper/swap/mnt/swap/swap.img
Command failed: Invalid argument
/dev/mapper/swap/mnt/swap/swap.img: No such file or directory
swapon: cannot stat /dev/mapper/swap/mnt/swap/swap.img: No such file or directory [ !! ]
|
any ideas why plz somone i have the apps installed and modules loaded | Code: | Module Size Used by
aes_i586 39412 0
dm_mod 64000 0
w83627hf 30432 0
blowfish 8512 0
Calculating dependencies ...done!
[ebuild R ] sys-libs/device-mapper-1.00.19-r1 0 kB
[ebuild R ] sys-fs/cryptsetup-0.1 0 kB |
udev fs prob maybe ? permission or something ?
_________________
[img]http://valid.canardpc.com/cache/banner/2040927.png[/img]
Desktop:
[img]http://valid.canardpc.com/cache/banner/2703952.png[/img] |
|
| Back to top |
|
|
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
|
| Posted: Wed Jan 26, 2005 9:22 pm Post subject: Re: same prob here too |
|
|
| pulverizer wrote: | Nice script. However I get this error at boot:
| Code: | Enabling swap encryption...
Found swap device /dev/ide/host0/bus0/target0/lun0/part2
Generating key
/sbin/rc: eval: line 1: syntax error near unexpected token `&'
/sbin/rc: eval: line 1: `key=""!g}B+s>EK|&NB|(5LO/-TLxk!cZRB"3"'
* Encrypting device as /dev/mapper/swapide/host0/bus0/target0/lun0/part2
Command failed: Invalid argument
/dev/mapper/swapide/host0/bus0/target0/lun0/part2: No such file or directory
swapon: cannot stat /dev/mapper/swapide/host0/bus0/target0/lun0/part2: No such file or directory
|
Any ideas? Thanks. |
| lysergicacid wrote: | got almost the same prob | Code: | -(~:#)-> /etc/init.d/swap-encryption start
* Enabling swap encryption ... [ ok ]
* Found swap device /mnt/swap/swap.img
* Generating key [ ok ]
* fpKHobOKT29q+KngAarY7NJdBCQ8MG
* Encrypting device as /dev/mapper/swap/mnt/swap/swap.img
Command failed: Invalid argument
/dev/mapper/swap/mnt/swap/swap.img: No such file or directory
swapon: cannot stat /dev/mapper/swap/mnt/swap/swap.img: No such file or directory [ !! ]
&
/etc/init.d/swap-encryption: line 218: [: 32
56: integer expression expected
* Found swap device /mnt/swap/swap.img
* Generating key
tail: cannot open `56' for reading: No such file or directory [ ok ]
*
* Encrypting device as /dev/mapper/swap/mnt/swap/swap.img
Command failed: Invalid argument
/dev/mapper/swap/mnt/swap/swap.img: No such file or directory
swapon: cannot stat /dev/mapper/swap/mnt/swap/swap.img: No such file or directory [ !! ]
|
any ideas why plz somone i have the apps installed and modules loaded | Code: | Module Size Used by
aes_i586 39412 0
dm_mod 64000 0
w83627hf 30432 0
blowfish 8512 0
Calculating dependencies ...done!
[ebuild R ] sys-libs/device-mapper-1.00.19-r1 0 kB
[ebuild R ] sys-fs/cryptsetup-0.1 0 kB |
udev fs prob maybe ? permission or something ? |
The script create keys which might contain characters like `, ' and " and thus it won't always work... I'll fix it in a sec...
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak) |
|
| Back to top |
|
|
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
|
|
| Back to top |
|
|
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
|
| Posted: Wed Jan 26, 2005 9:34 pm Post subject: |
|
|
Guess I was blind... Now I see your other problems, which I'll have to fix as soon as I can. (I sort of assumed everyone mapped their swap devices under /dev/<device>, which wasn't very bright. Perhaps I should just bump the script down to version 0.1... )
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak) |
|
| Back to top |
|
|
Hasw
n00b
Joined: 31 Dec 2004
Posts: 68
Location: Germany
|
| Posted: Wed Jan 26, 2005 11:28 pm Post subject: Re: aes-i586 add to your autoload config... |
|
|
| Sachankara wrote: | Hmm... In which version of Linux is the aes module called aes-i586? I have two computers running Linux 2.6.7 with the Gentoo Hardened patches, and the module is simply called "aes" on them. Would it be possible for you to post your output from /proc/crypto ?
|
IIRC aes-i586 only available since 2.6.8.1. If you using aes as disk encryption (not swap, unless you swap very much), you should use it, because it's lot faster than the not i586 optimized module.
| Code: |
server1 bin # cat /proc/crypto
name : aes
module : aes_i586
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32
|
|
|
| Back to top |
|
|
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
|
| Posted: Wed Jan 26, 2005 11:44 pm Post subject: |
|
|
| Sachankara wrote: | | Guess I was blind... Now I see your other problems, which I'll have to fix as soon as I can. (I sort of assumed everyone mapped their swap devices under /dev/<device>, which wasn't very bright. Perhaps I should just bump the script down to version 0.1... ) |
Quoting myself, ehh... Anyway, a new version is now available with the bugfix which makes the script able to encrypt all sorts of swap devices. The only devices it won't mount are under /dev/mapper...
http://joshua.haninge.kth.se/~sachankara/swap-encryption-1.1.14.tar.bz2
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak) |
|
| Back to top |
|
|
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
|
| Posted: Wed Jan 26, 2005 11:46 pm Post subject: Re: aes-i586 add to your autoload config... |
|
|
| Hasw wrote: | | Sachankara wrote: | Hmm... In which version of Linux is the aes module called aes-i586? I have two computers running Linux 2.6.7 with the Gentoo Hardened patches, and the module is simply called "aes" on them. Would it be possible for you to post your output from /proc/crypto ?
|
IIRC aes-i586 only available since 2.6.8.1. If you using aes as disk encryption (not swap, unless you swap very much), you should use it, because it's lot faster than the not i586 optimized module.
| Code: |
server1 bin # cat /proc/crypto
name : aes
module : aes_i586
type : cipher
blocksize : 16
min keysize : 16
max keysize : 32
|
|
Ah, I'll look into it. See if I can implement several ciphers into the script tomorrow...
Edit: Actually, modprobing "aes" on 2.6.10 runs "aes-i586" automatically...
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak) |
|
| Back to top |
|
|
lysergicacid
Guru
Joined: 25 Nov 2003
Posts: 352
Location: The Universe,Virgo Super Cluster,Milky Way,Earth
|
|
| Back to top |
|
|
pulverizer
n00b
Joined: 01 Sep 2003
Posts: 20
|
| Posted: Fri Jan 28, 2005 5:53 am Post subject: |
|
|
New version works great.  Nice job! |
|
| Back to top |
|
|
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
|
| Posted: Fri Jan 28, 2005 8:07 am Post subject: |
|
|
| pulverizer wrote: | | New version works great. Nice job! |
Thanks... I'm sorry for any annyoing problems the earlier scripts might have caused. Please let me know if there's anyway I can improve the script...
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak) |
|
| Back to top |
|
|
lysergicacid
Guru
Joined: 25 Nov 2003
Posts: 352
Location: The Universe,Virgo Super Cluster,Milky Way,Earth
|
|
| Back to top |
|
|
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
|
| Posted: Sat Jan 29, 2005 9:55 pm Post subject: Re: same here |
|
|
| lysergicacid wrote: | | deleted my swap file and set a particion and all works fine nice script thank you |
Well, the script was faulty from the start anyway. It only worked with swap devices under /dev/<device>. It will be able to handle swap images from now on, but there's still the race condition problem within the kernel when using images and not partitions... Anyway, you already know that...
By the way, thanks...
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak) |
|
| Back to top |
|
|
fuoco
Guru
Joined: 23 May 2004
Posts: 386
Location: Israel
|
| Posted: Mon Jan 31, 2005 10:54 am Post subject: |
|
|
looks nice though I haven't tried yet.
Any chance to get this integrated with the hardened project? As quite some here I'm using gentoo hardened too, and I think that hardened lacks a bit of security in this area, also /home encryption, which is the most vulnerable though most important component on most desktop/laptop systems.
So I think it would be nice to have this as official part of hardened. Easily adds another security layer. An ebuild to it would be nice too. |
|
| Back to top |
|
|
Coenobite
n00b
Joined: 30 Jan 2005
Posts: 28
Location: behind you
|
| Posted: Mon Jan 31, 2005 5:37 pm Post subject: |
|
|
Fantastic script! I'm having a bit of trouble using it with the serpent cipher though...
I'm running Gentoo on a laptop with kernel 2.6.10 and version 1.1.14 of the swap-encryption script. I rebuilt the kernel adding serpent as a module, I changed the $CIPHER variable in the script to 'serpent' and added the serpent module to /etc/modules.autoload.d/kernel-2.6. Then I installed the script in /etc/init.d/ and added it to my default runlevel with rc-update. After rebooting I got this message during the boot sequence:
| Code: | * Enabling swap encryption...
* Found swap device /dev/hda3
* Generating key
head: cannot open '32' for reading: No such file or directory
* Encrypting device as dev-hda3 |
I then rebuilt the kernel with aes_i586 as a module, changed the script's $CIPHER variable back to the default 'aes' and added 'aes_i586' to /etc/modules.autoload.d/kernel-2.6. After rebooting it worked perfectly - though with aes and not serpent
I don't mind AES though, it's more than adequate for my purposes and I'm also planning on encrypting my root filesystem using dm-crypt with AES as the cipher. This would be safe right? Considering I'm already using dm-crypt to encrypt my swap partition.
Oh, and I rebuilt my kernel, statically adding CONFIG_CRYPTO_AES_586 and removing aes from /etc/modules.autoload.d/kernel-2.6
Thanks for a great script!
_________________
Get Firefox
Registered user #379997 |
|
| Back to top |
|
|
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
|
| Posted: Tue Feb 01, 2005 1:25 am Post subject: |
|
|
| Coenobite wrote: | Fantastic script! I'm having a bit of trouble using it with the serpent cipher though...
I'm running Gentoo on a laptop with kernel 2.6.10 and version 1.1.14 of the swap-encryption script. I rebuilt the kernel adding serpent as a module, I changed the $CIPHER variable in the script to 'serpent' and added the serpent module to /etc/modules.autoload.d/kernel-2.6. Then I installed the script in /etc/init.d/ and added it to my default runlevel with rc-update. After rebooting I got this message during the boot sequence:
| Code: | * Enabling swap encryption...
* Found swap device /dev/hda3
* Generating key
head: cannot open '32' for reading: No such file or directory
* Encrypting device as dev-hda3 |
I then rebuilt the kernel with aes_i586 as a module, changed the script's $CIPHER variable back to the default 'aes' and added 'aes_i586' to /etc/modules.autoload.d/kernel-2.6. After rebooting it worked perfectly - though with aes and not serpent
I don't mind AES though, it's more than adequate for my purposes and I'm also planning on encrypting my root filesystem using dm-crypt with AES as the cipher. This would be safe right? Considering I'm already using dm-crypt to encrypt my swap partition.
Oh, and I rebuilt my kernel, statically adding CONFIG_CRYPTO_AES_586 and removing aes from /etc/modules.autoload.d/kernel-2.6
Thanks for a great script! |
Thank you very much...
I was unable to reproduce the "bug" for now, but I'll try it on another computer tomorrow and fix the problem as soon as possible.
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak) |
|
| Back to top |
|
|
|
Documentation, Tips & Tricks
