orange_juice Guru
Joined: 16 Feb 2006 Posts: 588 Location: Athens - Greece
Posted: Tue Jun 20, 2006 4:42 pm Post subject: Swap encryption with cryptoloop? [solved] |
Hello!
My intention is to encrypt my swap device.
After some research, I came across this post where its author, Sachankara, reasons the encryption of a swap device as follows:
Sachankara wrote:
    Why encrypted swap devices?
    Every time you log onto your computer the password is sent to PAM (Pluggable Authentication Module), which in turn encodes the password using a special algorithm. The encoded password is then compared to other pre-encoded passwords in a hidden database, and if it's a match - grants you access to your user. And here lies the problem: PAM stores the password in plain text in the memory. Although the password is quite (very) safe within the memory, it can turn into a huge security problem if the memory holding the password(s) is cached to the swap device. An unauthorized user can then scan the swap devices for available passwords and, in the worst case, gain full access to your system. This is something we don't want (don't we?).
This post was started in January 2005, and since then provides a script that is periodically updated and caters for the encryption of the swap device.
One year and a half later... another author, slick, posted the following message:
slick wrote:
    I simply use this out of the box:
    /etc/fstab
    Code:
        /dev/hda1 none swap sw,loop=/dev/loop7,encryption=AES128 0 0
    I think it's enough for the swap.
Indeed, "man swapon" reads:
Code:
    If loop=/dev/loop? and encryption=AES128 options are present in
    /etc/fstab then swapon -a will set up loop devices using random
    keys, run mkswap on them, and enable encrypted swap on specified
    loop devices. Encrypted loop devices are set up with page size
    offset so that unencrypted swap signatures on first page of swap
    devices are not touched. swapoff -a will tear down such loop
    devices.
I have the following questions:
1) Can the swap device become a security breach that might reveal important information, even the root password, to an intruder?
2) Is it really so simple and effective to encrypt the swap device through /etc/fstab?
Kind regards,
orange_juice
Last edited by orange_juice on Thu Jun 22, 2006 9:18 pm; edited 2 times in total
troymc Guru
Joined: 22 Mar 2006 Posts: 553
Posted: Tue Jun 20, 2006 4:52 pm Post subject: |
1) Yes
2) Yes
Boy, that was easy!
Another, often overlooked, risk is temporary files created in /tmp & /var/tmp, particularly when applications terminate abnormally and don't get a chance to clean up after themselves. I use a small tmpfs filesystem for /tmp - it is very fast performance-wise and is destroyed every reboot. Then I use a large non-persistent encrypted filesystem for /var/tmp. This filesystem uses a random key every boot & is re-mkfs'd every boot.
troymc
slick Bodhisattva
Joined: 20 Apr 2003 Posts: 3495
Posted: Tue Jun 20, 2006 5:16 pm Post subject: |
troymc wrote:
    ...Then I use a large non-persistent encrypted filesystem for /var/tmp. This filesystem uses a random key every boot & is re-mkfs'd every boot...
Is the following in /etc/fstab a good way? I think tmpfs is really fast and if it is using the swap it will be encrypted. But be sure the swap partition or your RAM are big enough, like 2G.
Code:
    /dev/hda1 none swap sw,loop=/dev/loop7,encryption=AES128 0 0
    none /var/tmp tmpfs nr_inodes=1M 0 0
    none /tmp tmpfs nr_inodes=1M 0 0
troymc Guru
Joined: 22 Mar 2006 Posts: 553
Posted: Tue Jun 20, 2006 10:18 pm Post subject: |
slick wrote:
    Code:
        /dev/hda1 none swap sw,loop=/dev/loop7,encryption=AES128 0 0
        none /var/tmp tmpfs nr_inodes=1M 0 0
        none /tmp tmpfs nr_inodes=1M 0 0
A couple of points:
1) Do you really think you'll need 1 million files/dirs in /tmp? I'd probably start with 1k and up the number from there as needed.
2) Always specify a size= parameter, too. This will keep you from running out of memory if you create huge files in /tmp.
3) Don't use tmpfs for /var/tmp unless you have huge amounts of memory/swap. This is where large compilations take place (OpenOffice will eat 1Gig easy). I use a non-persistent encrypted filesystem configured in /etc/conf.d/cryptfs. Read here for more details (I encrypt /var/tmp the way they talk about encrypting /tmp).
troymc
orange_juice Guru
Joined: 16 Feb 2006 Posts: 588 Location: Athens - Greece
Posted: Wed Jun 21, 2006 11:30 am Post subject: |
I think I need to sum up! The following text summarizes the "out of the box or portage" options to encrypt
1) swap
2) /tmp
3) /var/tmp
It also includes 3 questions regarding these issues.
1) About swap encryption:
a) The first option is to use the following line in /etc/fstab
Code:
    /dev/hda1 none swap sw,loop=/dev/loop7,encryption=AES128 0 0
Also the relevant kernel entry should be enabled:
Code:
    Device Drivers --> Block Devices --> Cryptoloop Support
b) The second option is to use
Code:
    emerge sys-fs/cryptsetup
... as described in the article Disk cryptography with dm-crypt from the Gentoo Hardened Project
(Which is probably not well linked because it cannot be found from http://www.gentoo.org/proj/en/hardened)
2) About /tmp encryption
a) The first option is to use tmpfs. The relevant fstab line will be as follows
Code:
    none /tmp tmpfs size=[void],nr_inodes=[void] 0 0
The [voids] should be filled according to RAM and SWAP sizes. However, as stated in this forum and this gentoo-wiki article, this method consumes quite a lot of RAM.
b) The second option is to use
Code:
    emerge sys-fs/cryptsetup
3) About /var/tmp
The only reasonable option seems to be that of using
Code:
    emerge sys-fs/cryptsetup
Concluding, my questions are:
Question 1: Are the 2 mentioned methods of encrypting the swap partition equivalent?
Question 2: I have 1 GB RAM and 2GB swap memory. What could be the numbers used in the size and nr_inodes of the tmpfs entry?
Question 3: I feel that tmpfs is a rather complicated solution due to its heavy use of RAM and SWAP. According to the "Keep it simple" rule, wouldn't it be better to use cryptsetup even for /tmp encryption?
Kind regards,
orange_juice
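The points troymc raised about the fstab (no size= on tmpfs, far too many inodes) and the options summarized in the post above can be turned into a quick, offline check. The script below is an added example for this thread, not code from any poster or from Gentoo: it reads fstab text, flags plaintext swap, notes cryptoloop swap (the loop=/encryption= form) as the variant the thread steers away from, treats a /dev/mapper/ swap device as the dm-crypt form whose key is handled outside fstab, and warns on tmpfs mounts without size=. Both fstab samples and the device and mapping names in them (hda1, hda2, hda3, crypt-swap) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit fstab entries for the points
# raised above. Device names and both fstab samples are constructed.

# Constructed sample fstab that trips each check once.
SAMPLE_FSTAB='/dev/hda1 none swap sw 0 0
/dev/hda2 none swap sw,loop=/dev/loop7,encryption=AES128 0 0
none /tmp tmpfs nr_inodes=1M 0 0
/dev/hda3 / ext3 noatime 0 1'

# Constructed sample in the shape the thread ends up recommending: swap on a
# dm-crypt mapping (hypothetical name crypt-swap, keyed from the dmcrypt
# config rather than from fstab) and tmpfs with an explicit size= cap.
HARDENED_FSTAB='/dev/mapper/crypt-swap none swap sw 0 0
none /tmp tmpfs size=256M,nr_inodes=1k 0 0
/dev/hda3 / ext3 noatime 0 1'

# Print one finding per line for a single fstab entry (fields as arguments).
check_fstab_line() {
    dev=$1 mnt=$2 fstype=$3 opts=$4
    case "$fstype" in
    swap)
        case "$dev" in
        /dev/mapper/*) ;;   # dm-crypt mapping: the key is handled outside fstab
        *)
            case ",$opts," in
            *,encryption=*)
                echo "INFO $dev: cryptoloop swap (loop=/encryption=); the thread recommends dm-crypt instead" ;;
            *)
                echo "WARN $dev: swap device is not encrypted" ;;
            esac ;;
        esac ;;
    tmpfs)
        case ",$opts," in
        *,size=*) ;;
        *) echo "WARN $mnt: tmpfs without size= can consume all RAM" ;;
        esac
        case ",$opts," in
        *,nr_inodes=1M,*) echo "INFO $mnt: nr_inodes=1M is generous; start around 1k and raise as needed" ;;
        esac ;;
    esac
}

# Audit fstab text passed as $1, skipping comments and blank lines.
audit_fstab() {
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac
        check_fstab_line "$dev" "$mnt" "$fstype" "$opts"
    done <<EOF
$1
EOF
}

# Succeed only when the audit raises no WARN line.
fstab_ok() {
    ! audit_fstab "$1" | grep -q '^WARN'
}

# Stand-alone usage: report on the constructed sample.
audit_fstab "$SAMPLE_FSTAB"
```

To run it against a real machine, replace the constructed sample with `audit_fstab "$(cat /etc/fstab)"`; the nr_inodes note is a heuristic taken from troymc's point 1, not a hard limit.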
Reikinio Apprentice
Joined: 14 Aug 2005 Posts: 203 Location: Uruguay
Posted: Wed Jun 21, 2006 6:29 pm Post subject: |
Disk cryptography with dm-crypt is unfinished and outdated; that's probably why it's not well linked. All you need to learn from it can be learned by reading cryptfs.example, which ships with the cryptsetup||cryptsetup-luks package.
1) No, the first method uses cryptoloop, and the second one uses dm-crypt.
If I were you I'd use dm-crypt instead; if you want to use cryptoloop, read at least this first.
orange_juice Guru
Joined: 16 Feb 2006 Posts: 588 Location: Athens - Greece
Posted: Thu Jun 22, 2006 5:31 pm Post subject: |
Thank you!
Therefore...
About the swap device:
Cryptoloop is not safe... and dm-script should be used instead.
About /tmp, /var/tmp
Browsing through the Howtos relating to encryption, I see that it is quite a fuss! Is it worth struggling for the encryption of those two directories? I have built a web server and I just need to keep this server reasonably safe. Is there a "security hole" if I did not encrypt those directories?
Kind regards,
orange_juice
Reikinio Apprentice
Joined: 14 Aug 2005 Posts: 203 Location: Uruguay
Posted: Thu Jun 22, 2006 7:18 pm Post subject: |
orange_juice wrote:
    Thank you!
    (...)
    About /tmp, /var/tmp
    Browsing through the Howtos relating to encryption, I see that it is quite a fuss! Is it worth struggling for the encryption of those two directories? I have built a web server and I just need to keep this server reasonably safe. Is there a "security hole" if I did not encrypt those directories?
    (...)
First, I am by no means an expert, so take what I say with a grain of salt.
When you encrypt a partition, what you're doing is protecting its data from unauthorized physical access to your computer; it doesn't protect you from someone tampering with your data from within your running system.
I have no idea whether you should or shouldn't encrypt /tmp; will there be any sensitive files there?
Personally, I think that if you haven't encrypted all your partitions (/, /tmp, swap, /home, ....), then there is a hole, especially if / is not encrypted: someone with physical access to your computer could perform a man-in-the-middle attack.
This is all a little bit paranoid. I have no idea if encrypting a system that is going to be a web server is a good idea or not; perhaps in your case Tripwire or AIDE is enough, don't know.
There are a lot of things you can do to secure your web server, but with every security layer you add, usability decreases. The question is, can you live with the trade-off?
Bye
orange_juice Guru
Joined: 16 Feb 2006 Posts: 588 Location: Athens - Greece
Posted: Thu Jun 22, 2006 9:00 pm Post subject: |
Thank you for your answer.
Kind regards,
orange_juice
cpakkala Apprentice
Joined: 17 Dec 2004 Posts: 154
Posted: Thu Jan 04, 2007 1:40 am Post subject: |
Is there any reason to encrypt /tmp explicitly if you are already using encrypted swap and /tmp is mounted on tmpfs? Seems to me that anything in /tmp that makes it to the hard drive (via swapping) will be encrypted.
orange_juice Guru
Joined: 16 Feb 2006 Posts: 588 Location: Athens - Greece
Posted: Wed Jan 10, 2007 11:45 am Post subject: |
To be honest, I am not aware of the exact mechanisms that work in this situation. What I feel is that mounting /tmp on tmpfs, although it is said that this is beneficial at the expense of RAM, is providing an adequate level of security for a user that needs to have a notion of safety as far as normal attacks and network situations are concerned.
It strikes me that securing your network is like securing your car. You put wheel locks, alarms and special key locks, OK. All these protect you against people that will prefer to steal a more easily compromised car than yours. That is all about it. However, if your car "has" to be stolen it will be! I have heard of stories where such a car was parked at the end of a garage in a building, and the thieves had to unlock the door of the garage, compromise two other vehicles in order to move them aside, and they only took the third one, paying extra attention not to damage anything!!!
So... I have decided not to be extremely extra paranoid about all these things that relate to special security, because what I do is not included in its reason of existence. Of course, I am trying to be careful as a considerate netizen and dedicate my remaining effort to discovering new aspects of computers in my everyday use. Which means that my everyday activity does not need the extra precaution measures that "extra paranoid" security offers.
For people that are concerned about this extra step, I would recommend a more holistic solution, which is selinux. Selinux is trying to build a very secure system from its basis, covering every possible aspect of security in the manner of a live, secure and constantly developing -in terms of security- organism.
There is also openbsd and of course ipcop that can be used as further network-security implementations on top of your "have to do" step of the Gentoo Security Handbook.
Kind regards,
orange_juice
woZa Guru
Joined: 18 Nov 2003 Posts: 340 Location: The Steel City - UK
Posted: Mon Mar 31, 2008 4:10 pm Post subject: |
troymc wrote:
    I use a non-persistent encrypted filesystem configured in /etc/conf.d/cryptfs. Read here for more details (I encrypt /var/tmp the way they talk about encrypting /tmp).
    troymc
Thanks...
Worked a treat, although it is a few years on and the conf file is now /etc/conf.d/dmcrypt
HTH
_________________
A few months struggling with gentoo is better than a lifetime struggling with windoze!