abduct, Apprentice (Joined: 19 Mar 2015, Posts: 215)
Posted: Sat Jun 20, 2015 9:46 pm. Post subject: Encrypting swap every boot
I found this link (https://wiki.archlinux.org/index.php/Dm-crypt/Swap_encryption#Without_suspend-to-disk_support) on the Arch site and I was wondering how I can implement such a thing on Gentoo.
What it does is use /dev/urandom as the key for the encrypted swap partition, and then re-encrypt it every boot, so that any stagnant data remaining from a previous session is useless.
I currently have encrypted file volumes which I mount to directories via loop devices after opening them with cryptsetup, although I do not quite know how to set up this style of swap partition encryption.
I don't seem to have a file called crypttab, so I assume I can't pull this off, unless someone here knows an alternative simple way to set this up.
Thanks all!
frostschutz, Advocate (Joined: 22 Feb 2005, Posts: 2977, Location: Germany)
Posted: Sat Jun 20, 2015 10:35 pm
crypttab is /etc/conf.d/dmcrypt in OpenRC Gentoo, and it has a swap example with a random key.
abduct, Apprentice (Joined: 19 Mar 2015, Posts: 215)
Posted: Sat Jun 20, 2015 11:25 pm
frostschutz wrote:
    crypttab is /etc/conf.d/dmcrypt in OpenRC Gentoo, and it has a swap example with a random key.
Thanks!
If you know, is it possible to mount file volumes via dmcrypt?
At the moment I have encrypted file volumes for root and home located in /secret, and I am mounting them as follows:
Code:
    losetup /dev/loop1 /secret/home.crypt
    cryptsetup luksOpen /dev/loop1 home
    mount -o loop /dev/mapper/home /home
Is there a way to do this with dmcrypt?
I see the loop file example, but I am not quite sure how it works or how I could achieve the setup I currently posted with it.
I assume the target is going to be the name (ex: home), source would be which loop it would use, and loop_file is the location of the encrypted volume? Are there options to mount /dev/mapper to a specific area?
Also, is it possible to specify losetup -f for source rather than a hard point, so that it fetches the next free loop device?
Thanks again.
abduct, Apprentice (Joined: 19 Mar 2015, Posts: 215)
Posted: Sun Jun 21, 2015 12:46 am
I set up /etc/conf.d/dmcrypt like so:
Code:
    swap=swap
    source='/dev/sda2'
    options='-c aes-xts-plain -h whirlpool -d /dev/urandom'
and to test I started the dmcrypt service with `/etc/init.d/dmcrypt start`
and I get the output:
Code:
    # /etc/init.d/dmcrypt start [ ok ]
    * Setting up dm-crypt mappings ...
    * swap using: -c aes-xts-plain -h whirlpool -d /dev/urandom create swap /dev/sda2 ... [ ok ]
    * pre_mount: mkswap /dev/mapper/swap ...
    mkswap: warning: /dev/mapper/swap is misaligned [ ok ]
and the output of free:
Code:
    # free | grep Swap
    Swap: 0 0 0
Is there something I did wrong? Do I have to remake that partition? The partition was working fine before, using mkswap and swapon. I know I don't have /dev/mapper/swap in /etc/fstab, but that shouldn't affect this.
Also, the previous question still stands: how can I mount file volumes via loop devices like in my previous post? I have it working right now via init scripts, but I'd rather roll everything into the dmcrypt config.
Thanks!
frostschutz, Advocate (Joined: 22 Feb 2005, Posts: 2977, Location: Germany)
Posted: Sun Jun 21, 2015 7:06 am
cryptsetup will handle the loop device for you,
so you can cryptsetup luksOpen somefile somename and then mount /dev/mapper/somename, without losetup and without -o loop options.
A dmcrypt entry should also work for this.
You might still need fstab entries for the dmcrypt stuff you create.
toralf, Developer (Joined: 01 Feb 2004, Posts: 3922, Location: Hamburg)
Posted: Sun Jun 21, 2015 9:07 am
Put something like
Code:
    swap=crypt-swap
    source='/dev/sda3'
into /etc/conf.d/dmcrypt and the appropriate entry
Code:
    /dev/mapper/crypt-swap none swap sw 0 0
into /etc/fstab - should work.
abduct, Apprentice (Joined: 19 Mar 2015, Posts: 215)
Posted: Sun Jun 21, 2015 6:24 pm
Alright, some things are working, but some are not.
Here is /etc/conf.d/dmcrypt
Code:
    swap=crypt-swap
    source='/dev/sda2'
    options='-c aes-xts-plain -h whirlpool -d /dev/urandom'
    target=crypt-home
    source=/secret/home.crypt
    target=crypt-root
    source=/secret/root.crypt
and I set the dmcrypt service to init level default via "rc-update add dmcrypt default".
I also set them up in /etc/fstab
Code:
    /dev/mapper/crypt-root /root auto noatime 0 0
    /dev/mapper/crypt-home /home auto noatime 0 0
    /dev/mapper/crypt-swap none swap sw 0 0
The problem is that dmcrypt starts after fstab, so when fstab tries to mount the mapper devices they are nonexistent.
I am also still getting the "mkswap: warning: /dev/mapper/crypt-swap is misaligned" during boot, and the results of /proc/meminfo and "free" both show no swap available.
Also, should I be removing the swap entry from my rc-update? It was there from when I first ran an unencrypted swap.
Code:
    # rc-update
    alsasound | boot
    bootmisc | boot
    consolefont | default
    devfs | sysinit
    dmcrypt | default
    dmesg | sysinit
    fsck | boot
    hostname | boot
    hwclock | boot
    keymaps | boot
    killprocs | shutdown
    kmod-static-nodes | sysinit
    lm_sensors | default
    local | default
    localmount | boot
    loopback | boot
    modules | boot
    mount-ro | shutdown
    mtab | boot
    netmount | default
    procfs | boot
    root | boot
    savecache | shutdown
    ---> swap | boot
    swapfiles | boot
    sysctl | boot
    sysfs | sysinit
    syslog-ng | default
    termencoding | boot
    tmpfiles.dev | sysinit
    tmpfiles.setup | boot
    udev | sysinit
    urandom | boot
    vixie-cron | default
Thanks again guys, I'm getting closer to getting this to work. I feel as if there should be a wiki page on this config file explaining each option and common mistakes. There is a DM_Crypt wiki page, but it makes no mention of this config file.
abduct, Apprentice (Joined: 19 Mar 2015, Posts: 215)
Posted: Mon Jun 22, 2015 5:32 am
After some fiddling and researching which rc service mounts what, I determined I need to add dmcrypt to the boot runlevel. My directories are mounting perfectly fine now, and even though my swap still has a warning, it is showing up in free and /proc/meminfo.
Last few questions which would be helpful if answered:
How do you create a keyfile that dmcrypt can use? What settings should I use with gpg to create them?
When specifying a remote key such as one on an SD card or USB drive, does dmcrypt auto-mount the device, or do I need to write an init script to mount it for me?
What does "remdev" do exactly?
Thanks for all the help so far!
Also, is anyone allowed to contribute to the wiki? I'd like to add what I've learned to https://wiki.gentoo.org/wiki/Dm-crypt since it does not mention this nice automated config file, and most of my questions should be documented more in depth, either in the config file itself or in the wiki.
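The posts above had to get three things to line up before random-key swap worked under OpenRC: the swap= entry in /etc/conf.d/dmcrypt keyed off /dev/urandom, /etc/fstab referring to the /dev/mapper device, and dmcrypt sitting in the boot runlevel ahead of localmount and swap. The check below is an added example, not code from any post in the thread; it runs on constructed sample input and assumes only POSIX sh and grep -E.

```shell
# Added example (not from the thread): sanity-check an OpenRC random-key swap
# setup. Verdicts: OK, MISSING_RANDOM_KEY (swap would keep a fixed key and the
# old contents stay readable), NO_MAPPER_FSTAB_ENTRY (swap never activated, as
# in the thread). Sample inputs are constructed, not taken from a real host.

# fstab_has_mapper_swap FSTAB NAME: true if FSTAB has a swap line for /dev/mapper/NAME.
fstab_has_mapper_swap() {
    printf '%s\n' "$1" | grep -Eq "^/dev/mapper/$2[[:space:]]+[^[:space:]]+[[:space:]]+swap([[:space:]]|$)"
}

# Verdict for the swap= entry accumulated in $name/$opts, then reset both.
_report_swap() {
    [ -n "$name" ] || return 0
    case $opts in
        *'-d /dev/urandom'*|*'--key-file /dev/urandom'*|*'--key-file=/dev/urandom'*)
            if fstab_has_mapper_swap "$fstab" "$name"
            then printf '%s OK\n' "$name"
            else printf '%s NO_MAPPER_FSTAB_ENTRY\n' "$name"
            fi ;;
        *)  printf '%s MISSING_RANDOM_KEY\n' "$name" ;;
    esac
    name= opts=
}

# check_swap_mappings CONF FSTAB: one verdict line per swap= entry in CONF.
# A following swap= or target= line closes the current entry, as in the real file.
check_swap_mappings() {
    fstab=$2 name= opts=
    printf '%s\n' "$1" | {
        while IFS= read -r line; do
            case $line in
                swap=*)    _report_swap; name=${line#swap=} ;;
                target=*)  _report_swap ;;
                options=*) opts=${line#options=} ;;
            esac
        done
        _report_swap
    }
}

# dmcrypt_in_boot RC_UPDATE_OUTPUT: true if `rc-update` lists dmcrypt under boot.
dmcrypt_in_boot() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*dmcrypt[[:space:]]*[|]([[:space:]]+[^[:space:]]+)*[[:space:]]*boot([[:space:]]|$)'
}

SAMPLE_DMCRYPT_CONF="swap=crypt-swap
source='/dev/sda2'
options='-c aes-xts-plain -h whirlpool -d /dev/urandom'"
SAMPLE_FSTAB="/dev/mapper/crypt-swap none swap sw 0 0"
check_swap_mappings "$SAMPLE_DMCRYPT_CONF" "$SAMPLE_FSTAB"   # crypt-swap OK
dmcrypt_in_boot "  dmcrypt | default" || echo "dmcrypt is not in the boot runlevel"
```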
abduct, Apprentice (Joined: 19 Mar 2015, Posts: 215)
Posted: Thu Jun 25, 2015 8:34 pm
Last few questions which would be helpful if answered:
How do you create a keyfile that dmcrypt can use? What settings should I use with gpg to create them?
When specifying a remote key such as one on an SD card or USB drive, does dmcrypt auto-mount the device, or do I need to write an init script to mount it for me?
What does "remdev" do exactly?
Thanks!
Massimo B., Veteran (Joined: 09 Feb 2005, Posts: 1768, Location: PB, Germany)
Posted: Mon Oct 24, 2016 11:41 am
Hi, same question about encrypting swap via OpenRC and dmcrypt. Usually that was working for me, but currently it does not work:
Code:
    # grep -v "^#" /etc/conf.d/dmcrypt
    dmcrypt_key_timeout=1
    dmcrypt_retries=5
    swap=_swap_crypt_1
    source='/dev/disk/by-partuuid/5e974344-05'
    options='--cipher aes-xts-plain64 --key-size 512 --key-file /dev/urandom'
    pre_mount='mkswap -f ${dev} -L swap_crypt_1'
    # grep swap /etc/fstab
    LABEL=swap_crypt_1 none swap sw,pri=1 0 0
    # find /etc/runlevels/ -name dmcrypt
    /etc/runlevels/boot/dmcrypt
However, with this setup, after bootup nothing happened: no crypt device and no swap. After restarting the dmcrypt service, it at least creates the crypt device but does not activate swap.
Code:
    # /etc/init.d/dmcrypt restart
    dmcrypt | * WARNING: you are stopping a boot service
    dmcrypt | * Removing dm-crypt mappings
    dmcrypt | * _swap_crypt_1 ...
    dmcrypt |Device _swap_crypt_1 is not active. [ !! ]
    dmcrypt | * Setting up dm-crypt mappings ...
    dmcrypt | * _swap_crypt_1 using: --cipher aes-xts-plain64 --key-size 512 --key-file /dev/urandom create _swap_crypt_1 /dev/disk/by-partuuid/5e974344-05 ... [ ok ]
    dmcrypt | * pre_mount: mkswap -f /dev/mapper/_swap_crypt_1 -L swap_crypt_1 ... [ ok ]
Code:
    # find /dev/mapper -name "*crypt*"
    /dev/mapper/_swap_crypt_1
I can swapon /dev/mapper/_swap_crypt_1 myself, but the OpenRC process does not.
frostschutz, Advocate (Joined: 22 Feb 2005, Posts: 2977, Location: Germany)
Posted: Mon Oct 24, 2016 12:32 pm
What if you write PARTUUID= instead of /dev/disk/by-partuuid/?
You can also use this method to give it an actual UUID or LABEL: https://wiki.archlinux.org/index.php/Dm-crypt/Swap_encryption#UUID_and_LABEL
Untested:
Code:
    # mkfs.ext2 -L cryptswap /dev/disk/by-partuuid/5e974344-05 1M
    swap=cryptswap
    source='LABEL=cryptswap'
    options='--offset=2048 --cipher=aes-xts-plain64 --key-size=512 --key-file=/dev/urandom --keyfile-size=512'
    /dev/mapper/cryptswap none swap sw 0 0
mvasi90, n00b (Joined: 16 Aug 2021, Posts: 19)
Posted: Sat Dec 25, 2021 2:39 am
To avoid reviving old posts, here I leave a link to this recent post in which I expose two ways of SWAP re-encryption: during boot and during shutdown.
The recommended way to re-encrypt the SWAP partition is during the normal shutdown. If you re-encrypt the SWAP in the boot process (initramfs or initscripts), your SWAP data will be susceptible to forensic analysis after the shutdown, because the encryption key is the same.