Fedora Core 10: Encrypted Swap Partition

February 1, 2009 in GNU/Linux, Information Security | 3 comments

Further research shows that the swap partition in the standard Fedora 10 installation is not encrypted. This means that memory that has been swapped out to disk could be easily read using forensic tools. Worse case scenario could mean that sensitive information, such as account details, or encryption/decryption keys are stored on the disk between reboots.

So what to do? Well, let’s encrypt that bad-boy using dm-crypt. First off, it’s likely you’ve already been using your computer, and so for good measure, you should shred (overwrite) the current swap partition. In order to do that we’ll first need to turn swap off.

# swapoff -a

The default swap partition device will be /dev/VolGroup00/LogVol01. Shred it with:

# shred -v /dev/VolGroup00/LogVol01
shred: /dev/VolGroup00/LogVol01: pass 1/25 (random)

Now, if you already have encrypted other partitions. There’ll be an /etc/crypttab file, if not you should create one, and edit it. Append the following line, and save the file: swap /dev/VolGroup00/LogVol01 /dev/urandom swap,cipher=aes-cbc-essiv:sha256

This will re-create your swap partition at each reboot, and encrypt the partition using a random key. Next, edit the /etc/fstab file, and change this line: /dev/VolGroup00/LogVol01 swap swap defaults 0 0 to this: /dev/mapper/swap swap swap defaults 0 0

Once you reboot the system, the new swap configuration will take effect. Or, if you cherish your uptime, you can initiate an encrypted swap immediately.

# cryptsetup -d /dev/urandom create swap /dev/VolGroup00/LogVol01
# mkswap /dev/mapper/swap
Setting up swapspace version 1, size = 4095996 KiB
no label, UUID=********-****-****-****-************
# swapon -a

Congratulations, your swap partition is now encrypted and is unlikely to yield usable data under forensic interrogation.

Share and Enjoy:
  • Digg
  • Sphinn
  • del.icio.us
  • Facebook
  • Mixx
  • Google Bookmarks
  • LinkedIn
  • email
  • Technorati
  • Reddit
  • StumbleUpon
  • TwitThis

Related posts:

  1. Fedora Core 10: LUKS and dm-crypt
  2. Mounting LUKS / dm-crypt Partitions in Microsoft Windows
  3. HowTo Play Old QuakeWorld Demos
  4. Publishing Public Keys to Key-Servers Could Earn You Jail-Time

Tags: , , , , , , ,

  1. J’s avatar

    J on February 2, 2009 at 8:53 am

    Not to diss the encryption nerds, but I refer you to: http://xkcd.com/538/

    ;o)

  2. yibble’s avatar

    yibble on February 2, 2009 at 9:07 am

    Very true, this is called ‘Rubberhose’ security, however, most civilised police forces will not resort to such tactics. There’s also the right not to incriminate oneself, although that one has been eroded by RIPA.

    Primarily basic drive encryption should be seen as a way to prevent data going stray in the event of hardware theft, as opposed to adequate defense against interogation. Unless we have deniable encryption, which I think FreeOTFE and TrueCrypt support.

  3. yibble’s avatar

    yibble on July 30, 2009 at 11:12 am

    Worth noting that this doesn’t seem to be an issue in Fedora Core 11, as the partition that that holds the SWAP LVG is encrypted.