SLACKWARE ENCRYPTED SWAP

2013-01-22 21:36 | by WD Milner

Enabling Encrypted Swap on Slackware - A How-To

Introduction

When available memory drops below a certain point, the Linux kernel will swap the contents of memory pages to swap space.

That content may include sensitive information such as passwords, usernames, PINs, banking or other identity information. It is written to the swap partition exactly as it sat in memory, in plain text, and can be read off the disk without effort. Encrypting the system swap space protects its contents should the hard drive be compromised or physically removed.

Setting up Encrypted Swap

The following discussion will use several drive and partition designations. Be sure when implementing the procedures to adjust these to suit your own system.

The steps that follow can be used when initially setting up a system, or after a system is already running. If the latter, the first step required to encrypt the swap partition is to temporarily turn off swap. Close all unnecessary applications to free memory: swapoff has to read every page that is currently swapped out back into RAM, and if there is not enough free memory to hold them it fails with an out-of-memory error and swap stays active. Individual applications can lock their own memory so that it is never swapped, but that does not help here; what matters is the total amount already sitting in the swap partition.

Though not necessary, perhaps the simplest approach is to boot the system into single user mode (runlevel 1 on Slackware; telinit 1 gets you there from a running system). This results in minimal services running and a single root shell.

Swap can then be turned off using the following command; afterwards cat /proc/swaps should list no devices:

# swapoff -a

To ensure a completely clean and sterile swap space, you must overwrite the previously used swap partition with random data. This will help prevent the recovery of any data written to swap before the encryption process. There are several ways to do this.

Perhaps the easiest is the shred command, which overwrites the specified file or device with random data (three passes by default):

# shred -v /dev/sdaX

Alternatively, overwrite the space with random data from either /dev/random or /dev/urandom:

# dd if=/dev/random of=/dev/sdaX bs=512

or

# dd if=/dev/urandom of=/dev/sdaX bs=512

Note: /dev/urandom is not quite as secure; however, it is significantly faster than /dev/random. For wiping a partition it is entirely adequate, and /dev/random is actually a poor choice here: it blocks whenever the kernel's entropy estimate is exhausted, so filling a partition of any real size from it can take hours or never finish. With either source a larger block size such as bs=1M is much faster than bs=512. dd will report "No space left on device" when it reaches the end of the partition; that is expected.

The next step is to create the file /etc/crypttab if it does not already exist. The specifics of the format can be found in the crypttab man page. Slackware does not use systemd; /etc/crypttab is read at boot by /etc/rc.d/rc.S, so check the swap branch of that script on your release to see which of the options in the fourth field it actually honours.

A crypttab entry as follows creates an encrypted block device named swap under /dev/mapper, using the partition /dev/sdaX as the backing block device and a key read from /dev/random, with AES in XTS mode and ESSIV-derived initialization vectors. The swap option tells the boot script to run mkswap on the mapped device at every boot, which is required because a fresh random key is generated each time. Two consequences follow from the random key: nothing written to this swap survives a reboot, so suspend-to-disk (hibernation) to it is not possible, and /dev/random as the key source can stall the boot while the entropy pool fills, which is why /dev/urandom is the usual choice. Two further caveats: cryptsetup's default key size is 256 bits, which in XTS mode (where the key is split in two) gives AES-128, so add size=512 if you want AES-256; and ESSIV was designed for CBC mode. XTS is conventionally paired with plain64 IVs (cipher=aes-xts-plain64), and recent kernels no longer accept the XTS/ESSIV combination, so prefer aes-xts-plain64 on a current system.

swap /dev/sdaX /dev/random swap,cipher=aes-xts-essiv:sha256

You then need to edit /etc/fstab to point to the encrypted block device, /dev/mapper/swap as opposed to /dev/sdaX.

For example a current entry of:

/dev/sdaX swap swap defaults 0 0

becomes:

/dev/mapper/swap swap swap defaults 0 0

Activating Encrypted Swap

You can now enable encrypted swap either by rebooting the system (rc.S sets it up from crypttab) or by issuing the following commands at the console prompt. The cipher given here matches the crypttab entry above, and the key is taken from /dev/urandom rather than /dev/random so that the command does not block waiting for entropy:

# cryptsetup -c aes-xts-essiv:sha256 -d /dev/urandom create swap /dev/sdaX
# mkswap /dev/mapper/swap
# swapon -a

To confirm that the encrypted device, and not the raw partition, is what is in use:

# cat /proc/swaps
# cryptsetup status swap

For detailed information on specific commands please see the individual manual (man) pages.
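The whole procedure above, collected into one script as an added example (this is not the article's own code and not part of Slackware). It assumes the script is saved as encswap.sh, that blkid, shred and cryptsetup are installed, and that the boot script honours the cipher= and size= crypttab options; the mapper name, device and cipher settings are parameters. It differs from the article's entry in two deliberate ways: it takes the key from /dev/urandom, and it defaults to aes-xts-plain64 with a 512-bit key (AES-256 in XTS mode). The file-editing helpers only print their result, so they can be tried against a copy of /etc/fstab before anything is touched, and the destructive part refuses to wipe a partition that does not carry a swap signature.

```shell
#!/bin/sh
# Added example, not from the original article: performs the encrypted-swap
# setup on Slackware. Assumes encswap.sh as the file name and that rc.S honours
# the cipher= and size= options in /etc/crypttab (check its swap branch).
set -eu

# Print the crypttab entry for a random-key swap device.
crypttab_line() {
    name=$1; dev=$2; cipher=${3:-aes-xts-plain64}; size=${4:-512}
    printf '%s %s /dev/urandom swap,cipher=%s,size=%s\n' \
        "$name" "$dev" "$cipher" "$size"
}

# Print fstab $2 with the swap entry for device $1 redirected to /dev/mapper/$3.
# Only lines whose first field is the device and whose type field is "swap"
# change; comments and other mounts are passed through untouched.
rewrite_fstab() {
    dev=$1; fstab=$2; name=$3
    awk -v dev="$dev" -v name="$name" '
        $1 == dev && $3 == "swap" { $1 = "/dev/mapper/" name }
        { print }
    ' "$fstab"
}

# True when $1 currently carries a swap signature (refuse to wipe anything else).
is_swap_partition() {
    [ "$(blkid -o value -s TYPE "$1" 2>/dev/null)" = "swap" ]
}

# Dry run of the fstab rewrite on a constructed sample fstab; needs no root
# and writes nothing under /etc.
demo_rewrite() {
    tmp=$(mktemp)
    printf '/dev/sda1 / ext4 defaults 1 1\n/dev/sda3 swap swap defaults 0 0\n' > "$tmp"
    rewrite_fstab /dev/sda3 "$tmp" swap
    rm -f "$tmp"
}

# Destructive part: disable swap, wipe the partition, update crypttab and
# fstab, then activate the encrypted device. Run as root, for example:
#   sh encswap.sh setup /dev/sda3
setup_encrypted_swap() {
    dev=$1; name=${2:-swap}; cipher=${3:-aes-xts-plain64}; size=${4:-512}
    [ "$(id -u)" -eq 0 ] || { echo "must be root" >&2; return 1; }
    is_swap_partition "$dev" || { echo "$dev is not a swap partition, refusing to wipe" >&2; return 1; }
    # swapoff fails with an out-of-memory error if the swapped-out pages do not fit in RAM.
    if grep -q "^$dev[[:space:]]" /proc/swaps; then swapoff "$dev"; fi
    # One random pass is enough to destroy the old plaintext swap contents.
    shred -v -n 1 "$dev"
    grep -q "^$name[[:space:]]" /etc/crypttab 2>/dev/null || \
        crypttab_line "$name" "$dev" "$cipher" "$size" >> /etc/crypttab
    rewrite_fstab "$dev" /etc/fstab "$name" > /etc/fstab.new && mv /etc/fstab.new /etc/fstab
    # Same settings as the crypttab entry, applied now rather than at the next boot.
    cryptsetup -c "$cipher" -s "$size" -d /dev/urandom create "$name" "$dev"
    mkswap "/dev/mapper/$name"
    swapon -a
    # The mapper device, not $dev, should now be listed.
    cat /proc/swaps
    cryptsetup status "$name"
}

case "${1:-}" in
    setup) shift; setup_encrypted_swap "$@" ;;
    demo)  demo_rewrite ;;
esac
```

Run sh encswap.sh demo first to see the fstab rewrite on the sample, then sh encswap.sh setup /dev/sdaX as root (after swapoff has succeeded, or from single user mode) to apply it; a reboot afterwards exercises the crypttab path.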

This document has been submitted to the Slackware Documentation Project.




CLOUD RELIABILITY

2012-12-28 16:03 | by WD Milner

The "Cloud" is supposed to be a flexible, resilient and redundant resource for computing power and data storage. But just how reliable is it?




WE’VE GOT OUR EYES ON YOU !

2012-11-28 18:06 | by WD Milner

Think your location is private because you turned GPS off in your cellular telephone? Think again.




A PRAYER OF REMEMBRANCE

2012-11-11 10:29 | by WD Milner

Gracious God, our help in ages past, our support in present times and our hope in years to come; in memory and in hope we come before you.


