Encrypting swap partition. Does it work as it should?

Linux Kernel, Network, and Services configuration.
vol
Posts: 5
Joined: 2017-05-20 10:15

Encrypting swap partition. Does it work as it should?

#1 Post by vol »

Hello. This is my first post so go easy on me :) As I like my tinfoil hat I like to have every device encrypted. When I decided to install Debian 8 as my desktop OS encryption was implied. So let me start at the beginning:

1. I installed Windows 10 with 200GB partition out of 305GB (partition #2)
2. I encrypted it with BitLocker which made another partition (stealing space from partition #2) for booting and encrypting Windows (partition #1) at the beginning of the HDD

I just mentioned these partitions to make print screens below more understandable :)

3. I booted Debian installation and went for graphical installation
4. In partition manager I created 500MB partition (#3) and selected it as primary partition, mounted as boot
5. Then I created 100GB (#5) partition and chose "encrypted"
6. Then I created 5GB (#6) partition and chose "encrypted"
7. I saved changes and went to choosing what to do with encrypted partitions
8. I used #5 as ext4 partition and mounted root there
9. I used #6 partition as swap partition
10. #5 and #6 made "extended partition #4"
10. I installed rest of the stuff and started to use OS
11. So my config looks like this

Partition #3 http://imgur.com/FzUwIIZ
Partition #4 http://imgur.com/yJlwvCA
Partition #5-1 http://imgur.com/xgQXmig
Partition #5-2 http://imgur.com/LhXHWBn
Partition #6-1 http://imgur.com/57ZHVsT
Partition #6-2 http://imgur.com/WufJVr8

12. After rebooting I have to provide password for #5, I provide it
13. After rebooting I have to provide password for #6, I provide it.
14. AND HERE IT IS! http://imgur.com/51KBwgX

So I typed the command as told and here it is:

Code: Select all

vol@vol-debian:~$ systemctl status systemd-cryptsetup@sda6_crypt.service
● systemd-cryptsetup@sda6_crypt.service - Cryptography Setup for sda6_crypt
   Loaded: loaded (/etc/crypttab)
   Active: failed (Result: exit-code) since Sat 2017-05-20 12:25:54 CEST; 30min ago
     Docs: man:crypttab(5)
           man:systemd-cryptsetup-generator(8)
           man:systemd-cryptsetup@.service(8)
  Process: 385 ExecStop=/lib/systemd/systemd-cryptsetup detach sda6_crypt (code=exited, status=1/FAILURE)
  Process: 382 ExecStartPost=/sbin/mkswap /dev/mapper/sda6_crypt (code=exited, status=1/FAILURE)
  Process: 364 ExecStart=/lib/systemd/systemd-cryptsetup attach sda6_crypt /dev/disk/by-uuid/9df317c7-bd1e-4c93-b2ba-5c30169e02fb none luks,swap (code=exited, status=0/SUCCESS)
 Main PID: 364 (code=exited, status=0/SUCCESS)
My question is: what should I do to make it work? Is my swap encrypted? Is it working?!

vol
Posts: 5
Joined: 2017-05-20 10:15

Re: Encrypting swap partition. Does it work as it should?

#2 Post by vol »

Anybody? Could you at least point me to the right direction?

phenest
Posts: 1702
Joined: 2010-03-09 09:38
Location: The Matrix

Re: Encrypting swap partition. Does it work as it should?

#3 Post by phenest »

Is an encrypted swap absolutely necessary for you? Encryption is understandable, but why swap?
ASRock H77 Pro4-M i7 3770K - 32GB RAM - Pioneer BDR-209D

phenest
Posts: 1702
Joined: 2010-03-09 09:38
Location: The Matrix

Re: Encrypting swap partition. Does it work as it should?

#4 Post by phenest »

What is the output of:

Code: Select all

sudo blkid | grep swap

dasein
Posts: 7680
Joined: 2011-03-04 01:06
Location: Terra Incantationum

Re: Encrypting swap partition. Does it work as it should?

#5 Post by dasein »

vol wrote:I like my tinfoil hat...
Image

A 2005 study at MIT reveals the true danger of the "tinfoil" hat. The fact that this study never made it into any mainstream scientific journal is proof-positive of a global conspiracy to suppress the truth.

(Or maybe aliens fabricated those results, in order to get folks to remove their protective helmets??)

vol
Posts: 5
Joined: 2017-05-20 10:15

Re: Encrypting swap partition. Does it work as it should?

#6 Post by vol »

phenest wrote:Is an encrypted swap absolutely necessary for you? Encryption is understandable, but why swap?
As far as my academic knowledge from the university goes "paging" means that data from my RAM is copied to swap partition in order to free fast RAM for other operations yet have the data stored somewhere from previous operations.

If your HDD is encrypted, all files are decrypted by CPU on the fly using encryption key from RAM. So if the encryption key is stored on unencrypted swap because of paging, there is a major security hole in the system.

If I want to use hibernation, whole session from RAM is stored on swap, with an encryption key just waiting to be read.

Not mentioning that if my browser data sits on unencrypted SWAP I'm just giving it away.

Also this link:
https://askubuntu.com/questions/313564/ ... -partition

Shows that passwords can be stored on swap in plaintext…
phenest wrote:What is the output of:

Code: Select all

sudo blkid | grep swap
I'll check it as soon as I get back from work! :) Thanks for trying to help.
dasein wrote:
vol wrote:I like my tinfoil hat...
Image

A 2005 study at MIT reveals the true danger of the "tinfoil" hat. The fact that this study never made it into any mainstream scientific journal is proof-positive of a global conspiracy to suppress the truth.

(Or maybe aliens fabricated those results, in order to get folks to remove their protective helmets??)
Government or Aliens… tough choice! Thanks for the link and pic, it made me smile :)

phenest
Posts: 1702
Joined: 2010-03-09 09:38
Location: The Matrix

Re: Encrypting swap partition. Does it work as it should?

#7 Post by phenest »

vol wrote:If I want to use hibernation, whole session from RAM is stored on swap, with an encryption key just waiting to be read.
By whom? If you've hibernated, isn't your computer turned off?
vol wrote:So if the encryption key is stored on unencrypted swap because of paging, there is a major security hole in the system.
So you're going to encrypt the encryption key?

How many locks on your front door? Do you have CCTV? A guard dog? A security guard with a big gun? Barbed wire fencing around your property? A moat? Where does it end?

You definitely have a major hole somewhere.

vol
Posts: 5
Joined: 2017-05-20 10:15

Re: Encrypting swap partition. Does it work as it should?

#8 Post by vol »

If the encryption key is unencrypted in RAM it's all right. I just turn PC off and data is wiped. This way Evil Government, my tech-savvy evil twin brother or aliens can't have access to anything unless they provide encryption key.

On the other hand when key is stored in a swap partition that is not encrypted (for example when in hibernation), turning PC off won't do the trick. Everybody can simply take out the hard drive, make an image of the swap partition and extract key from the image. That image would be useless if only swap was encrypted.

If you don't encrypt swap you basically make it harder to access your data, but not impossible (which is the sole point of encryption!). When done right encryption makes it impossible to read your private data.

So the problem starts when the encryption keys are stored on nonvolatile memory that by itself is not encrypted. It's Tinfoil 101: Unencrypted data should only be stored on volatile memory. That's why you don't have a 'rootpassword.txt' on your desktop, yet when you provide your password it's remembered (inside RAM) in terminal for the whole terminal session. You end session and the password is wiped from volatile memory forever leaving no traces. :)

But all jokes aside - if it just takes a little bit more work for attacker to extract your data only because you omitted encrypting swap, why even bother with encryption? What's next? Using encryption software with known backdoors? Doing it (encryption) wrong makes it (decryption) a little bit more difficult for the attacker. Sure, some attackers will let go at the first signs of struggle… but doing it right makes it impossible for even the most tech-savvy attacker (unless Aliens have quantum computing of course!).

vol
Posts: 5
Joined: 2017-05-20 10:15

Re: Encrypting swap partition. Does it work as it should?

#9 Post by vol »

Sorry for the delay.
phenest wrote:What is the output of:

Code: Select all

sudo blkid | grep swap
OUTPUT:

Code: Select all

/dev/mapper/sda6_crypt: UUID="590cf396-192d-4739-93b2-f0a6d6955078" TYPE="swap"
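
For the question the thread leaves open ("Is my swap encrypted? Is it working?"), one way to check is to compare the active swap areas in /proc/swaps with the block-device types that lsblk reports. This is an added example, not part of the original posts: `swap_not_on_dmcrypt` is a hypothetical helper name, and the sample data (including the `/dev/sda7` entry) is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list active swap areas that are not
# sitting on a dm-crypt mapping.
#
# swap_not_on_dmcrypt SWAPS LSBLK
#   SWAPS: contents of /proc/swaps
#   LSBLK: output of `lsblk -rno NAME,KNAME,TYPE`
# Prints "<swap path> <backing type>" for every swap area whose block device
# type is not "crypt". No output means no swap area was found off dm-crypt.
swap_not_on_dmcrypt() {
    printf '%s\n' "$1" | while read -r path kind rest; do
        # Skip the header and blank lines.
        if [ -z "$path" ] || [ "$path" = "Filename" ]; then continue; fi
        # A swap file is only as protected as the filesystem it lives on;
        # report it so that can be checked by hand.
        if [ "$kind" = "file" ]; then printf '%s file\n' "$path"; continue; fi
        dev=${path##*/}
        # /proc/swaps may show /dev/mapper/<name> or /dev/dm-N, so match
        # against both the NAME and KNAME columns.
        type=$(printf '%s\n' "$2" |
               awk -v d="$dev" '$1 == d || $2 == d { print $3; exit }')
        if [ "$type" != "crypt" ]; then
            printf '%s %s\n' "$path" "${type:-unknown}"
        fi
    done
    return 0
}

# Constructed sample input: one swap area on a dm-crypt mapping and one
# (hypothetical /dev/sda7) directly on a plain partition.
SAMPLE_SWAPS='Filename      Type       Size     Used  Priority
/dev/dm-1     partition  5242876  0     -1
/dev/sda7     partition  1048572  0     -2'
SAMPLE_LSBLK='sda sda disk
sda5 sda5 part
sda5_crypt dm-0 crypt
sda6 sda6 part
sda6_crypt dm-1 crypt
sda7 sda7 part'

swap_not_on_dmcrypt "$SAMPLE_SWAPS" "$SAMPLE_LSBLK"

# On a live system:
#   swap_not_on_dmcrypt "$(cat /proc/swaps)" "$(lsblk -rno NAME,KNAME,TYPE)"
```

Empty output only says that no active swap area was found outside dm-crypt; if /proc/swaps contains nothing but its header, no swap is active at all, which is what a failed `mkswap` step can leave behind.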

