# Encrypt your swap devices, the safe and easy way

## Sachankara

"Howdy" folks,  :Wink: 

To make a long story short: I've been reading lots of posts on this forum on how to enhance the security on Linux using encrypted swap devices, but found no guide or script that was easy yet "complex" enough for me. They all required you to either know in advance which partitions to encrypt (something that might change between reboots, thus f*cking up your newly connected device's partitions) or required using old obscure loop devices. Thus I started to write my own script which encrypts all available mounted swap devices at boot using "Device Mapper". The script is also able to modprobe the necessary cipher modules, in case they aren't available when running the service.

Why encrypted swap devices?

Every time you log onto your computer the password is sent to PAM (Pluggable Authentication Module), which in turn encodes the password using a special algorithm. The encoded password is then compared to other pre-encoded passwords in a hidden database, and if it's a match, grants you access to your user. And here lies the problem: PAM stores the password in plain text in memory. Although the password is quite (very) safe within the memory, it can turn into a huge security problem if the memory holding the password(s) is cached to the swap device. An unauthorized user can then scan the swap devices for available passwords and, in the worst case, gain full access to your system. This is something we don't want (don't we?  :Wink: ).

The solution is not as difficult as one might believe. Simply encrypt the swap devices using random pass-phrases that the root user(s) doesn't even have access to. Each swap device gets its own random pass-phrase every time it's mounted/enabled, so the pass-phrase is never the same (well, it could happen, but the likelihood/risk is extremely small). This ensures that most people won't be able to read the data on the swap devices. (It is however not possible to protect your swap devices in case someone has the ability to directly read your kernel memory [correct me if I'm wrong], and if someone does, no non-military hardware in the world is going to protect your data. We're talking about encryption down to CPU process levels here.)

What do I need to enable swap encryption?

Well, you need a Linux kernel with LVM/Device Mapper and cryptographic support. You'll also need two applications (device-mapper and cryptsetup). Besides that, you need to have compiled your own kernel before, and also have one or more working swap devices set up in /etc/fstab ...

This guide is first and foremost written for Gentoo Linux using a 2.6 kernel. But it should work on other distributions too, with some modifications to the script setup. It should also work with some newer versions of Linux 2.4, but I haven't tried it personally.

---

Step 1:

Compile the Linux kernel with support for LVM/Device Mapper and cryptographic support.

```
$ su -
(Type your root password)
$ cd /usr/src/linux
(Make sure that /usr/src/linux points to your kernel source directory)
$ make menuconfig
```

Kernel configuration:

```
Device Drivers ---> Multi-device support (RAID and LVM) --->
[*] Multiple devices driver support (RAID and LVM)
<M>   Device mapper support
<M>     Crypt target support

Cryptographic options --->
<M>   AES cipher algorithms
```

```
$ mount /boot
(If you have /boot on a separate partition)
$ make && make modules_install install && modules-update
$ echo "dm-mod" >> /etc/modules.autoload.d/kernel-2.6
$ exit
```

Step 2:

Install the necessary applications.

```
$ sudo emerge device-mapper cryptsetup-luks
```

Step 3:

Install the service script.

```
$ su -
$ cd /usr/src/
$ wget http://joshua.haninge.kth.se/~sachankara/GPLv2/swap-encryption-r19.tgz
$ wget http://joshua.haninge.kth.se/~sachankara/GPLv2/swap-encryption-r19.tgz.md5
$ md5sum -c swap-encryption-r19.tgz.md5
$ tar xvfz swap-encryption-r19.tgz
$ cd swap-encryption-r19
$ make install
$ rc-update add swap-encryption default
$ exit
```

Step 4:

Reboot the computer for Device Mapper (the kernel part) to work.

```
$ sudo /sbin/shutdown -r now
```

---

That's all folks...  :Razz:  From now on, your swap devices will be automatically encrypted if they are valid swap devices mounted/enabled from /etc/fstab or by hand.

---

This document is under the "Creative Commons - Attribution / Share Alike" license. ( http://creativecommons.org/licenses/by-sa/2.0/ )

---

By the way, here's the script code for 1.1.10, in case you don't want to download it just to read it. (Remember, it might not always be up-to-date. Look for the link in the guide to get the latest version. It was version 1.2.1 by the time this post was last edited.)

```
#!/sbin/runscript
# Copyright 2005, Fredrik Blom - hdp03bfr"at"syd.kth.se
# Distributed under the terms of the GNU General Public License v2
# Ver 1.1.10 2005-01-14

# This script searches for all active swap devices and encrypts them
# via "Device Mapper". Why would anyone want that? Because systems like
# PAM (Pluggable Authentication Module) store passwords in plain text
# within the computer RAM, and if the memory is filled up, some parts
# might get moved to the swap (devices/partitions) where they can easily
# be retrieved. By encrypting the swap, you'll add an extra layer of
# security to your Linux system.

# Known problems:
#  - Can't reinitialize an encrypted device if it wasn't properly
#    shut down. To do so, please "redo" the swap device with mkswap
#    and swapon and then start the service.

# The cipher algorithm you want to use for the swap encryption
# Default: aes
# (AES is a very strong, military grade cipher algorithm, with
# only ~2-3% processing overhead.
# See: http://csrc.nist.gov/CryptoToolkit/aes/ )
CIPHER=aes

# If you're extra paranoid, enable this to fill the swap devices
# with random garbage when stopping the service. Warning: It
# may take quite a long time to stop the service with this
# option enabled depending on the size and speed of the swap
# devices. It should go faster on VIA Epia processors and similar
# with hardware accelerated encryption, through quantum mechanics,
# thermal noise, radiation, etc.
#
# Warning: Enabling this while using grsecurity with "Larger
#          entropy pools", will consume huge amounts of memory.
#          So make sure that you have more than 512 MB of memory
#          before using this.
#          If you don't know what grsecurity is, you don't have it.
#
# Default: 0
PARANOIA_MODE=0

# Don't change these three variables
DM_MAPPER=/dev/mapper/
DM_NAME=swap
MAX_KEYSIZE=1024

depend() {
   need urandom
   after urandom modules
}

encrypt_device() {
   # Synopsis: <device-string> <device-mapper-string> <key-string>
   # Description: 1. Disables the active swap device.
   #              2. Creates a new encrypted device
   #              3. Converts the encrypted device to swap storage
   #              4. Enables the newly encrypted swap device
   #
   # TODO/FIXME: Should we initialize the newly encrypted swap device
   #             using the same priority as the original non-
   #             encrypted device? All drives get the same priority
   #             at the moment (bad idea?)
   swapoff $1
   echo "$3" | cryptsetup -c $CIPHER create "${2#$DM_MAPPER}" "$1"
   mkswap $2 > /dev/null
   swapon -p 0 $2
   eend $?
}

restore_device() {
   # Synopsis: <device-mapper-string>
   # Description: 1. Disables the active DM swap device
   #              2. Removes the DM device
   #              3. If PARANOIA_MODE is enabled, fills the
   #                 original device with garbage data
   #              4. Converts the original device to swap storage
   #              5. Re-enables the old non-encrypted swap device
   #
   # TODO/FIXME: Should we restore the swap devices with the same
   #             priority as they had when they were encrypted?
   #             All devices get the same priority at the moment,
   #             which might not be the best solution. Please
   #             enlighten me, for I don't really know.
   dev="/dev/${1#$DM_MAPPER$DM_NAME}"
   einfo "  Restoring $1 as $dev"
   swapoff $1
   dmsetup remove $1
   if [ $PARANOIA_MODE -eq 1 ]
   then
      einfo "    Paranoia mode on $dev"
      dd if=/dev/urandom of=$dev bs=1M 2>/dev/null
      einfo "    Garbage data written"
   fi
   mkswap $dev > /dev/null
   swapon -p 0 $dev
   eend $?
}

find_cipher() {
   # Description: Searches for the requested cipher. Tries to
   #              modprobe it if it's not found.
   #
   # TODO/FIXME: There must be some way to make this code
   #             look better while being faster. Bash is
   #             very flexible, but I'm still learning things.
   if [ -z "`grep "$CIPHER" /proc/crypto | \
   while read ciphers
   do
      echo "$ciphers"
   done`" ]
   then
      ewarn "  Cipher \"$CIPHER\" not found. Trying to modprobe"
      modprobe "$CIPHER" 2>/dev/null
   fi
   eend $?
}

get_keysize() {
   # Synopsis: <empty-string>
   # Description: Scans /proc/crypto for the maximum requested
   #              cipher key size
   #
   # TODO/FIXME: Speed up the scan by using more efficient code
   found=0
   eval "$1=\"`cat /proc/crypto | \
   while read ciphers
   do
      if echo $ciphers | grep -q "$CIPHER"
      then
         found=1
      fi
      if [ $found -eq 1 ]
      then
         if echo $ciphers | grep -q "max keysize"
         then
            echo $ciphers | awk '{print $4}'
         fi
      fi
   done`\""
   eend $?
}

generate_key() {
   # Synopsis: <empty-string>
   # Description: Pipe data from the *nix urandom device to
   #              base64. By doing so, creating a keystring
   #              used for device encryption.
   #
   # Notice: Maximum keysize = 1024 bytes
   einfo "    Generating key"
   eval "$1=\"`head -c 747 /dev/urandom | base64 | tail -c $keysize`\""
   eend $?
}

activate() {
   # Synopsis: <device-string>
   # Description: 1. Generate a keystring for the particular
   #                 swap device that we wish to encrypt
   #              2. Encrypt the device using the keystring
   #                 and requested cipher
   einfo "  Found swap device $1"
   key=""
   generate_key key
   # Debug output: prints the generated key to the console
   ewarn "$key"
   einfo "    Encrypting device as $DM_MAPPER$DM_NAME${1#/dev/}"
   encrypt_device "$1" "$DM_MAPPER$DM_NAME${1#/dev/}" "$key"
   eend $?
}

start() {
   # Description: 1. Search /proc/crypto and see if the requested
   #                 cipher is available.
   #              2. Retrieve the maximum keysize used for the
   #                 device encryption.
   #              3. Scan the system for active swap devices and
   #                 encrypt them.
   #
   # TODO/FIXME: Place the if-test within the function get_keysize?
   ebegin "Enabling swap encryption"
   find_cipher
   keysize=""
   get_keysize keysize
   if [ "$keysize" -gt "$MAX_KEYSIZE" ]
   then
      ewarn "  Requested keysize is too large, correcting..."
      keysize=$MAX_KEYSIZE
   fi
   grep '/' /proc/swaps | \
   while read devices
   do
      if echo $devices | grep -qv "$DM_MAPPER"
      then
         activate $devices
      fi
   done
   eend $?
}

stop() {
   # Description: Scan system for active encrypted DM swap
   #              devices and disable them, while restoring
   #              the old ones.
   ebegin "Restoring encrypted swap devices"
   grep "$DM_MAPPER$DM_NAME" /proc/swaps | \
   while read devices
   do
      restore_device $devices
   done
   eend $?
}

restart() {
   # Description: Restart the service
   ebegin "Restarting swap encryption"
   svc_stop
   svc_start
   eend $?
}

# Changelog:
# 1.1.10 2005-01-14
# - Changed so generate_key can output a maximum of 1024
#   bytes instead of the previous 32 bytes. The old method
#   used md5sum while the new one uses base64. 1024 bytes
#   should be sufficient for most ciphers.
#   I'd like to thank "MaDsKiLLz" on the Gentoo Forums
#   for the help with generating larger keys.
# 1.1.9 2005-01-14
# - Small changes to the if-test that makes sure that the
#   key length isn't too long.
# - Fixed some of the function comments
# 1.1.8 2005-01-14
# - get_keysize doesn't search for the minimum pass-phrase
#   length anymore, instead it looks for the maximum length.
#   Although it still can't handle pass-phrases longer than
#   32 bytes.
# 1.1.7 2005-01-14
# - Added some todo/fix comments.
# 1.1.6 2005-01-13
# - Script doesn't re-read /proc/crypto anymore (to search
#   for the minimum keysize each time a new pass-phrase is
#   generated).
# Earlier versions:
# No changelog available
```
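An added shell example, not code from the original post or any release of the swap-encryption script: it shows the three pieces that the later bug reports in this thread trace back to (the /proc/crypto keysize scan, the device-mapper name derived from the swap path, and the key character set), plus the character-count arithmetic behind the later question about symbol characters. The helper names, the "swap-" prefix and the embedded /proc/crypto sample are constructed; a real run would feed cat /proc/crypto to max_keysize_for.

```shell
#!/bin/sh
# Added example (not the script from the original post). Each helper fixes
# one failure visible in the thread:
#  - get_keysize set found=1 on the first line mentioning the cipher and
#    never cleared it, so every later entry's "max keysize" was printed too
#    ("[: 32 56: integer expression expected"). max_keysize_for matches the
#    name field exactly and keeps only the largest value.
#  - $DM_MAPPER$DM_NAME${1#/dev/} kept the slashes of a path like
#    /mnt/swap/swap.img, giving /dev/mapper/swap/mnt/swap/swap.img
#    ("Command failed: Invalid argument"). dm_name_for flattens the path.
#  - base64 / [:graph:] keys contained `, ' or " and broke the eval.
#    generate_key uses [:alnum:] only.

# Constructed sample in the /proc/crypto layout shown in the thread.
SAMPLE_PROC_CRYPTO='name         : aes
module       : aes_i586
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32

name         : aes
module       : aes
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32

name         : serpent
module       : serpent
type         : cipher
blocksize    : 16
min keysize  : 0
max keysize  : 32

name         : blowfish
module       : blowfish
type         : cipher
blocksize    : 8
min keysize  : 4
max keysize  : 56'

# Print the largest "max keysize" (bytes) among the entries on stdin whose
# "name" field equals $1 exactly; print nothing and fail if there is none.
max_keysize_for() {
    awk -v want="$1" -v best=0 '
        $1 == "name" { cur = $3 }                 # first line of each entry
        $1 == "max" && $2 == "keysize" && cur == want {
            if ($4 + 0 > best) best = $4 + 0      # keep the largest only
        }
        END { if (best > 0) print best; else exit 1 }'
}

# Flat device-mapper name for a swap path: drop a leading /dev/ (or /) and
# turn every remaining "/" into "-", so the mapped device sits directly
# under /dev/mapper/ whether the swap is /dev/hda3, a devfs path or a file.
dm_name_for() {
    p="${1#/dev/}"
    p="${p#/}"
    printf 'swap-%s\n' "$(printf '%s' "$p" | tr '/' '-')"
}

# Key of exactly $1 characters from [0-9A-Za-z] (LC_ALL=C keeps the class
# ASCII). No shell metacharacters can appear, so the key survives
# eval and echo "$key" | cryptsetup ... unchanged.
generate_key() {
    LC_ALL=C tr -cd '[:alnum:]' < /dev/urandom | head -c "$1"
}

# Characters needed to carry $1 bits of entropy from an alphabet of $2
# symbols: ceil(bits / log2(alphabet)). 62 alnum symbols carry ~5.95 bits
# each, the 94 printable ASCII symbols ~6.55, so adding symbols saves only
# a few characters; a longer key is the simpler way to add entropy.
chars_needed_for_bits() {
    awk -v bits="$1" -v alpha="$2" 'BEGIN {
        n = bits / (log(alpha) / log(2))
        r = int(n)
        if (r < n - 1e-9) r = r + 1               # ceil with float slack
        print r
    }'
}

# Stand-alone demo over the sample: run as "sh example.sh demo".
if [ "${1:-}" = "demo" ]; then
    ks=$(printf '%s\n' "$SAMPLE_PROC_CRYPTO" | max_keysize_for aes) || exit 1
    echo "aes max keysize: $ks bytes"
    echo "dm name:         $(dm_name_for /mnt/swap/swap.img)"
    echo "key:             $(generate_key "$ks")"
    echo "alnum chars for 256 bits: $(chars_needed_for_bits 256 62)"
fi
```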

----------

## rkrenzis

Don't forget to add the "aes-i586" module to your autoload config.

File: /etc/modules.autoload.d/kernel-2.6

Otherwise the script will fall flat on its face.  Possibly an enhancement request to the script writer to modprobe for aes-i586.

Otherwise the directions work great!

----------

## angelacb

Neat script. I used to just put a few commands in local.start and local.stop.

Nice howto by the way.

Best Regards,

----------

## BlackEdder

One note: for the 2.6 kernel you don't need all this: 

```
make && make install && make modules && make modules_install && modules-update
```

```
make && make modules_install && make install
```

 is enough

----------

## Sachankara

 *rkrenzis wrote:*   

> Don't forget to add the "aes-i586" module to your autoload config.
> 
> File: /etc/modules.autoload.d/kernel-2.6
> 
> Otherwise the script will fall flat on its face.  Possibly an enhancement request to the script writer to modprobe for aes-i586.
> ...

 Hmm...  :Confused:  In which version of Linux is the aes module called aes-i586? I have two computers running Linux 2.6.7 with the Gentoo Hardened patches, and the module is simply called "aes" on them. Would it be possible for you to post your output from /proc/crypto ?

 *angelacb wrote:*   

> Neat script. I used to just put a few commands in local.start and local.stop.
> 
> Nice howto by the way.
> 
> Best Regards,

 Thanks...  :Smile: 

If you have any suggestions that might improve the script, please let me know.

 *BlackEdder wrote:*   

> One note: for the 2.6 kernel you don't need all this: 
> 
> ```
> make && make install && make modules && make modules_install && modules-update
> ```
> ...

 I know, I was just a bit too "paranoid". I think I'll change it the way you suggested.  :Smile:  Although, I don't think there's any harm keeping "modules-update".

----------

## MaDsKiLLz

If you want to use longer passwords you could use base64.

```
head -c 747 /dev/urandom | base64
```

This is how many bytes it'll print out:

```
powerspec root # head -c 747 /dev/urandom | base64 | wc -c
1024
powerspec root 
```

So that'll print out 1024 usable bytes

=)

----------

## Sachankara

 *MaDsKiLLz wrote:*   

> if you want to use longer passwords you could use base64.
> 
> ```
> 
> head -c 747 /dev/urandom | base64
> ...

 Thank you for the advice... I added it to the script...  :Smile: 

----------

## tuxophil

 *MaDsKiLLz wrote:*   

> if you want to use longer passwords you could use base64.
> 
> ```
> 
> head -c 747 /dev/urandom | base64
> ...

 

Hmm, here's an easier method that doesn't require base64 (I don't even have that executable on my full-blown desktop system!?): just filter out unwanted characters with tr.

Try these:

```
tr -cd 0-9a-f < /dev/urandom | head -c 100

tr -cd [:graph:] < /dev/urandom | head -c 100
```

Cheers

----------

## Sachankara

 *gschintgen wrote:*   

>  *MaDsKiLLz wrote:*   if you want to use longer passwords you could use base64.
> 
> ```
> 
> head -c 747 /dev/urandom | base64
> ...

 Oh, very nice...  :Smile:  I modified the script once more to use one of your methods which doesn't require base64...

----------

## pulverizer

Nice script. However I get this error at boot:

```
Enabling swap encryption...
Found swap device /dev/ide/host0/bus0/target0/lun0/part2
  Generating key
/sbin/rc: eval: line 1: syntax error near unexpected token `&'
/sbin/rc: eval: line 1: `key=""!g}B+s>EK|&NB|(5LO/-TLxk!cZRB"3"'
*    Encrypting device as /dev/mapper/swapide/host0/bus0/target0/lun0/part2
Command failed: Invalid argument
/dev/mapper/swapide/host0/bus0/target0/lun0/part2: No such file or directory
swapon: cannot stat /dev/mapper/swapide/host0/bus0/target0/lun0/part2: No such file or directory
```

Any ideas? Thanks.

----------

## lysergicacid

Got almost the same problem:

```
-(~:#)-> /etc/init.d/swap-encryption start
 * Enabling swap encryption ...                                                                                             [ ok ]
 *   Found swap device /mnt/swap/swap.img
 *     Generating key                                                                                                       [ ok ]
 * fpKHobOKT29q+KngAarY7NJdBCQ8MG
 *     Encrypting device as /dev/mapper/swap/mnt/swap/swap.img
Command failed: Invalid argument
/dev/mapper/swap/mnt/swap/swap.img: No such file or directory
swapon: cannot stat /dev/mapper/swap/mnt/swap/swap.img: No such file or directory                                           [ !! ]
&
/etc/init.d/swap-encryption: line 218: [: 32
56: integer expression expected
 *   Found swap device /mnt/swap/swap.img
 *     Generating key
tail: cannot open `56' for reading: No such file or directory                                       [ ok ]
 * 
 *     Encrypting device as /dev/mapper/swap/mnt/swap/swap.img
Command failed: Invalid argument
/dev/mapper/swap/mnt/swap/swap.img: No such file or directory
swapon: cannot stat /dev/mapper/swap/mnt/swap/swap.img: No such file or directory                   [ !! ]
```

Any ideas why, please, someone? I have the apps installed and modules loaded:

```
 Module                  Size  Used by
aes_i586               39412  0 
dm_mod                 64000  0 
w83627hf               30432  0 
blowfish                8512  0

Calculating dependencies ...done!
[ebuild   R   ] sys-libs/device-mapper-1.00.19-r1  0 kB 
[ebuild   R   ] sys-fs/cryptsetup-0.1  0 kB 
```

udev fs problem maybe? Permission or something?

----------

## Sachankara

 *pulverizer wrote:*   

> Nice script. However I get this error at boot:
> 
> ```
> Enabling swap encryption...
> 
> ...

 

 *lysergicacid wrote:*   

> got almost the same prob 
> 
> ```
> -(~:#)-> /etc/init.d/swap-encryption start
> 
> ...

 The script creates keys which might contain characters like `, ' and " and thus it won't always work... I'll fix it in a sec...  :Smile: 

----------

## Sachankara

The new version with the key generation fix is available now...  :Smile: 

http://joshua.haninge.kth.se/~sachankara/swap-encryption-1.1.13.tar.bz2

----------

## Sachankara

Guess I was blind... Now I see your other problems, which I'll have to fix as soon as I can. (I sort of assumed everyone mapped their swap devices under /dev/<device>, which wasn't very bright. Perhaps I should just bump the script down to version 0.1...  :Razz: )

----------

## Hasw

 *Sachankara wrote:*   

> Hmm...  In which version of Linux is the aes module called aes-i586? I have two computers running Linux 2.6.7 with the Gentoo Hardened patches, and the module is simply called "aes" on them. Would it be possible for you to post your output from /proc/crypto ?
> 
> 

 

IIRC aes-i586 is only available since 2.6.8.1. If you're using aes as disk encryption (not swap, unless you swap very much), you should use it, because it's a lot faster than the non-i586-optimized module.

```
server1 bin # cat /proc/crypto 
name         : aes
module       : aes_i586
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32
```

----------

## Sachankara

 *Sachankara wrote:*   

> Guess I was blind... Now I see your other problems, which I'll have to fix as soon as I can. (I sort of assumed everyone mapped their swap devices under /dev/<device>, which wasn't very bright. Perhaps I should just bump the script down to version 0.1... )

 Quoting myself, ehh...  :Smile:  Anyway, a new version is now available with the bugfix which makes the script able to encrypt all sorts of swap devices. The only devices it won't mount are under /dev/mapper...

http://joshua.haninge.kth.se/~sachankara/swap-encryption-1.1.14.tar.bz2

----------

## Sachankara

 *Hasw wrote:*   

>  *Sachankara wrote:*   Hmm...  In which version of Linux is the aes module called aes-i586? I have two computers running Linux 2.6.7 with the Gentoo Hardened patches, and the module is simply called "aes" on them. Would it be possible for you to post your output from /proc/crypto ?
> 
>  
> 
> IIRC aes-i586 is only available since 2.6.8.1. If you're using aes as disk encryption (not swap, unless you swap very much), you should use it, because it's a lot faster than the non-i586-optimized module.
> ...

 Ah, I'll look into it. See if I can implement several ciphers into the script tomorrow...

Edit: Actually, modprobing "aes" on 2.6.10 runs "aes-i586" automatically...

----------

## lysergicacid

OK, having tried the other script out too (https://forums.gentoo.org/viewtopic.php?t=277223&highlight=), I got this reply: http://thread.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt/674

It seems it's not good to encrypt a swap FILE; devices yes, but not a file, so I guess this is why it wouldn't work for me.

----------

## pulverizer

New version works great.  :Very Happy:  Nice job!

----------

## Sachankara

 *pulverizer wrote:*   

> New version works great.  Nice job!

 Thanks... I'm sorry for any annoying problems the earlier scripts might have caused. Please let me know if there's any way I can improve the script...  :Smile: 

----------

## lysergicacid

Deleted my swap file and set up a partition and all works fine  :Smile:  nice script  :Smile:  thank you

----------

## Sachankara

 *lysergicacid wrote:*   

> Deleted my swap file and set up a partition and all works fine  nice script  thank you

 Well, the script was faulty from the start anyway. It only worked with swap devices under /dev/<device>. It will be able to handle swap images from now on, but there's still the race condition problem within the kernel when using images and not partitions... Anyway, you already know that...  :Smile: 

By the way, thanks...  :Smile: 

----------

## fuoco

looks nice though I haven't tried yet.

Any chance to get this integrated with the hardened project? Like quite a few here, I'm using Gentoo Hardened too, and I think that hardened lacks a bit of security in this area, also /home encryption, which is the most vulnerable though most important component on most desktop/laptop systems.

So I think it would be nice to have this as official part of hardened. Easily adds another security layer. An ebuild to it would be nice too.

----------

## Coenobite

Fantastic script! I'm having a bit of trouble using it with the serpent cipher though...

I'm running Gentoo on a laptop with kernel 2.6.10 and version 1.1.14 of the swap-encryption script. I rebuilt the kernel adding serpent as a module, I changed the $CIPHER variable in the script to 'serpent' and added the serpent module to /etc/modules.autoload.d/kernel-2.6. Then I installed the script in /etc/init.d/ and added it to my default runlevel with rc-update. After rebooting I got this message during the boot sequence:

```
 * Enabling swap encryption...
 *   Found swap device /dev/hda3
 *     Generating key
head: cannot open '32' for reading: No such file or directory
 *     Encrypting device as dev-hda3
```

I then rebuilt the kernel with aes_i586 as a module, changed the script's $CIPHER variable back to the default 'aes' and added 'aes_i586' to /etc/modules.autoload.d/kernel-2.6. After rebooting it worked perfectly  :Smile:  - though with aes and not serpent   :Razz: 

I don't mind AES though, it's more than adequate for my purposes and I'm also planning on encrypting my root filesystem using dm-crypt with AES as the cipher. This would be safe right? Considering I'm already using dm-crypt to encrypt my swap partition.

Oh, and I rebuilt my kernel, statically adding CONFIG_CRYPTO_AES_586 and removing aes from /etc/modules.autoload.d/kernel-2.6

Thanks for a great script!   :Very Happy: 

----------

## Sachankara

 *Coenobite wrote:*   

> Fantastic script! I'm having a bit of trouble using it with the serpent cipher though...
> 
> I'm running Gentoo on a laptop with kernel 2.6.10 and version 1.1.14 of the swap-encryption script. I rebuilt the kernel adding serpent as a module, I changed the $CIPHER variable in the script to 'serpent' and added the serpent module to /etc/modules.autoload.d/kernel-2.6. Then I installed the script in /etc/init.d/ and added it to my default runlevel with rc-update. After rebooting I got this message during the boot sequence:
> 
> ```
> ...

 Thank you very much...  :Smile: 

I was unable to reproduce the "bug" for now, but I'll try it on another computer tomorrow and fix the problem as soon as possible.  :Smile: 

----------

## Sachankara

 *Coenobite wrote:*   

> Fantastic script! I'm having a bit of trouble using it with the serpent cipher though...
> 
> I'm running Gentoo on a laptop with kernel 2.6.10 and version 1.1.14 of the swap-encryption script. I rebuilt the kernel adding serpent as a module, I changed the $CIPHER variable in the script to 'serpent' and added the serpent module to /etc/modules.autoload.d/kernel-2.6. Then I installed the script in /etc/init.d/ and added it to my default runlevel with rc-update. After rebooting I got this message during the boot sequence:
> 
> ```
> ...

 Fixed the problem now... Now it should work with most, if not all ciphers...  :Smile: 

http://joshua.haninge.kth.se/~sachankara/swap-encryption-1.1.18.tar.bz2

----------

## Coenobite

Great!   :Very Happy: 

I'm backing up my root filesystem now, since I'm planning to encrypt it with dm-crypt. If everything goes well (knock on wood  :Razz: ) I'll reload the swap-encryption script with the serpent cipher again and see how it goes.

Thanks for the quick update, btw.

----------

## linux_girl

Could you make a URL like http://joshua.haninge.kth.se/~sachankara/swap-encryption-latest.tar.bz2

and add at the bottom of the script:

(if the internet is up; depends on net)

```
ping -c3 www.google.fr && wget http://joshua.haninge.kth.se/~sachankara/swap-encryption-latest.bz2  -O-|tar xjvf - -C /etc/init.d/
```

so every time you reboot you use the latest version  :Smile:   :Laughing: 

And remember, kid, a pro always makes a URL (symlink) that is version independent like the above  :Laughing: 

----------

## Khaine

This script sounds really cool, I will try it out next time I install gentoo 

 :Smile: 

----------

## Sachankara

 *Coenobite wrote:*   

> Great!  
> 
> I'm backing up my root filesystem now, since I'm planning to encrypt it with dm-crypt. If everything goes well (knock on wood ) I'll reload the swap-encryption script with the serpent cipher again and see how it goes.
> 
> Thanks for the quick update, btw.

 No problem... I just want the script to work as it should.  :Wink:  Good luck by the way...

----------

## Sachankara

 *linux_girl wrote:*   

> could u make an url like http://joshua.haninge.kth.se/~sachankara/swap-encryption-latest.tar.bz2
> 
> and add at the bottom of the script:
> 
> if internet is up depends on net
> ...

 I've added the symlink, but I don't understand what you mean about the other thing. Do you mean the script should be able to update itself each time it's stopped?

----------

## linux_girl

Yeah, that is what the code means. Congrats, you are a geek   :Laughing:   :Laughing:   :Laughing:   :Laughing:   :Laughing:   :Laughing: 

----------

## Sachankara

 *linux_girl wrote:*   

> Yeah, that is what the code means. Congrats, you are a geek       

 Ehh, okay?

I'll think about adding the auto-update code. It doesn't seem really useful. It's best to let the user update by himself, so any changes can be audited before "installation"... That's at least what I prefer to do. If someone has a good "counter argument", please let me know...

----------

## Sachankara

 *Khaine wrote:*   

> This script sounds really cool, I will try it out next time I install gentoo 
> 
> 

 If you do so, please let me know what you think of it, and if I should make any improvements...  :Wink:  Good luck...  :Smile: 

----------

## linux_girl

I get some error:

```
Found swap device /dev/ide/host0/bus0/target0/lun0/part13
Generating key
Encrypting device as dev-ide-host0-bus0-target0-lun0-part13
Command faild :invalid argument 
/dev/mapper/swapdev-ide-host0-bus0-target0-lun0-part13: No sutch file or directorie
swapon canot stat /dev/mapper/swapdev-ide-host0-bus0-target0-lun0-part13:
```

How can you get the startup log??

After startup I run:

/etc/init.d/swap-encryption start

and I get no errors  :Laughing: 

My swap is /dev/hda13 

```
mount|grep swap
```

shows no swap

----------

## Sachankara

 *linux_girl wrote:*   

> i get some error:
> 
> ```
> 
> Found swap device /dev/ide/host0/bus0/target0/lun0/part13
> ...

 1. Are you sure that you've installed all necessary user-space applications?

2. There's a FAQ in the script answering just that "problem". You need to "re-enable" the swap device if it wasn't properly restored by the script. Just run "mkswap /dev/hda13 && swapon /dev/hda13"...

----------

## linux_girl

The dev-mapper was missing.

I tried:

```
$swapoff /dev/hda13
$swapoff /dev/hda13
swapoff: /dev/hda13: Invalid argument
 $ mkswap /dev/hda13
Setting up swapspace version 1, size = 1028120 kB
 $ mkswap /dev/hda13
Setting up swapspace version 1, size = 1028120 kB
$swapon /dev/hda13
$swapon /dev/hda13
swapon: /dev/hda13: Device or resource busy
$mount|grep sw|wc
    0       0       0
```

and now rebooting

----------

## Sachankara

 *linux_girl wrote:*   

> the dev-mapper was missing
> 
> i tried :
> 
> ```
> ...

 I think you need to remove the "Device Mapper" device that the script created. "dmsetup remove </dev/device-mapper/name>"...

----------

## Sachankara

New version available.  :Smile:  Added more error checking...

http://joshua.haninge.kth.se/~sachankara/swap-encryption-1.2.0.tar.bz2

----------

## linux_girl

Worked after rebooting (no error). But

```
mount|grep swap
```

doesn't show the swap dev.

However, free shows the swap dev:

```
$ free -m
             total       used       free     shared    buffers     cached
Mem:           756        748          8          0         32        195
-/+ buffers/cache:        520        235
Swap:          980        307        673
```

I guess everything is OK?

----------

## Sachankara

 *linux_girl wrote:*   

> worked for after rebooting (no error  ) . but 
> 
> ```
> 
> mount|grep swap
> ...

 What does "cat /proc/swaps" show?

----------

## fuoco

Can encrypting swap devices make things slower?

----------

## MaDsKiLLz

you should use 

```
tr -cd 0-9A-Za-z .... 
```

it'll use the capitals too

----------

## Sachankara

 *fuoco wrote:*   

> Can encrypting swap devices make things slower?

 It'll add an overhead of around 2-3% when writing to the swap devices. You won't notice it... I don't, and I'm using it on an Athlon XP 1800+ and an AMD K6-2 500MHz...

----------

## Sachankara

 *MaDsKiLLz wrote:*   

> you should use 
> 
> ```
> tr -cd 0-9A-Za-z .... 
> ```
> ...

 Yep, you're right. Missed that... Thanks...  :Smile: 

----------

## Sachankara

Released yet another version... Here it is: http://joshua.haninge.kth.se/~sachankara/swap-encryption-1.2.1.tar.bz2

Please comment on anything that could be improved, if you find anything...  :Smile: 

----------

## Coenobite

 *Quote:*   

> tr -cd 0-9A-Za-z < /dev/urandom 2>/dev/null | head -c $keysize

 

Wouldn't it be more elegant to use

 *Quote:*   

> tr -cd [:alnum:] < /dev/urandom 2>/dev/null | head -c $keysize

 

[:alnum:] prints uppercase chars, lowercase chars and digits... Pretty much the same as '0-9A-Za-z' but a bit better I think   :Wink: 

 *Quote:*   

> man tr

   :Smile: 

----------

## Sachankara

 *Coenobite wrote:*   

>  *Quote:*   tr -cd 0-9A-Za-z < /dev/urandom 2>/dev/null | head -c $keysize 
> 
> Wouldn't it be more elegant to use
> 
>  *Quote:*   tr -cd [:alnum:] < /dev/urandom 2>/dev/null | head -c $keysize 
> ...

 Dang, you're right...  :Wink:  Thanks...  :Smile: 

Fixed it: http://joshua.haninge.kth.se/~sachankara/swap-encryption-1.2.2.tar.bz2

----------

## sm4x

Nice idea, but dm-crypt and crypto-loop are equally insecure. 

http://www.uwsg.iu.edu/hypermail/linux/kernel/0402.2/1137.html

http://jdoedoe.tripod.com/#2.3

----------

## Sachankara

 *sm4x wrote:*   

> Nice idea, but dm-crypt and crypto-loop are equally insecure. 
> 
> http://www.uwsg.iu.edu/hypermail/linux/kernel/0402.2/1137.html
> 
> http://jdoedoe.tripod.com/#2.3

 Interesting... Perhaps I'll have to change the script to support other means of encryption...

Though I find it quite sad that those who say there is a problem with dm-crypt won't use their knowledge to fix the security issue themselves, or at least guide those who are responsible for dm-crypt... :/

----------

## Khaine

Well I loaded linux back onto my server box, and used this script and it seems to work fine  :Smile: 

One quick question: tr -cd [:alnum:] < /dev/urandom 2>/dev/null | head -c $keysize prints uppercase chars, lowercase chars and digits. Wouldn't it be better to try and maximise the amount of characters used, to increase the entropy? I don't know how to implement it, but having a password like JB{:5f|Z&%!s seems more secure than one devoid of symbols, if not because it increases the number of characters that could possibly be used.

----------

## Cintra

 *Quote:*   

> Everytime you log onto your computer the password is sent to PAM (Pluggable Authentication Module), which in turn encodes the password using a special algorithm. The encoded password is then compared to other pre-encoded passwords in a hidden database, and if it's a match - grants you the access to your user. And here lies the problem: PAM stores the password in plain text in the memory. Although the password is quite (very) safe within the memory, it can turn into a huge security problem if the memory residing the password(s) is cached to the swap device. An unauthorized user can then scan the swap devices for available passwords and, in worst case, gain full access to your system. This is something we don't want (do we? Wink). 

 

Hei

Having just read through this thread and, not knowing much about PAM, I ask myself the question: why does PAM leave an unencrypted copy of the password in memory in the first place? Shouldn't something rather be done with PAM to fix that specific problem?

mvh

----------

## Sachankara

 *Cintra wrote:*   

>  *Quote:*   Everytime you log onto your computer the password is sent to PAM (Pluggable Authentication Module), which in turn encodes the password using a special algorithm. The encoded password is then compared to other pre-encoded passwords in a hidden database, and if it's a match - grants you the access to your user. And here lies the problem: PAM stores the password in plain text in the memory. Although the password is quite (very) safe within the memory, it can turn into a huge security problem if the memory residing the password(s) is cached to the swap device. An unauthorized user can then scan the swap devices for available passwords and, in worst case, gain full access to your system. This is something we don't want (do we? Wink).  
> 
> Hei
> 
> Having just read through this thread and, not knowing much about PAM, I ask myself the question: why does PAM leave an unencrypted copy of the password in memory in the first place? Shouldn't something rather be done with PAM to fix that specific problem?
> ...

 Well, as far as I understand; if you were to encrypt the passwords within the memory, you'd still be able to read the key used to encrypt the passwords, so it'd be useless. The only solution I see is to have a hardware device which generates the keys used for the password encryption, and that device mustn't be able to be read. Instead, the passwords are sent through the device which encrypts them and then returns the encrypted password...

Although I could be wrong and the solution might even be as simple as overwriting the password within the memory once it has been verified...  :Razz: 

Protecting your computer memory against direct physical access (reading) will always be a problem... If one gets access to it, you're f***ed anyway (for example, all keys used to encrypt your devices and similar are then easily readable)...

----------

## Sachankara

 *Khaine wrote:*   

> Well I loaded linux back onto my server box, and used this script and it seems to work fine 
> 
> One quick question: tr -cd [:alnum:] < /dev/urandom 2>/dev/null | head -c $keysize prints uppercase chars, lowercase chars and digits. Wouldn't it be better to try and maximise the amount of characters used, to increase the entropy? I don't know how to implement it, but having a password like JB{:5f|Z&%!s seems more secure than one devoid of symbols, if not because it increases the number of characters that could possibly be used.

 Yes, the more characters the better. But there's a problem: many of the characters have special meanings in *nix, like the pipe sign |, or quote ". Those characters can't be used for the keys, and since only A-Za-z0-9 are characters that one can trust, those are the ones that I use.

Of course I could implement something like "A-Za-z0-9#,.!{}()[]+-_:*~", but I don't know if it truly makes any difference. As long as you don't have a true hardware randomization device, your passwords will be predictable, even if the chances are very small (minuscule).
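
An added example, not part of Sachankara's script or of any post in this thread, showing what the key-generation one-liner discussed above actually yields and why the character-class question matters less than it looks. The character class is quoted (unquoted, `[:alnum:]` is a shell glob that matches a file named `a`, `l`, `n`, `u`, `m` or `:` in the working directory, and the key silently shrinks), the entropy per character is computed for the 62-character alphanumeric set and for the 94 printable non-space ASCII characters, and 32 bytes read raw from /dev/urandom are shown to carry 256 bits, which is exactly what `cryptsetup -d /dev/urandom` consumes without any filtering. The function names and the 32-character key length are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example, not code from the swap-encryption script. Assumes a Linux
# /dev/urandom and POSIX tr, head, od, awk and wc. Function names are made up.

# gen_key LENGTH [CLASS]: the thread's one-liner, with the class quoted.
# Unquoted, [:alnum:] is a bracket-expression glob: if a file named a, l, n,
# u, m or : exists in the working directory the shell substitutes that name
# and tr keeps only those characters. 2>/dev/null hides tr's "write error:
# Broken pipe", raised once head has read its LENGTH bytes and exited.
gen_key() {
    len=$1
    class=${2:-'[:alnum:]'}
    LC_ALL=C tr -cd "$class" < /dev/urandom 2>/dev/null | head -c "$len"
}

# raw_hex_key BYTES: what cryptsetup -d /dev/urandom reads, rendered as hex.
# Nothing is filtered out, so every byte keeps all 8 bits of entropy.
raw_hex_key() {
    head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# charset_size CLASS: how many of the 256 byte values survive tr -cd CLASS.
# Feeds bytes 0..255 through tr in the C locale and counts what comes out.
charset_size() {
    i=0
    while [ "$i" -lt 256 ]; do
        printf "\\$(printf '%03o' "$i")"
        i=$((i + 1))
    done | LC_ALL=C tr -cd "$1" | wc -c | tr -d ' '
}

# key_bits LENGTH SIZE: entropy of LENGTH symbols drawn uniformly from an
# alphabet of SIZE, floor(LENGTH * log2(SIZE)). awk's log() is natural, hence
# the division; the epsilon keeps exact powers of two from rounding down.
key_bits() {
    awk -v n="$1" -v s="$2" 'BEGIN { printf "%d\n", int(n * log(s) / log(2) + 1e-9) }'
}

# report: 32 alphanumerics vs 32 printable characters vs 32 raw bytes.
report() {
    a=$(charset_size '[:alnum:]')   # 62: 0-9A-Za-z
    p=$(charset_size '[:graph:]')   # 94: every printable ASCII except space
    printf '%-30s %3s symbols %4s bits\n' "tr -cd '[:alnum:]', 32 chars" "$a" "$(key_bits 32 "$a")"
    printf '%-30s %3s symbols %4s bits\n' "tr -cd '[:graph:]', 32 chars" "$p" "$(key_bits 32 "$p")"
    printf '%-30s %3s symbols %4s bits\n' "raw /dev/urandom, 32 bytes" 256 "$(key_bits 32 256)"
}

if [ "${1:-}" = report ]; then report; fi
```

Run it as `sh keybits.sh report`. The symbol set only matters when the key has to pass through a shell or a config file as text; adding the 32 punctuation characters buys about 19 bits over 32 alphanumerics, while handing cryptsetup the raw bytes (bld's `-d /dev/urandom` form) gives the full 8 bits per byte and sidesteps the quoting problem entirely.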

----------

## Master One

I am just getting into that encryption matter, and I was wondering:

1. On most machines with a large amount of RAM (> 512 MB), swap gets hardly used at all, so do you really think it makes sense to nevertheless encrypt it?

2. Did anybody check the latest ~x86 baselayout, which has filesystem encryption included (using /etc/init.d/checkfs and /etc/conf.d/cryptfs)? (Looks like the new baselayout will render such scripts obsolete)

(I was already playing around with the new feature in baselayout, but for some reason I couldn't get cryptsetup to work at all, and due to some other issues I am now reinstalling the whole system on my new notebook, so it may take a while until I can play around with it again)

----------

## Sachankara

 *Master One wrote:*   

> I am just getting into that encryption matter, and I was wondering:
> 
> 1. On most machines with a large amount of RAM (> 512 MB), swap gets hardly used at all, so do you really think it makes sense to nevertheless encrypt it?
> 
> 2. Did anybody check the latest ~x86 baselayout, which has filesystem encryption included (using /etc/init.d/checkfs and /etc/conf.d/cryptfs)? (Looks like the new baselayout will render such scripts obsolete)
> ...

 1. Yes, I think so... I know Linux hardly uses any swap unless it's absolutely necessary, but when it does, you can count on it putting your PAM password into the swap (since it's just normal data - which is exactly what kswapd will put on the swap)...

2. No, I'm not experimenting with any ~x86 stuff. But I'll implement as many encryption features as possible when they're available as non-testing...

----------

## Master One

Ok, just finished my "Stage 1 on a Stage 3 tarball" installation, and using the new ~x86 baselayout indeed renders most of the guides & scripts for filesystem encryption obsolete.

I just activated the swap encryption only by setting the proper options in /etc/conf.d/cryptfs and changed "/dev/hda2" to "/dev/mapper/crypt-swap" in the line for the swap partition in /etc/fstab. Was up and running in no time, and it works right out of the box like a charm.  :Smile: 

----------

## Cintra

 *Master One wrote:*   

> ..using the new ~x86 baselayout indeed renders most of the guides & scripts for filesystem encryption obsolete. I just activated the swap encryption only by setting the proper options in /etc/conf.d/cryptfs and changed "/dev/hda2" to "/dev/mapper/crypt-swap" in the line for the swap partition in /etc/fstab. Was up and running in no time, and it works right out of the box like a charm. 

 

Hei

can you clarify a little or point to respective docs

your /etc/conf.d/cryptfs for example..  :Wink: 

my swap is btw

```
/dev/hda5  none  swap  sw   0 0
```

thanks

----------

## Master One

As there are no docs available until now, I just wrote a quick and dirty howto, which can be found here.

Although it is working fine, I already had to disable swap encryption again, because an encrypted swap disables the possibility to use swsusp2.

There is a way, how to have both, but I need a little help on this matter, please see this thread.

----------

## Cintra

 *Master One wrote:*   

> As there are no docs available until now, I just wrote a quick and dirty howto, which can be found here.
> 
> 

 

Many thanks Master One

mvh

----------

## Vietor

 *Master One wrote:*   

> I am just getting into that encryption matter, and I was wondering:
> 
> 1. On most machines with large amount of RAM (> 512 MB), swap gets hardly used at all, so do you really think it makes sense to nevertheless encrypt it?
> 
> 

 

It only needs to be used once. Have a look for yourself.

```
strings < /dev/SWAP | less
```

then search for your root password. . . .

Also consider, what is the point of encrypting your swap? To protect your system. 

Consider the attacker who gains access to an account on your system for a few minutes. Then proceeds to run code that expands to fill all available RAM, pushing everything else out to swap.

When designing for secure operations you must hypothetically grant the attacker control of everything but that which you are currently trying to protect. Fight them as if they had everything else at their disposal. Otherwise you are only preparing yourself for failure.

----------

## Master One

Ok, Vietor, you convinced me, but as long as I cannot solve the issue of how to use swsusp2 with an encrypted swap, I'll have to leave swap encryption disabled. If anyone can help concerning building a working initrd, please have a look at this topic.

----------

## linux_girl

What's the difference between AES multi-key and single-key, and how do I get it?

I am also encrypting my home partition using a homemade

```
cat /etc/conf.d/local.start 
# /etc/conf.d/local.start:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/conf.d/local.start,v 1.4 2002/11/18 19:39:22 azarah Exp $
# This is a good place to load any misc.
# programs on startup ( 1>&2 )

cryptsetup -c aes create home /dev/hdb1
mount /dev/mapper/home /home
```

Plus I have added a 500MB file that I encrypt using losetup+cryptsetup with the help of a bash script in my home, where I store text files and critical info.

----------

## Chaosite

 *Vietor wrote:*   

> It only needs to be used once. Have a look for yourself.
> 
> ```
> strings < /dev/SWAP | less
> ```
> ...

 

Alright, I'll bite.

Yes, you can find your root password in your swap.

But, where exactly is it? Its 1 string out of many. There is no way an attacker can find out exactly which one of the many strings represents your root password.

Also, linux_girl:

Yeah, that little tidbit will work. But why not use the Gentoo baselayout way of doing it (and not break your fstab?)

----------

## linux_girl

Let's say you can rip 500MB of valid strings from your swap (passwords are 6 characters at least), hehehe. That's an easy way to get a wordlist from which to choose password candidates and try them against your hash with John the Ripper, and that won't take much time to guess your passwords! 500MB of valid strings from 1GB of swap, while the keyspace of all passwords for the old crypt is 2^56 = 72057594037927936 passwords.

----------

## Sachankara

 *Chaosite wrote:*   

> But, where exactly is it? Its 1 string out of many. There is no way an attacker can find out exactly which one of the many strings represents your root password.

 No way? There's always a way...

----------

## Sachankara

 *Vietor wrote:*   

> When designing for secure operations you must hypothetically grant the attacker control of everything but that which you are currently trying to protect. Fight them as if they had everything else at their disposal. Otherwise you are only prepairing yourself for failure.

 Words of wisdom...  :Smile:  May I quote you on that?

----------

## alberich

Hi,

I've installed your script (great work!  :Smile: ) and it seems to work, but I am not sure, if I did everything right when installing it. My swap Partition is /dev/hda1

The /etc/fstab entry:

```
/dev/hda1               none            swap            pri=42                  0 0
```

So when I boot Gentoo, dmesg gives the following message:

```
root # dmesg | grep swap
Adding 1036152k swap on /dev/hda1.  Priority:42 extents:1
Adding 1036152k swap on /dev/mapper/swapdev-hda1.  Priority:0 extents:1
```

Executing the command strings on each partition gives for

```
root # strings < /dev/mapper/swapdev-hda1
```

some strange output as it should be. But 

```
root # strings < /dev/hda1
```

(that's the swap partition)  yields the same output as I had before encrypting the swap partition. It's just plaintext.

That shouldn't be, but I don't see any error...  :Question:   Maybe I just don't understand the whole thing thoroughly enough, so can anyone tell me what's wrong here?

Cheers

----------

## Sachankara

 *alberich wrote:*   

> Hi,
> 
> I've installed your script (great work! ) and it seems to work, but I am not sure, if I did everything right when installing it. My swap Partition is /dev/hda1
> 
> The /etc/fstab entry:
> ...

 You mean that you do the following:

1. Encrypt the swap partition using the script.

2. View the data on the encrypted swap partition.

3. Restore the original swap partition.

4. View the data on the swap partition.

?

Then the answer is simple: the encrypted data is still present after you've restored the swap partition (but it is encrypted). If you are paranoid and don't even want the encrypted data to remain after a restore, then set the variable "PARANOIA_MODE" to 1 within the script.

----------

## alberich

Hello,

 *Sachankara wrote:*   

> 
> 
> You mean that you do the following:
> 
> 1. Encrypts the swap partition using the script.
> ...

 

um, no I mean directly after finishing the boot process. After I log in I can do a

```
strings < /dev/hda1
```

as well as

```
strings < /dev/mapper/swapdev-hda1
```

In the first case I see plaintext and in the second some random data. I do not restore anything (at least I think so  :Very Happy: ). It seems it is both, encrypted and not encrypted... But I also have an encrypted filesystem, therefore dm-crypt and whatever is needed should work.

I think it's a  case of "PEBCAK" but I don't see my mistake, yet.  :Very Happy: 

Cheers

----------

## Nimo

Could you please make a version of the script that will work with initng too? (if it's not too much work)

----------

## user

a script like this?

 *Quote:*   

> 
> 
> root # grep swap /etc/fstab
> 
> /dev/hda2               none            swap            sw,loop=/dev/loop/2,encryption=AES128           0 0
> ...

 

----------

## Sachankara

 *Nimo wrote:*   

> Could you not please make a version of the script that will work with initng to? (if it's not too much work)

 I'm unable to do it right now, but perhaps in two weeks from now. I'm currently studying four courses at the same time, which is equal to 80 work hours a week.  :Razz: 

----------

## svf

 *Vietor wrote:*   

> 
> 
> Also consider, what is the point of encrypting your swap? To protect your system. 
> 
> Consider the attacker who gains access to an account on your system for a few minutes. Then proceeds to run code that expands to fill all available RAM, pushing everything else out to swap.
> ...

 

I think the point of swap encryption is to keep critical data safe between power-offs and/or reboots.

You may have the strongest algo+pass for your data/home partitions, but this doesn't matter if your plaintext pass is somewhere on your unencrypted swap.

Just my thoughts.

ah btw.. sorry for bad english  :Wink: 

cya

----------

## bld

Can you explain to me, from the security perspective, what's the difference between this entire script and these[1] 3 lines in your local.start file?

[1] 

```
/usr/sbin/cryptsetup -c serpent -d /dev/urandom create enc-swap /dev/hdb1
mkswap /dev/mapper/enc-swap
swapon /dev/mapper/enc-swap
```

Apart from the error checking, of course.
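
An added example that is not part of Sachankara's script or of any post in this thread. It takes the three lines from the post above and wraps them in the two checks the script exists for: the device must carry a swap signature before cryptsetup is allowed to touch it (the point made later about a stale conf.d or fstab entry clobbering a filesystem), and the plaintext area must be swapped off before the mapping is enabled (the dmesg output earlier in the thread showed /dev/hda1 and /dev/mapper/swapdev-hda1 active side by side). It adds the shutdown half that puts a plain signature back, and a small audit of /proc/swaps, which is where active swap is listed (mount never shows it) and where a "(deleted)" suffix marks a mapping whose device node has gone away. Function names, the mapper name, the cipher and key size, and the constructed /proc/swaps sample are all assumptions made for the illustration.

```sh
#!/bin/sh
# Added example, not the swap-encryption script itself. Assumes Linux,
# util-linux swapon/swapoff/mkswap and cryptsetup; encrypt_swap and
# restore_swap need root and a real block device, the check and audit
# functions run unprivileged. Names, cipher and sample data are made up here.

# is_swap_device DEV [PAGESIZE]
# A Linux swap area keeps its magic in the last 10 bytes of the first page:
# "SWAPSPACE2", or "SWAP-SPACE" for the old v0 layout. Checking it before
# cryptsetup runs is what stops a stale fstab or conf.d entry from turning a
# filesystem that now sits at that device name into ciphertext. Needs read
# access to DEV; an unreadable device yields no magic and is refused.
is_swap_device() {
    dev=$1
    page=${2:-$(getconf PAGESIZE)}
    magic=$(dd if="$dev" bs=1 skip=$((page - 10)) count=10 2>/dev/null)
    case "$magic" in
        SWAPSPACE2|SWAP-SPACE) return 0 ;;
        *)                     return 1 ;;
    esac
}

# plaintext_swaps [FILE]: active swap areas that are not device-mapper
# targets, i.e. everything currently being written to disk in the clear.
plaintext_swaps() {
    awk 'NR > 1 && $1 !~ /^\/dev\/mapper\// { print $1 }' "${1:-/proc/swaps}"
}

# stale_swaps [FILE]: mappings whose device node has vanished; the kernel
# appends "(deleted)" and swapoff by that name fails, so the way out is
# dmsetup remove on the plain mapper name.
stale_swaps() {
    awk 'NR > 1 && $1 ~ /\(deleted\)$/ { print $1 }' "${1:-/proc/swaps}"
}

# encrypt_swap DEV NAME: refuse anything that is not a swap area, swap off
# the plain area so it is never active next to its encrypted twin, map it
# with a throwaway key read straight from /dev/urandom (no text filtering,
# 8 bits per byte), write a fresh signature on the mapping and enable it.
encrypt_swap() {
    dev=$1 name=$2
    is_swap_device "$dev" || { echo "refusing: $dev carries no swap signature" >&2; return 1; }
    swapoff "$dev" 2>/dev/null || true
    cryptsetup -c aes-cbc-essiv:sha256 -s 256 -d /dev/urandom create "$name" "$dev" || return 1
    mkswap "/dev/mapper/$name" > /dev/null || return 1
    swapon "/dev/mapper/$name"
}

# restore_swap DEV NAME: the shutdown half. Tear the mapping down and write a
# plain signature back so next boot's is_swap_device check passes; the old
# ciphertext stays on disk, but the key that produced it died with the mapping.
restore_swap() {
    dev=$1 name=$2
    swapoff "/dev/mapper/$name" || return 1
    cryptsetup remove "$name" || return 1
    mkswap "$dev" > /dev/null
}

# sample_proc_swaps: a constructed /proc/swaps modelled on the listings posted
# in this thread, so the audit functions can be exercised without root.
sample_proc_swaps() {
    printf 'Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n'
    printf '/dev/hda1\t\t\t\tpartition\t1036152\t0\t42\n'
    printf '/dev/mapper/swapdev-hda1\t\tpartition\t1036152\t0\t0\n'
    printf '/dev/mapper/swapdev-hda2\\040(deleted)\tpartition\t1052248\t1052248\t0\n'
}
```

Against the sample, `plaintext_swaps` reports only /dev/hda1 (the situation alberich described, where the raw partition was still active under the mapping) and `stale_swaps` reports the "(deleted)" entry. On current cryptsetup the `create` and `remove` actions are spelled `open --type plain` and `close`; the arguments are otherwise the same.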

----------

## opentaka

pretty cool howto, 

just don't forget to autoload it duh  :Smile: 

cheers,

----------

## friendsfan

I have been using your excellent script for 195 days now without problems. But by now it was time to restart it. But as it seems, during that time some things got a little borked. That's what I get when I try to restart it:

```
/etc/init.d/swap-encryption restart
 * Restarting swap encryption ...
 * Restoring encrypted swap devices ...                                                               [ ok ]
 *   Restoring /dev/mapper/swapdev-hda2040(deleted) as /dev/hda2040(deleted)
swapoff: /dev/mapper/swapdev-hda2040(deleted): No such file or directory
dm_task_set_name: Device /dev/mapper/swapdev-hda2040(deleted) not found
Command failed
/dev/hda2040(deleted): No such file or directory
swapon: cannot stat /dev/hda2040(deleted): No such file or directory                                  [ !! ]
 * WARNING:  "swap-encryption" has already been started.                                              [ ok ]
```

A look at the swap itself gives me that:

```
cat /proc/swaps
Filename                                Type            Size    Used    Priority
/dev/mapper/swapdev-hda2\040(deleted)   partition       1052248 1052248 0                                   
```

I tried to zap the script and start it again. That works without an error when starting up. I still end up with the same error when I do a restart again though. Also I seem to have a "new" hda20 partition due to that now:

```
mount /dev/hda2
hda2   hda20                                                                                                
```

I cannot really access it of course, as it's not really there I guess. I also tried to create a "normal" swap space on my swap partition (hda2), which only gave me a "device busy" due to the fact that swap-encryption still has control over it.

So I'm kinda clueless on how to restart the swap script without actually restarting my box (which isn't really an option   :Laughing:  ) and would appreciate some good ideas...

friendsfan

----------

## Sachankara

 *friendsfan wrote:*   

> i am using your excellent script now for 195 days without problems. But by now it was time to do a restart of it. But as it seems, during the time, some things got a little borked. Thats what i get when i try restart it:
> 
> ```
> /etc/init.d/swap-encryption restart
> 
> ...

 A bit late, but you could always remove the device mapper map with "dmsetup remove /dev/mapper/swapdev-hda2".

The problem most likely started with the new cryptsetup-luks. I'll take a look at it...

----------

## Sachankara

Strange, but I couldn't find any errors. Perhaps the script has been corrupted on your side? :/

I've released a new version though, with a new function and a proper Makefile.  :Smile: 

http://joshua.haninge.kth.se/~sachankara/GPLv2/swap-encryption-r14.tgz

http://joshua.haninge.kth.se/~sachankara/GPLv2/swap-encryption-r14.tgz.md5

----------

## orange_juice

Hallo!

I am using your nice script for at least one year now. The last time I downloaded the file was called 

swap-encryption-latest.tar.bz2 and it was a couple of months ago. Works great. 

Now I have downloaded swap-encryption-r14 for a fresh gentoo box and I receive the following error:

```
* Enabling swap encryption...                                                                   [ok]
* Found swap device                                          
* Generating key                                                                                [ok]
* Encrypting device as
usage: swapoff [-hV]
       swapoff -a [-v]
       swapoff [-v] special...
Command failed: Block device required
/dev/mapper/swap: No such file or directory
swapon: cannot stat /dev/mapper/swap: No such file or directory                                   [!!]
```

After rebooting having deactivated the encryption, I receive:

```
* Activating (possibly) more swap...                                           [!!]
swapon: /dev/hda6: Invalid argument
```

Which disappears if I mkswap again...

What seems to be wrong?

kind_regards,

orange_juice

----------

## Sachankara

 *orange_juice wrote:*   

> Hallo!
> 
> I am using your nice script for at least one year now. The last time I downloaded the file was called 
> 
> swap-encryption-latest.tar.bz2 and it was a couple of months ago. Works great. 
> ...

 Oh, sorry, I missed that thing. But I've fixed it now:

http://joshua.haninge.kth.se/~sachankara/GPLv2/swap-encryption-r15.tgz

http://joshua.haninge.kth.se/~sachankara/GPLv2/swap-encryption-r15.tgz.md5

 :Smile: 

----------

## Sachankara

Ehum...  :Rolling Eyes: 

http://joshua.haninge.kth.se/~sachankara/GPLv2/swap-encryption-r16.tgz

http://joshua.haninge.kth.se/~sachankara/GPLv2/swap-encryption-r16.tgz.md5

----------

## orange_juice

Howdy my friend! 

Thank you very much! It works great.

Kind regards,

orange_juice

----------

## slick

I simply use this out of the box:

/etc/fstab

```
/dev/hda1 none swap sw,loop=/dev/loop7,encryption=AES128 0 0 
```

I think it's enough for the swap.

----------

## orange_juice

Sounds interesting.

Although you need to enable Cryptoloop support in the kernel as /var/log/genkernel.log reads:

```
Cryptoloop Support (BLK_DEV_CRYPTOLOOP) [N/m/y/?] n
```

However, I have created a new post called Swap encryption with cryptoloop? [solved] because I think it would probably be out of subject to discuss this issue at this post.

Kind regards,

orange_juice

Last edited by orange_juice on Thu Jun 22, 2006 9:19 pm; edited 1 time in total

----------

## Sachankara

 *slick wrote:*   

> I simply use this out of the box:
> 
> /etc/fstab
> 
> ```
> ...

 That is pretty cool and almost makes my script obsolete.  :Smile:  Unfortunately, that method is not safe, unless you know you're never going to remove/add/change partitions, or connect the HD to another cable. It'll simply overwrite anything that might exist on the partition, even if it contained a perfectly legit Ext3 FS. Don't get me wrong, I'm not against what you suggested, it's just that it only works on purely "static" systems, where one doesn't fiddle around too much with the partitions (one might forget to change fstab when partitioning).

But I'll add it to the main post of this thread. Most will probably prefer that simple solution.

----------

## orange_juice

I am afraid that cryptoloop is much inferior to dm-crypt as an encryption method. This has been known since 2004... 

Kind regards,

orange_juice

----------

## orange_juice

Hallo!

Do you think it is possible to setup swap-encryption to work with 

```
sys-fs/cryptsetup-luks
```

Actually, I am trying to install ivman for automounting my dvs and this application uses cryptsetup-luks which is being blocked by cryptsetup.

Just a question!

Kind regards,

orange_juice

----------

## Sachankara

 *orange_juice wrote:*   

> Hallo!
> 
> Do you think it is possible to setup swap-encryption to work with 
> 
> ```
> ...

 Yep.  :Smile:  Just uninstall cryptsetup and install cryptsetup-luks. It works just fine...

----------

## orange_juice

I just did it and while everything worked fine previously, now I receive the following error:

```
* Caching service dependencies ...                                                                                   [ ok ]
 * Enabling swap encryption ...                                                                                       [ ok ]
 *   Found swap device /dev/hda6
 *     Encrypting device as dev-hda6, priority -5
Command failed: Invalid argument
/dev/mapper/swapdev-hda6: No such file or directory
swapon: cannot stat /dev/mapper/swapdev-hda6: No such file or directory                                               [ ok ]
```

I have the latest version installed: swap-encryption-r16.

Although the encryption is initialized, I have no swap memory...

Kind regards,

orange_juice

----------

## Sachankara

Which version of cryptsetup-luks do you have? I'm currently using 1.0.1-r1, but I'll try out the latest one now...

Edit: Well it worked with 1.0.3-r2 for me. I'll continue working on the issue.  :Smile: 

----------

## Sachankara

Could you do me a favor and add the following to line 127, just before cryptsetup is run? 

```
    echo \"$CIPHER\" \"$DM_NAME$2\" \"$1\"
```

 And please reply to this post with the output you get...

It should look something like this: 

```
 * Enabling swap encryption ...                                           [ ok ]
 *   Found swap device /dev/hda2
 *     Encrypting device as dev-hda2, priority -8
"aes" "swapdev-hda2" "/dev/hda2"                                          [ ok ]
```

You could also make sure that aes is available by doing the following: 

```
cat /proc/crypto
```

 Which should output something like this: 

```
name         : aes
driver       : aes-generic
module       : aes
priority     : 100
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32
```

----------

## Sachankara

I've released a new version:

http://joshua.haninge.kth.se/~sachankara/GPLv2/swap-encryption-r17.tgz

http://joshua.haninge.kth.se/~sachankara/GPLv2/swap-encryption-r17.tgz.md5

Unfortunately, I don't think this release will solve the latest problems. I need more information to be able to solve it.

----------

## Sachankara

Hmm... Still haven't been able to replicate the problem. Please try the latest version and see if it works for you.

----------

## orange_juice

Hallo!

I apologise for the delay, I had to be out (of the computer...) for a while.

New release seems to be working great, thank you!!!

```
# /etc/init.d/swap-encryption start
 * Caching service dependencies ...                                                                                   [ ok ]
 * Enabling swap encryption ...                                                                                       [ ok ]
 *   Found swap device /dev/hda6
 *     Encrypting device as dev-hda6, priority -1                                                                     [ ok ]
```

A couple of things I should have answered earlier...

My cryptsetup-luks version is the latest:

```
sys-fs/cryptsetup-luks-1.0.3-r2
```

```
cat /proc/crypto
name         : aes
driver       : aes-i586
module       : kernel
priority     : 200
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32

name         : md5
driver       : md5-generic
module       : kernel
priority     : 0
type         : digest
blocksize    : 64
digestsize   : 16

name         : twofish
driver       : twofish-generic
module       : kernel
priority     : 0
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32
```

Just an observation:

At the beginning of the howto...

 *Sachankara wrote:*   

> 
> 
> $ tar xvfj swap-encryption-r17.tgz

 

Should be changed to 

```
 tar xvfz swap-encryption-r17.tgz
```

Thank you for your help and your valuable support.

Kind regards,

orange_juice

----------

## Sachankara

 *orange_juice wrote:*   

> Hallo!
> 
> I apologise for the delay, I had to be out (of the computer...) for a while.
> 
> New release seems to be working great, thank you!!!
> ...

 Well, thank you (and everyone else), for helping me make the script better.  :Smile:  And thanks for the heads up on the mistake in the guide/instructions. I hope the script will continue to work for a long time.

I'm going to add more functionality in the coming days. I think it could be some pretty useful things, but I don't want to say what it is, just in case I'm unsuccessful at implementing it...  :Very Happy: 

----------

## Sachankara

New version released:

http://joshua.haninge.kth.se/~sachankara/GPLv2/swap-encryption-r18.tgz

http://joshua.haninge.kth.se/~sachankara/GPLv2/swap-encryption-r18.tgz.md5

A very short description of the new functionality:

 *Quote:*   

> # This feature has  been made so that encrypted  swap parti-
> 
> # tions are created dynamically  when the script starts.  It
> 
> # requires that one uses LVM2 and that there already are one
> ...

 

I think there is more than enough functionality for now. I don't want it to become too complex. Instead I'll concentrate on fixing small problems and clean up the script a bit.  :Smile: 

----------

## Sachankara

Cosmetic changes:

http://joshua.haninge.kth.se/~sachankara/GPLv2/swap-encryption-r19.tgz

http://joshua.haninge.kth.se/~sachankara/GPLv2/swap-encryption-r19.tgz.md5

 :Wink: 

----------

## WildChild

A much easier way is to use /etc/conf.d/cryptfs and /etc/fstab. Here is my configuration:

In /etc/conf.d/cryptfs:

```
swap=crypt-swap
source='/dev/hda2'
```

In /etc/fstab:

```
/dev/mapper/crypt-swap  none            swap            sw              0 0
```

Gentoo then mounts the swap very early in the boot process!

----------

## Sachankara

 *WildChild wrote:*   

> A much easier way is to use /etc/conf.d/cryptfs and /etc/fstab. Here is my configuration:
> 
> In /etc/conf.d/cryptfs:
> 
> swap=crypt-swap
> ...

 Well, that method is unfortunately not safe. It'll not care if the device is a valid swap device or not. So pretend for a while that you keep your swap on another hard drive and then swap it with another without thinking about removing the line in /etc/conf.d/cryptfs - it'll destroy any content that might exist on the other drive. The swap-encryption script will not encrypt devices unless they're valid swap devices, or unless it is told to do static encryptions. So you can use that method if you are always sure that you won't change the drive layout or similar, but if you're not, then better be safe than sorry, as they say...  :Wink: 

----------

## WildChild

Yes, I understand what you say! You encrypt all mounted swap partitions and on shutdown return them to a valid swap state! On the other side, /etc/conf.d/cryptfs leaves the partition in an "unknown/unformatted" state. But since I'm on a laptop with a fixed hard drive it shouldn't be a problem!

Thanks

----------

