Gentoo Forums
Encrypt your swap devices, the safe and easy way
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
PostPosted: Tue Feb 01, 2005 1:03 pm

Coenobite wrote:
Fantastic script! I'm having a bit of trouble using it with the serpent cipher though...

I'm running Gentoo on a laptop with kernel 2.6.10 and version 1.1.14 of the swap-encryption script. I rebuilt the kernel adding serpent as a module, I changed the $CIPHER variable in the script to 'serpent' and added the serpent module to /etc/modules.autoload.d/kernel-2.6. Then I installed the script in /etc/init.d/ and added it to my default runlevel with rc-update. After rebooting I got this message during the boot sequence:

Code:
 * Enabling swap encryption...
 *   Found swap device /dev/hda3
 *     Generating key
head: cannot open '32' for reading: No such file or directory
 *     Encrypting device as dev-hda3


I then rebuilt the kernel with aes_i586 as a module, changed the script's $CIPHER variable back to the default 'aes' and added 'aes_i586' to /etc/modules.autoload.d/kernel-2.6. After rebooting it worked perfectly :) - though with aes and not serpent :P

I don't mind AES though; it's more than adequate for my purposes, and I'm also planning on encrypting my root filesystem using dm-crypt with AES as the cipher. This would be safe, right? Considering I'm already using dm-crypt to encrypt my swap partition.

Oh, and I rebuilt my kernel, statically adding CONFIG_CRYPTO_AES_586 and removing aes from /etc/modules.autoload.d/kernel-2.6

Thanks for a great script! :D
Fixed the problem now... Now it should work with most, if not all, ciphers... :)

http://joshua.haninge.kth.se/~sachankara/swap-encryption-1.1.18.tar.bz2
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak)
Coenobite
n00b
Joined: 30 Jan 2005
Posts: 28
Location: behind you
PostPosted: Tue Feb 01, 2005 5:24 pm

Great! :D

I'm backing up my root filesystem now, since I'm planning to encrypt it with dm-crypt. If everything goes well (knock on wood :P) I'll reload the swap-encryption script with the serpent cipher again and see how it goes.

Thanks for the quick update, btw.
_________________
Get Firefox
Registered user #379997
linux_girl
Apprentice
Joined: 12 Sep 2003
Posts: 287
PostPosted: Wed Feb 02, 2005 4:59 am

Could you make a URL like http://joshua.haninge.kth.se/~sachankara/swap-encryption-latest.tar.bz2

and add at the bottom of the script (if the internet is up; it depends on net):

Code:
ping -c3 www.google.fr && wget http://joshua.haninge.kth.se/~sachankara/swap-encryption-latest.tar.bz2 -O - | tar xjvf - -C /etc/init.d/

so every time you reboot you use the latest version :) :lol:

and remember, kid: pros always make a URL (symlink) that is version-independent, like the above :lol:
_________________
:D :D
Khaine
n00b
Joined: 16 Nov 2004
Posts: 33
PostPosted: Wed Feb 02, 2005 7:12 am

This script sounds really cool. I will try it out next time I install Gentoo.

:)
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
PostPosted: Wed Feb 02, 2005 12:15 pm

Coenobite wrote:
Great! :D

I'm backing up my root filesystem now, since I'm planning to encrypt it with dm-crypt. If everything goes well (knock on wood :P) I'll reload the swap-encryption script with the serpent cipher again and see how it goes.

Thanks for the quick update, btw.
No problem... I just want the script to work as it should. ;) Good luck by the way...
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak)
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
PostPosted: Wed Feb 02, 2005 12:18 pm

linux_girl wrote:
Could you make a URL like http://joshua.haninge.kth.se/~sachankara/swap-encryption-latest.tar.bz2

and add at the bottom of the script (if the internet is up; it depends on net):

Code:
ping -c3 www.google.fr && wget http://joshua.haninge.kth.se/~sachankara/swap-encryption-latest.tar.bz2 -O - | tar xjvf - -C /etc/init.d/

so every time you reboot you use the latest version :) :lol:

and remember, kid: pros always make a URL (symlink) that is version-independent, like the above :lol:
I've added the symlink, but I don't understand what you mean about the other thing. Do you mean the script should be able to update itself each time it's stopped?
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak)
linux_girl
Apprentice
Joined: 12 Sep 2003
Posts: 287
PostPosted: Wed Feb 02, 2005 2:10 pm

Yeah, that is what the code means. Congrats, you are a geek :lol: :lol: :lol: :lol: :lol: :lol:
_________________
:D :D
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
PostPosted: Thu Feb 03, 2005 10:18 am

linux_girl wrote:
Yeah, that is what the code means. Congrats, you are a geek :lol: :lol: :lol: :lol: :lol: :lol:
Ehh, okay?

I'll think about adding the auto-update code. It doesn't seem really useful. It's best to let the user update by himself, so any changes can be audited before "installation"... That's at least what I prefer to do. If someone has a good "counter argument", please let me know...
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak)
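What "audit the change before installation" looks like in script form, as an added example that is not part of the swap-encryption script and not something Sachankara posted. Instead of `ping && wget ... | tar -C /etc/init.d/` at every boot, which installs whatever the server (or anyone between you and it) returns, the tarball is checked against a digest pinned from an out-of-band source, unpacked into a staging directory, and diffed against the installed init script so the operator reads the change before it lands. `verify_sha256`, `stage_tarball`, `install_reviewed` and the `EXPECTED_SHA256` variable are this example's own names and assumptions; the digest tool is whichever one the host has (`sha256sum` here), and the init script is assumed to be named `swap-encryption` inside the tarball, as it is under /etc/init.d in the thread.

```shell
#!/bin/sh
# Added example; not part of the swap-encryption script. Function names,
# EXPECTED_SHA256 and the staging flow are this example's own assumptions.

# Succeeds only when the file's SHA-256 equals the pinned value (obtained
# out of band, e.g. from a signed announcement, never from the same download).
verify_sha256() {
    file="$1"; expected="$2"
    [ -r "$file" ] || return 1
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Unpack into a fresh staging dir and print the path of the new init script.
# Nothing is written under /etc at this point.
stage_tarball() {
    tarball="$1"; script_name="$2"
    stage=$(mktemp -d) || return 1
    tar xjf "$tarball" -C "$stage" || return 1
    new=$(find "$stage" -type f -name "$script_name" | head -n 1)
    [ -n "$new" ] || { echo "$script_name not found in $tarball" >&2; return 1; }
    printf '%s\n' "$new"
}

# The review step: verify, show the diff, then install only on confirmation.
install_reviewed() {
    tarball="$1"; expected="$2"; installed="$3"
    verify_sha256 "$tarball" "$expected" || { echo "digest mismatch, refusing $tarball" >&2; return 1; }
    new=$(stage_tarball "$tarball" "$(basename "$installed")") || return 1
    if [ -f "$installed" ]; then
        diff -u "$installed" "$new" || true   # diff exits 1 when they differ; that is expected
    fi
    printf 'Install %s over %s? [y/N] ' "$new" "$installed"
    read -r answer
    case "$answer" in
        y|Y) install -m 0755 "$new" "$installed" ;;
        *)   echo "not installed; staged copy left at $new" ;;
    esac
}

# Usage (interactive, not run here):
#   EXPECTED_SHA256=<pinned digest from an out-of-band source>
#   wget -O /tmp/swap-encryption.tar.bz2 http://joshua.haninge.kth.se/~sachankara/swap-encryption-latest.tar.bz2
#   install_reviewed /tmp/swap-encryption.tar.bz2 "$EXPECTED_SHA256" /etc/init.d/swap-encryption
```

The digest check only proves the download is the file the pin was taken from; the diff is what lets you see whether that file does something you did not expect. Both are lost the moment the fetch and extraction are chained unconditionally at boot.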
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
PostPosted: Thu Feb 03, 2005 10:23 am

Khaine wrote:
This script sounds really cool. I will try it out next time I install Gentoo.

:)
If you do so, please let me know what you think of it, and if I should make any improvements... ;) Good luck... :)
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak)
linux_girl
Apprentice
Joined: 12 Sep 2003
Posts: 287
PostPosted: Thu Feb 03, 2005 12:35 pm

I get some errors:
Code:

Found swap device /dev/ide/host0/bus0/target0/lun0/part13
Generating key
Encrypting device as dev-ide-host0-bus0-target0-lun0-part13
Command failed: Invalid argument
/dev/mapper/swapdev-ide-host0-bus0-target0-lun0-part13: No such file or directory
swapon: cannot stat /dev/mapper/swapdev-ide-host0-bus0-target0-lun0-part13

How can you get the startup log?

After startup I run:
Code:
/etc/init.d/swap-encryption start

and I get no errors :lol:

My swap is /dev/hda13.
Code:

mount | grep swap

shows no swap.
_________________
:D :D
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
PostPosted: Thu Feb 03, 2005 2:25 pm

linux_girl wrote:
I get some errors:
Code:

Found swap device /dev/ide/host0/bus0/target0/lun0/part13
Generating key
Encrypting device as dev-ide-host0-bus0-target0-lun0-part13
Command failed: Invalid argument
/dev/mapper/swapdev-ide-host0-bus0-target0-lun0-part13: No such file or directory
swapon: cannot stat /dev/mapper/swapdev-ide-host0-bus0-target0-lun0-part13

How can you get the startup log?

After startup I run:
Code:
/etc/init.d/swap-encryption start

and I get no errors :lol:

My swap is /dev/hda13.
Code:

mount | grep swap

shows no swap.
1. Are you sure that you've installed all necessary user-space applications?

2. There's a FAQ in the script answering just that "problem". You need to "re-enable" the swap device if it wasn't properly restored by the script. Just run "mkswap /dev/hda13 && swapon /dev/hda13"...
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak)
linux_girl
Apprentice
Joined: 12 Sep 2003
Posts: 287
PostPosted: Thu Feb 03, 2005 4:26 pm

The dev-mapper device was missing.

I tried:
Code:

$ swapoff /dev/hda13
$ swapoff /dev/hda13
swapoff: /dev/hda13: Invalid argument
$ mkswap /dev/hda13
Setting up swapspace version 1, size = 1028120 kB
$ mkswap /dev/hda13
Setting up swapspace version 1, size = 1028120 kB
$ swapon /dev/hda13
$ swapon /dev/hda13
swapon: /dev/hda13: Device or resource busy

$ mount | grep sw | wc
    0       0       0

and now I'm rebooting.
_________________
:D :D
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
PostPosted: Thu Feb 03, 2005 6:48 pm

linux_girl wrote:
The dev-mapper device was missing.

I tried:
Code:

$ swapoff /dev/hda13
$ swapoff /dev/hda13
swapoff: /dev/hda13: Invalid argument
$ mkswap /dev/hda13
Setting up swapspace version 1, size = 1028120 kB
$ mkswap /dev/hda13
Setting up swapspace version 1, size = 1028120 kB
$ swapon /dev/hda13
$ swapon /dev/hda13
swapon: /dev/hda13: Device or resource busy

$ mount | grep sw | wc
    0       0       0

and now I'm rebooting.
I think you need to remove the "Device Mapper" device that the script created. "dmsetup remove </dev/device-mapper/name>"...
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak)
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
PostPosted: Thu Feb 03, 2005 6:55 pm

New version available. :) Added more error checking...

http://joshua.haninge.kth.se/~sachankara/swap-encryption-1.2.0.tar.bz2
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak)
linux_girl
Apprentice
Joined: 12 Sep 2003
Posts: 287
PostPosted: Fri Feb 04, 2005 12:23 pm

Worked after rebooting (no errors), but
Code:

mount | grep swap

doesn't show the swap device.

However, free shows the swap device:
Code:

$ free -m
             total       used       free     shared    buffers     cached
Mem:           756        748          8          0         32        195
-/+ buffers/cache:        520        235
Swap:          980        307        673

I guess everything is OK?
_________________
:D :D
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
PostPosted: Fri Feb 04, 2005 3:01 pm

linux_girl wrote:
Worked after rebooting (no errors), but
Code:

mount | grep swap

doesn't show the swap device.

However, free shows the swap device:
Code:

$ free -m
             total       used       free     shared    buffers     cached
Mem:           756        748          8          0         32        195
-/+ buffers/cache:        520        235
Swap:          980        307        673

I guess everything is OK?
What does "cat /proc/swaps" show?
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak)
fuoco
Guru
Joined: 23 May 2004
Posts: 386
Location: Israel
PostPosted: Fri Feb 04, 2005 4:27 pm

Can encrypting swap devices make things slower?
MaDsKiLLz
n00b
Joined: 14 Jan 2005
Posts: 3
PostPosted: Thu Feb 10, 2005 3:48 pm

You should use
Code:
tr -cd 0-9A-Za-z ....

It'll use the capitals too.
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
PostPosted: Thu Feb 10, 2005 5:59 pm

fuoco wrote:
Can encrypting swap devices make things slower?
It'll add an overhead of around 2-3% when writing to the swap devices. You won't notice it... I don't, and I'm using it on an Athlon XP 1800+ and an AMD K6-2 500MHz...
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak)
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
PostPosted: Thu Feb 10, 2005 6:02 pm

MaDsKiLLz wrote:
You should use
Code:
tr -cd 0-9A-Za-z ....

It'll use the capitals too.
Yep, you're right. Missed that... Thanks... :)
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak)
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
PostPosted: Thu Feb 10, 2005 6:15 pm

Released yet another version... Here it is: http://joshua.haninge.kth.se/~sachankara/swap-encryption-1.2.1.tar.bz2

Please comment on anything that could be improved, if you find anything... :)
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak)
Coenobite
n00b
Joined: 30 Jan 2005
Posts: 28
Location: behind you
PostPosted: Sat Feb 12, 2005 10:01 am

Quote:
tr -cd 0-9A-Za-z < /dev/urandom 2>/dev/null | head -c "$keysize"


Wouldn't it be more elegant to use

Quote:
tr -cd '[:alnum:]' < /dev/urandom 2>/dev/null | head -c "$keysize"


[:alnum:] prints uppercase chars, lowercase chars and digits... Pretty much the same as '0-9A-Za-z' but a bit better I think :wink:

Quote:
man tr
:)
_________________
Get Firefox
Registered user #379997
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
PostPosted: Sat Feb 12, 2005 10:07 am

Coenobite wrote:
Quote:
tr -cd 0-9A-Za-z < /dev/urandom 2>/dev/null | head -c "$keysize"


Wouldn't it be more elegant to use

Quote:
tr -cd '[:alnum:]' < /dev/urandom 2>/dev/null | head -c "$keysize"


[:alnum:] prints uppercase chars, lowercase chars and digits... Pretty much the same as '0-9A-Za-z' but a bit better I think :wink:

Quote:
man tr
:)
Dang, you're right... ;) Thanks... :)

Fixed it: http://joshua.haninge.kth.se/~sachankara/swap-encryption-1.2.2.tar.bz2
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak)
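The key-generation one-liner discussed in the last few posts, as an added example that is not code from the swap-encryption script. It keeps the thread's `tr ... < /dev/urandom | head -c $keysize` form, quotes `[:alnum:]` (unquoted, the shell can expand it as a glob against files in the current directory named `a`, `l`, `n`, `u`, `m` or `:`), and rejects an empty or non-numeric `$keysize` before `head` sees it. It then adds two helpers of my own: a raw-byte hex key, and a calculation of how many bits an alphanumeric key of a given length actually carries (log2(62), about 5.95 bits per character, so 32 alphanumeric characters hold about 190 bits rather than 256). The function names, the hex variant and the entropy helpers are this example's own, not the script's.

```shell
#!/bin/sh
# Added example; not from the swap-encryption script. Function names and the
# hex/entropy helpers are this example's own.

# The thread's alphanumeric key, with two shell pitfalls closed:
#  - '[:alnum:]' is quoted so the shell cannot glob-expand it;
#  - $keysize is validated, so head never runs with a missing or bogus count.
gen_alnum_key() {
    keysize="$1"
    case "$keysize" in
        ''|*[!0-9]*|0)
            echo "gen_alnum_key: keysize must be a positive integer" >&2
            return 1 ;;
    esac
    tr -cd '[:alnum:]' < /dev/urandom 2>/dev/null | head -c "$keysize"
}

# Alternative: N raw bytes from urandom, hex-encoded for tools that take a hex
# key (dmsetup's crypt target does). Every key byte then carries a full 8 bits.
gen_hex_key() {
    nbytes="$1"
    case "$nbytes" in ''|*[!0-9]*|0) return 1 ;; esac
    od -An -tx1 -N "$nbytes" /dev/urandom | tr -d ' \n'
}

# Bits of entropy in an alphanumeric key of n characters: floor(n * log2(62)).
alnum_key_bits() {
    awk -v n="$1" 'BEGIN { printf "%d\n", n * log(62) / log(2) }'
}

# Smallest alphanumeric length whose entropy reaches a target bit strength.
alnum_len_for_bits() {
    awk -v bits="$1" 'BEGIN { n = 1; while (n * log(62) / log(2) < bits) n++; print n }'
}

# Demo (keys are printed only to show the formats; never log real keys).
echo "32 alnum chars: $(gen_alnum_key 32)  -> $(alnum_key_bits 32) bits"
echo "256 bits needs $(alnum_len_for_bits 256) alnum chars"
echo "32 hex bytes:   $(gen_hex_key 32)  -> 256 bits"
```

If the script hands a 32-character alphanumeric string to a cipher configured for a 256-bit key, the key space is about 2^190, not 2^256; either raise `$keysize` to 43 or more, or feed the cipher raw bytes as hex.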
sm4x
n00b
Joined: 14 Dec 2003
Posts: 38
Location: Hamburg
PostPosted: Sun Feb 13, 2005 1:59 pm

Nice idea, but dm-crypt and crypto-loop are equally insecure.

http://www.uwsg.iu.edu/hypermail/linux/kernel/0402.2/1137.html
http://jdoedoe.tripod.com/#2.3
Sachankara
l33t
Joined: 11 Jun 2004
Posts: 696
Location: Stockholm, Sweden
PostPosted: Sun Feb 13, 2005 9:40 pm

sm4x wrote:
Nice idea, but dm-crypt and crypto-loop are equally insecure.

http://www.uwsg.iu.edu/hypermail/linux/kernel/0402.2/1137.html
http://jdoedoe.tripod.com/#2.3
Interesting... Perhaps I'll have to change the script to support other means of encryption...

Though I find it quite sad that those who say there is a problem with dm-crypt won't use their knowledge to fix the security issue themselves, or at least guide those who are responsible for dm-crypt... :/
_________________
Gentoo Hardened Linux 2.6.21 + svorak (Swedish dvorak)
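The sequence the thread's script performs (map the swap partition through dm-crypt with a fresh key at each boot, `mkswap` the mapping, `swapon` it; on stop, `swapoff`, `dmsetup remove`, restore plain swap, which is also the recovery Sachankara gives linux_girl), together with the check he asks for (`cat /proc/swaps` rather than `mount | grep swap`, since swap is not a mount), as an added example that is not the swap-encryption script itself. The pure helpers (table line, mapping name, /proc/swaps parser) run without root on a constructed sample; the two wrappers that touch devices are defined but not invoked. Assumptions: the mapping name follows the `swapdev-...` pattern visible in linux_girl's log; the default cipher spec `aes-cbc-essiv:sha256` is the dm-crypt table spelling of AES-CBC with ESSIV, the kernel's answer (from 2.6.10 on) to the predictable per-sector IV of the older `-plain` mode that the watermarking discussions linked above concerned; `blockdev --getsz` supplies the sector count; function names are this example's own.

```shell
#!/bin/sh
# Added example; not the swap-encryption script. Mapping-name pattern, cipher
# default and function names are this example's assumptions.

# dm "crypt" target table line:
#   <start> <length> crypt <cipher> <hexkey> <iv_offset> <device> <offset>
# Weak:   aes-plain             (IV = sector number, predictable)
# Better: aes-cbc-essiv:sha256  (IV = E_{sha256(key)}(sector), kernel >= 2.6.10)
build_crypt_table() {
    cipher="$1"; hexkey="$2"; sectors="$3"; dev="$4"
    printf '0 %s crypt %s %s 0 %s 0\n' "$sectors" "$cipher" "$hexkey" "$dev"
}

# /dev/hda3 -> swapdev-hda3 ; /dev/ide/host0/... -> swapdev-ide-host0-...
mapping_name() {
    printf 'swap%s\n' "$(printf '%s' "$1" | sed 's#^/##; s#/#-#g')"
}

# Read /proc/swaps on stdin; print "<device> encrypted|PLAINTEXT" per swap.
# "encrypted" here only means "backed by a device-mapper node"; to confirm the
# target really is crypt, run: dmsetup table <name> | awk '{ print $3 }'
swap_status() {
    awk 'NR > 1 && NF >= 2 {
            print $1, (($1 ~ /^\/dev\/mapper\//) ? "encrypted" : "PLAINTEXT")
         }'
}

# Constructed sample of /proc/swaps output (not captured from a real host).
SAMPLE_PROC_SWAPS='Filename                                Type        Size    Used    Priority
/dev/mapper/swapdev-hda3                partition   1028120 0       -1
/dev/hdb5                               partition   524280  0       -2'

# ---- wrappers that need root and a real block device (not run here) ----

# start: drop plaintext swap, map the device under a fresh 256-bit key (fed
# to dmsetup on stdin so it never appears in ps), mkswap the mapping, enable it.
swap_crypt_start() {
    dev="$1"; cipher="${2:-aes-cbc-essiv:sha256}"
    name=$(mapping_name "$dev")
    key=$(od -An -tx1 -N 32 /dev/urandom | tr -d ' \n')
    sectors=$(blockdev --getsz "$dev") || return 1
    swapoff "$dev" 2>/dev/null
    build_crypt_table "$cipher" "$key" "$sectors" "$dev" | dmsetup create "$name" || return 1
    mkswap "/dev/mapper/$name" > /dev/null && swapon "/dev/mapper/$name"
}

# stop (and the recovery for a boot that left the mapping behind): swapoff the
# mapping, remove it, then put a plain swap signature back on the partition.
swap_crypt_stop() {
    dev="$1"; name=$(mapping_name "$dev")
    swapoff "/dev/mapper/$name" 2>/dev/null
    dmsetup remove "$name" || return 1
    mkswap "$dev" > /dev/null && swapon "$dev"
}

# Demo of the root-free parts.
printf '%s\n' "$SAMPLE_PROC_SWAPS" | swap_status
build_crypt_table aes-cbc-essiv:sha256 "<64 hex chars>" 2056240 /dev/hda3
```

Two details worth keeping from this: the key goes to `dmsetup` on standard input rather than in a `--table` argument, because command-line arguments are visible to every local user in `ps`; and `/proc/swaps` is the authoritative list of active swap, which is why `free` showed linux_girl's swap while `mount | grep swap` showed nothing.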
Page 2 of 5