Crypto-Swap questions
Hello,
Loosely following this document:
http://www.sdc.org/~leila/usb-dongle/readme.html
I have set up (or tried to set up) encryption of my swap partition (/dev/hda2).
Here is what I did:
* create /usr/local/sbin/crypto-swap (modified!)
#!/bin/sh
# Run this script somewhere in your startup scripts _after_
# random number generator has been initialized and /usr has
# been mounted. (md5sum, uuencode, tail and head programs usually
# reside in /usr/bin/)
+# insert cypher module into kernel
+ modprobe aes
# encrypted swap partition
SWAPDEVICE=/dev/hda2
# loop device name
LOOPDEV=/dev/loop6
MD=`dd if=${SWAPDEVICE} bs=4k count=10 2>/dev/null | md5sum`
for X in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 ; do
    dd if=/dev/zero of=${SWAPDEVICE} bs=4k count=10 \
        conv=notrunc 2>/dev/null
    sync
done
UR=`dd if=/dev/urandom bs=18 count=1 2>/dev/null \
    | uuencode -m - | head -n 2 | tail -n 1`
+echo ${MD}${UR} | losetup -p 0 -e aes -k 256 ${LOOPDEV} ${SWAPDEVICE}
-echo ${MD}${UR} | losetup -p 0 -e aes-256-cbc ${LOOPDEV} ${SWAPDEVICE}
MD=
UR=
dd if=/dev/zero of=${LOOPDEV} bs=4k count=10 conv=notrunc 2>/dev/null
sync
mkswap ${LOOPDEV}
sync
swapon ${LOOPDEV}
--> chmod 700 /usr/local/sbin/crypto-swap
* wipe -k /dev/hda2
* crypto-swap --> works!
* edit /etc/init.d/checkroot.sh:
+ comment out:
[ "$VERBOSE" != no ] && echo "Activating swap."
swapon -a 2> /dev/null
+ replace with:
[ "$VERBOSE" != no ] && echo "Activating CRYPTO-swap."
/usr/local/sbin/crypto-swap
Upon inspection of dmesg I see the following:
>Adding 1461904k swap on /dev/loop6. Priority:-1 extents:1
Looks good, no?
However, a little further I read:
>Unable to find swap-space signature
'cat /proc/swaps' gives me this output:
>Filename Type Size Used Priority
>/dev/loop6 partition 1461904 0 -1
I would greatly appreciate it if someone could give me any insight into
whether I now have encrypted swap or not.
Also: do people have benchmarks of how much this procedure might slow
things down? Is the encryption loop significantly slower than
disk write/read speed?
Thanks for any hints -
Joh
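
One way to check the question asked above, as an added example that is not part of the original message or of the referenced readme: if the encryption layer is active, the swap signature written by mkswap is readable through the loop device but not on the raw partition, and /proc/swaps lists only loop devices. The function names and the 4096-byte page size (i386) are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify that swap really sits behind the encrypted loop device.
# Assumes a 4096-byte page; mkswap stores "SWAPSPACE2" (or the older
# "SWAP-SPACE") in the last 10 bytes of the first page of the swap area.

# has_swap_sig FILE: succeed if FILE shows a plaintext swap signature.
has_swap_sig() {
    sig=$(dd if="$1" bs=1 skip=4086 count=10 2>/dev/null | tr -d '\000')
    [ "$sig" = "SWAPSPACE2" ] || [ "$sig" = "SWAP-SPACE" ]
}

# raw_swaps FILE: from a /proc/swaps-format FILE, print every active swap
# area that is NOT a loop device (i.e. swap going to disk unencrypted).
raw_swaps() {
    awk 'NR > 1 && $1 !~ /^\/dev\/loop[0-9]+$/ { print $1 }' "$1"
}

# check_crypto_swap RAW LOOP SWAPS: combine both checks.
#   RAW   underlying partition (e.g. /dev/hda2)
#   LOOP  loop device set up by crypto-swap (e.g. /dev/loop6)
#   SWAPS normally /proc/swaps
check_crypto_swap() {
    raw=$1 loop=$2 swaps=$3
    if has_swap_sig "$raw"; then
        echo "FAIL: plaintext swap signature visible on $raw"
        return 1
    fi
    if ! has_swap_sig "$loop"; then
        echo "FAIL: no swap signature visible through $loop"
        return 1
    fi
    leaks=$(raw_swaps "$swaps")
    if [ -n "$leaks" ]; then
        echo "FAIL: swap active on non-loop device(s): $leaks"
        return 1
    fi
    echo "OK: swap signature only visible through $loop"
}

# Usage on the system from the post (as root):
#   check_crypto_swap /dev/hda2 /dev/loop6 /proc/swaps
```

This shows that a transformation sits between the loop device and the partition and that nothing swaps to the raw device; it does not identify the cipher or key size in use.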