RE: encrypting swap
Hi !
On Thu, 17 Aug 2000, Strohm Thomas (FV/SLD) * wrote:
> > From: Alexander Schreiber
> >
> > The idea is not to protect you from someone gaining access as root to
> > the _running_ machine. Rather the scenario is as follows:
> >
> > - you have a machine with sensitive data - a laptop for instance
> > - whenever the machine is running, it is sufficiently secure from
> >   direct unauthorized access (because it is locked down real tight ->
> >   no unauthorized remote root access, you are sitting in front of it
> >   -> no unauthorized console access),
> > - what happens if someone gains physical access to the machine after
> >   you turned it off - for instance it gets stolen?
> > - attacker has physical access, so he can do _everything_ to the
> >   system to get at your data
> > - all filesystems are encrypted, so no way to access them
> > - _but_ the swap is normally wide open and very likely contains some
> >   sensitive data (paged out pages from processes handling said data),
> >   maybe even the password to access the filesystems
> >
> > This is where encrypted swap comes in: without the key, even the
> > swapspace contains only garbage. The key is generated new at each boot
> > (with enough random in it, maybe by doing an md5sum of ps -auxwww), and
> > then throwing away the key. This way the swap cannot be decrypted after
> > reboot.
> Stay with your laptop example.
> 1) You switch the laptop completely off (no suspend to disk!). Then
> there may remain sensitive data on the swap partition.
> Solution: Just overwrite the swap partition with zeroes on shutdown:
Ok - but what if the shutdown is not clean (like your batteries running
out on you)?
> 2) You go to a suspend state. Then you also should erase the swap
> partition, but now before going to suspend. This may be more complicated
> than in the first case.
This ranges from easy (no swap used) to difficult (swap used) to impossible
(used address space > RAM, swap _needed_ for operation of system) - at least
if you don't want to seriously disrupt operation (by forcibly disabling
swap, thereby creating an OOM-situation which will kill processes).
> 2.1) If you use a method like swsusp, i.e. going to suspend
> under control of Linux, then you can umount and clean the swap prior to
> switching to suspend.
Same problem.
> 2.2) If you use the Laptop-BIOS to go to suspend, then you
> have a problem because (as far as I know) there are no hooks to register
> some routine doing the swap cleaning.
> I don't like very much the idea of an encrypted swap because of the large
> performance penalty you're going to suffer.
You already get a performance penalty when using unencrypted swap. I hate
to break it to you - but high performance and high security tend to come
in different packages. You have to decide whether you want a secure system
or a fast system. And btw - Blowfish isn't _that_ slow.
Regards,
Alex.
--
------------------------------------------------------------------------------
EMail : als@thangorodrim.de | WWW : http://www.thangorodrim.de/
"I think there's a world market for about five computers."
-- attr. Thomas J. Watson (Chairman of the Board, IBM), 1943
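The thread's recommendation is swap keyed with a fresh random key on every boot that is never written anywhere, so that neither an unclean shutdown nor a stolen disk leaves recoverable pages. The script below is an added example, not part of the list message or of any project it mentions: it audits a system's swap configuration against that recommendation. It assumes a modern Linux with dm-crypt and the Debian/systemd /etc/crypttab convention, where the third field names the key source and `/dev/urandom` with the `swap` option means a throwaway per-boot key (a better key source than the `md5sum of ps -auxwww` suggested above, which an attacker who knows the process list can reconstruct). The fstab and crypttab contents embedded in it are constructed sample data; the `audit_swap`, `audit_live` and `count_weak` function names are this example's own.

```shell
#!/bin/sh
# Audit swap entries: flag any swap device that is not a dm-crypt volume
# keyed from /dev/urandom (a fresh random key per boot that is never stored).
# The SAMPLE_* tables below are constructed for this example only.

SAMPLE_FSTAB='/dev/sda1 / ext4 defaults 0 1
/dev/sda2 none swap sw 0 0
/dev/mapper/cryptswap none swap sw 0 0
/dev/mapper/cryptswap2 none swap sw 0 0'

# crypttab fields: name, underlying device, key source, options
SAMPLE_CRYPTTAB='cryptswap /dev/sda3 /dev/urandom swap,cipher=aes-xts-plain64,size=256
cryptswap2 /dev/sda4 /root/swap.key swap'

# audit_swap FSTAB_TEXT CRYPTTAB_TEXT
# Prints one line per swap entry: "<device> OK: ..." or "<device> WEAK: <reason>".
audit_swap() {
    # Skip comments and blank lines; the third fstab field is the fs type.
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && $3 == "swap" { print $1 }' |
    while read -r dev; do
        case $dev in
            /dev/mapper/*)
                name=${dev#/dev/mapper/}
                # Key source for this mapping, if crypttab knows it at all.
                keyfile=$(printf '%s\n' "$2" | awk -v n="$name" '$1 == n { print $3 }')
                if [ -z "$keyfile" ]; then
                    echo "$dev WEAK: no crypttab entry"
                elif [ "$keyfile" = "/dev/urandom" ]; then
                    echo "$dev OK: ephemeral key from /dev/urandom"
                else
                    # A key file on disk survives reboot, so the swap does too.
                    echo "$dev WEAK: persistent key file $keyfile"
                fi
                ;;
            *)
                # Raw partition used directly as swap: pages land on disk in clear.
                echo "$dev WEAK: unencrypted swap"
                ;;
        esac
    done
}

# count_weak FSTAB_TEXT CRYPTTAB_TEXT: number of swap entries failing the check
count_weak() {
    audit_swap "$1" "$2" | awk '/ WEAK:/ { n++ } END { print n + 0 }'
}

# audit_live: run the same check against the running system's tables
audit_live() {
    audit_swap "$(cat /etc/fstab)" "$(cat /etc/crypttab 2>/dev/null)"
}

# Demonstration on the constructed tables (prints three lines, two WEAK).
audit_swap "$SAMPLE_FSTAB" "$SAMPLE_CRYPTTAB"
```

Two caveats that match the thread: a throwaway key makes suspend-to-disk impossible, since the resume image in swap cannot be read back after the key is gone, so a laptop that hibernates needs a different arrangement; and the audit only checks configuration, so a swap device activated by hand with `swapon` on a raw partition still has to be caught by reading `/proc/swaps`.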
Kernel-audit: discussion list for security and the linux kernel
Archive: http://mail.nl.linux.org/kernel-audit/