Fedora Linux Support Community & Resources Center

  #1  
Old 10th August 2011, 10:40 AM
tntrush Offline
Registered User
 
Join Date: Aug 2011
Posts: 30
[SOLVED] Encrypting the swap partition while /dev/path constantly changes ...

Hallo,

I would like to encrypt my swap partition ...

During installation, I tried to select the "encrypt partition" choice, but it needed a passphrase.

After installation, I tried to encrypt my partition ... I followed this article:
http://tredosoft.com/encrypt_home_directory_fedora_9

I just could not ...

The problem is that my swap partition always changes its path ...
When I first booted the system, it was /dev/sda10, next it became /dev/sdc10, now it is /dev/sdb10. This is probably the reason why in fstab all entries are according to UUID.

However, the swap partition is not fond of UUIDs !

I tried to mkswap /dev/<current swap partition> -L Swap, I received a UUID, put it in /etc/crypttab ... it worked for the first time ... but the second time ... did not.

Is there a way to do it? I would appreciate your help!

Kind regards,
tntrush

Last edited by tntrush; 11th August 2011 at 02:21 PM.
  #2  
Old 10th August 2011, 10:48 AM
flyingfsck Offline
Registered User
 
Join Date: Aug 2010
Location: Al Ain, UAE
Posts: 1,822
Re: Encrypting the swap partition while /dev/path constantly changes ...

Howdy,

You should read the swapon man page. For some odd reason, that is the one with all the swap information.

Cheers,

F
  #3  
Old 10th August 2011, 10:55 AM
sea Offline
"Shells" (of a sub world)
 
Join Date: May 2011
Location: Confoederatio Helvetica (Swissh)
Age: 34
Posts: 3,278
Re: Encrypting the swap partition while /dev/path constantly changes ...

Just as a hint, if it needs a passphrase, it's already encrypted.

If you've chosen to encrypt the complete hard disk, the swap is encrypted as well, as the containing volume is.
  #4  
Old 10th August 2011, 02:05 PM
tntrush Offline
Registered User
 
Join Date: Aug 2011
Posts: 30
Re: Encrypting the swap partition while /dev/path constantly changes ...

Thanx for the prompt replies.

The issue is that I want to encrypt only the swap and in the /etc/crypttab file I cannot enter the /dev/path because it constantly changes and I cannot also enter the UUID number because the encrypted swap partition does not have one ...

Code:
cat /etc/crypttab
swap   <how can I specify the drive?>      /dev/urandom    swap

Kind regards,
tntrush
  #5  
Old 10th August 2011, 04:24 PM
flyingfsck Offline
Registered User
 
Join Date: Aug 2010
Location: Al Ain, UAE
Posts: 1,822
Re: Encrypting the swap partition while /dev/path constantly changes ...

You can also use the label in /proc/partitions ( cat /proc/partitions).

Read the swapon man page.

E.g. /dev/dm-1

Last edited by flyingfsck; 10th August 2011 at 04:26 PM.
  #6  
Old 10th August 2011, 07:49 PM
tntrush Offline
Registered User
 
Join Date: Aug 2011
Posts: 30
Re: Encrypting the swap partition while /dev/path constantly changes ...

Code:
cat /proc/partitions
major minor  #blocks  name

   8        0  244198584 sda
   8        1     120456 sda1
   8        2   67954950 sda2
   8        4          1 sda4
   8        5    9775521 sda5
   8        6   17583111 sda6
   8        7   83080116 sda7
   8        8    5229126 sda8
   8        9    5120000 sda9
   8       10    4096000 sda10
   8       11   20480000 sda11
   8       12   30751744 sda12
   8       32  976762584 sdc
   8       33  471869181 sdc1
   8       34  504890820 sdc2
   8       48  244198584 sdd
   8       49  209720511 sdd1
   8       50   34475490 sdd2
   8       64  488386584 sde
   8       65  209720511 sde1
   8       66  208684350 sde2
   8       67   69979140 sde3
   8       80   58615704 sdf
   8       81   58612736 sdf1

This does not mention anything different than my existing partitions. It happens now and the swap is sda10. It will change after I reboot, for example it was sdb10 last time I booted.

How did you encrypt your swap partition?

Kind regards,
tntrush
  #7  
Old 11th August 2011, 02:19 PM
tntrush Offline
Registered User
 
Join Date: Aug 2011
Posts: 30
Re: Encrypting the swap partition while /dev/path constantly changes ...

Quote:
Originally Posted by tntrush View Post

Code:
cat /etc/crypttab
swap   <how can I specify the drive?>      /dev/urandom    swap
Kind regards,
tntrush

Code:
cat /etc/crypttab
swap   /dev/disk/by-id/<drive-id>   /dev/urandom    swap

Kind regards,
tntrush
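
The entry in the post above works because a name under /dev/disk/by-id keeps pointing at the same partition whatever /dev/sdXN it receives at boot. As an added example (not part of the original post), the shell functions below resolve the current device node to such a symlink and print the random-key swap line; the function names stable_name and swap_crypttab_line are made up for this illustration.

```shell
#!/bin/sh
# Added example: build a random-key swap entry for /etc/crypttab that survives
# device renaming, by using a persistent udev symlink instead of /dev/sdXN.

# stable_name DEV [DIR]
# Print the first symlink in DIR (default /dev/disk/by-id) that resolves to
# the same node as DEV; return 1 if there is none.
stable_name() {
    dev=$(readlink -f "$1") || return 1
    dir=${2:-/dev/disk/by-id}
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        if [ "$(readlink -f "$link")" = "$dev" ]; then
            printf '%s\n' "$link"
            return 0
        fi
    done
    return 1
}

# swap_crypttab_line DEV [DIR]
# Print a crypttab line that maps DEV to /dev/mapper/swap with a fresh random
# key on every boot (same four fields as the entry in the thread).
swap_crypttab_line() {
    name=$(stable_name "$1" "$2") || {
        echo "no persistent name found for $1" >&2
        return 1
    }
    printf 'swap\t%s\t/dev/urandom\tswap\n' "$name"
}

# Usage on a real system (review the output before adding it to /etc/crypttab):
#   swap_crypttab_line /dev/sda10
```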
  #8  
Old 12th August 2011, 05:41 AM
japafi Offline
Registered User
 
Join Date: Mar 2010
Posts: 87
Re: Encrypting the swap partition while /dev/path constantly changes ...

Quote:
Originally Posted by tntrush
Thanx for the prompt replies.

The issue is that I want to encrypt only the swap and in the /etc/crypttab file I cannot enter the /dev/path because it constantly changes and I cannot also enter the UUID number because the encrypted swap partition does not have one ...

Does not have one? Yes it does:
Code:
[bash]:~$>blkid 
/dev/sda1: LABEL="F14-boot" UUID="d76a7974-e5c3-4a31-b66a-731469a1f033" TYPE="ext4" 
/dev/sda2: UUID="c92747eb-6ba1-40af-8ecc-1a7f0e0a8dc6" TYPE="crypto_LUKS" 
/dev/sda3: UUID="f324fd4b-7ba5-4800-8492-6bafab1a8ba6" TYPE="crypto_LUKS" 
/dev/sda5: UUID="ffebfc23-0384-4cdc-95a0-962259f93ee9" TYPE="crypto_LUKS" 
/dev/sda6: UUID="bae21dda-f60f-4b39-8f98-150cbbbd29d8" TYPE="crypto_LUKS" 
/dev/mapper/luks-c92747eb-6ba1-40af-8ecc-1a7f0e0a8dc6: LABEL="F14-Root" UUID="f2c62329-4b7a-49bd-a9fa-4cf2313c2b9b" TYPE="ext4" 
/dev/mapper/encswap: UUID="ccd7555a-98e7-462c-9356-41a59480b35e" TYPE="swap" 
/dev/mapper/sda6: LABEL="home" UUID="b4c7cd52-f330-4a1c-9066-7acb3d490e33" TYPE="ext4"

First bold one is the luks container that has the swap partition (second bold one, encswap)

On /boot/grub/menu.lst I have following options in kernel line:
Code:
rd_LUKS_UUID=f324fd4b-7ba5-4800-8492-6bafab1a8ba6 resume=UUID=ccd7555a-98e7-462c-9356-41a59480b35e

First one gets kernel to open the partition which contains the encrypted swap partition. Resume is the UUID of the swap partition, which will now be visible as ..ba6 has been opened.
  #9  
Old 12th August 2011, 09:27 AM
tntrush Offline
Registered User
 
Join Date: Aug 2011
Posts: 30
Re: Encrypting the swap partition while /dev/path constantly changes ...

Quote:
Originally Posted by japafi View Post
On /boot/grub/menu.lst I have following options in kernel line:
Code:
rd_LUKS_UUID=f324fd4b-7ba5-4800-8492-6bafab1a8ba6 resume=UUID=ccd7555a-98e7-462c-9356-41a59480b35e
First one gets kernel to open the partition which contains the encrypted swap partition. Resume is the UUID of the swap partition, which will now be visible as ..ba6 has been opened.

OK ... this should be the trick then ... because in my case (although it works now great) I have:

Code:
blkid

/dev/sdb1: UUID="5e75d18f-8628-4c4f-bbb2-0b1ba154535e" TYPE="ext4" 
/dev/sdb2: LABEL="backup" UUID="67d8fc30-8c71-49f4-a616-19118d1c9ccd" SEC_TYPE="ext2" TYPE="ext3" 
/dev/sdb5: UUID="f76affdf-fa61-4d38-aa36-ad934253815f" TYPE="ext4" 
/dev/sdb6: UUID="431ff39e-dd09-40c0-8102-3771e56bd9a1" TYPE="ext4" 
/dev/sdb7: LABEL="door" UUID="7fbf4f37-eec3-438b-a2a4-8d3a36a3aa22" TYPE="ext3" 
/dev/sdb8: UUID="d3c53b6b-da22-468f-916d-79d151527e77" TYPE="ext4" 
/dev/sdb9: LABEL="_Fedora-15-x86_6" UUID="6fa2c71d-832d-4477-b02e-6e41825d4d6d" TYPE="ext4" 
/dev/sdb11: UUID="e0cb12ff-b074-4312-bbd0-0f173d078f4b" TYPE="ext4" 
/dev/sdb12: UUID="392973f6-0f22-4526-ade7-1365fd454cb1" TYPE="ext4" 
/dev/mapper/swap: UUID="e381d1fd-b283-4529-9dc4-f16cf1837360" TYPE="swap"

... sdb10 is missing ... and when opened with gparted it is identified as "unknown partition".

Kind regards,
tntrush
  #10  
Old 12th August 2011, 10:49 AM
japafi Offline
Registered User
 
Join Date: Mar 2010
Posts: 87
Re: Encrypting the swap partition while /dev/path constantly changes ...

Code:
cryptsetup luksUUID /dev/sdb10

to get the partition UUID.
Add that UUID to the kernel parameter line: rd_LUKS_UUID=(output from luksUUID)
Perhaps then the container filesystem (i.e. swap) will always be visible and you could mount it using the UUID visible in blkid.
  #11  
Old 12th August 2011, 09:26 PM
tntrush Offline
Registered User
 
Join Date: Aug 2011
Posts: 30
Re: Encrypting the swap partition while /dev/path constantly changes ...

Oh, thanx!

However, I get the following message:

Code:
cryptsetup luksUUID /dev/sdb10
Device /dev/sdb10 is not a valid LUKS device.

The swap exists, however, and it is encrypted:

Code:
swapon -s
Filename                                Type            Size    Used    Priority
/dev/mapper/swap                        partition       4095996 0       0

Kind regards,
tntrush
  #12  
Old 13th August 2011, 08:37 AM
hermandez Offline
Registered User
 
Join Date: Aug 2011
Posts: 2
Re: Encrypting the swap partition while /dev/path constantly changes ...

The swap partition can hold a lot of unencrypted confidential information and the fact that it persists after shutting down the computer can be a problem.

Encrypting a swap partition however is slightly tricky if one wants to also support suspend-to-disk (also called hibernation). Here's a procedure that worked for me on both Debian Lenny and Ubuntu 7.10 (Gutsy Gibbon):

0- Install the cryptsetup package:

apt-get install cryptsetup

1- Setup the encrypted partition as root:

swapoff -a
cryptsetup -h sha256 -c aes-cbc-essiv:sha256 -s 256 luksFormat /dev/hda2
cryptsetup luksOpen /dev/hda2 cswap
mkswap /dev/mapper/cswap

2- Add this line to /etc/crypttab:

cswap /dev/hda2 none swap,luks,timeout=30

3- Set the swap partition to be this in /etc/fstab:

/dev/mapper/cswap none swap sw 0 0

4- Configure uswsusp to use /dev/mapper/cswap and write unencrypted data

dpkg-reconfigure -plow uswsusp

You will of course want to replace /dev/hda2 with the partition that currently holds your unencrypted swap.
  #13  
Old 13th August 2011, 10:05 AM
tntrush Offline
Registered User
 
Join Date: Aug 2011
Posts: 30
Re: Encrypting the swap partition while /dev/path constantly changes ...

Quote:
Originally Posted by hermandez View Post
Here's a procedure that worked for me on both Debian Lenny and Ubuntu 7.10 (Gutsy Gibbon):

0- Install the cryptsetup package:

apt-get install cryptsetup

1- Setup the encrypted partition as root:

swapoff -a
cryptsetup -h sha256 -c aes-cbc-essiv:sha256 -s 256 luksFormat /dev/hda2
cryptsetup luksOpen /dev/hda2 cswap
mkswap /dev/mapper/cswap

2- Add this line to /etc/crypttab:

cswap /dev/hda2 none swap,luks,timeout=30

3- Set the swap partition to be this in /etc/fstab:

/dev/mapper/cswap none swap sw 0 0

4- Configure uswsusp to use /dev/mapper/cswap and write unencrypted data

dpkg-reconfigure -plow uswsusp

You will of course want to replace /dev/hda2 with the partition that currently holds your unencrypted swap.

This is great! I performed those steps and I have to say that it works great. Now both cryptsetup luksUUID and blkid commands work as expected.

I have made a few changes though, because it kept asking a password during startup ... According to this howto I added a key to load automatically and unlock the partition.
Code:
dd if=/dev/urandom of=/root/keyfile bs=1024 count=4
chmod 0400 /root/keyfile
cryptsetup luksAddKey /dev/sdX /root/keyfile

And in /etc/crypttab:

Code:
cswap /dev/disk/by-id/<disk id> /root/keyfile swap,luks

I have not performed the following command:

Code:
dpkg-reconfigure -plow uswsusp

"dpkg" means Debian Package which is irrelevant to rpm. I am not using suspension so it is not of great importance to me, but any ideas would be welcome in order to make it work in Fedora too!

Thanx indeed!

Kind regards,
tntrush

Last edited by tntrush; 13th August 2011 at 10:07 AM.
  #14  
Old 13th August 2011, 04:47 PM
japafi Offline
Registered User
 
Join Date: Mar 2010
Posts: 87
Re: Encrypting the swap partition while /dev/path constantly changes ...

If you have the key on the computer, there is no benefit in encrypting the swap partition. Whoever gets hold of the computer can decrypt the swap, as the decrypt key is available.
  #15  
Old 13th August 2011, 07:17 PM
tntrush Offline
Registered User
 
Join Date: Aug 2011
Posts: 30
Re: Encrypting the swap partition while /dev/path constantly changes ...

Indeed, however if they have root privileges ... who cares about the swap ...?

Kind regards,
tntrush
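
The exchange in posts #14 and #15 turns on where the key in the third crypttab field comes from, and the earlier posts on how the device in the second field is named. As an added example (not part of the thread), this shell function classifies each crypttab entry on both points; the sample entries are constructed from the ones quoted in the thread, and audit_crypttab, sample_crypttab and the verdict labels are names made up here.

```shell
#!/bin/sh
# Added example: report, for every crypttab entry, whether the source device
# name is stable across reboots and where the key material comes from.

# Constructed sample, modelled on the entries posted in the thread.
sample_crypttab() {
    cat <<'EOF'
# name  source device                                   key file       options
swap    /dev/sdb10                                      /dev/urandom   swap
swap    /dev/disk/by-id/ata-CONSTRUCTED_DISK-part10     /dev/urandom   swap
cswap   /dev/hda2                                       none           swap,luks,timeout=30
cswap   /dev/disk/by-id/ata-CONSTRUCTED_DISK-part10     /root/keyfile  swap,luks
EOF
}

# audit_crypttab FILE
# Prints: NAME <tab> DEVICE-VERDICT <tab> KEY-VERDICT for each entry.
#   random-per-boot    key is never stored; old swap contents are unreadable
#                      after power-off, and resume from hibernation is impossible
#   passphrase-prompt  key is unlocked by a passphrase typed at boot
#   keyfile-on-disk    swap is only as protected as the filesystem that holds
#                      the key file (the point raised in post #14)
audit_crypttab() {
    while read -r name dev key opts; do
        case $name in ''|'#'*) continue ;; esac
        case $dev in
            UUID=*|/dev/disk/by-*) devv=persistent-name ;;
            /dev/sd*|/dev/hd*)     devv=kernel-name ;;   # may change per boot
            *)                     devv=other ;;
        esac
        case ${key:-none} in
            /dev/urandom|/dev/random) keyv=random-per-boot ;;
            none|-)                   keyv=passphrase-prompt ;;
            *)                        keyv=keyfile-on-disk ;;
        esac
        printf '%s\t%s\t%s\n' "$name" "$devv" "$keyv"
    done < "$1"
}

# Usage: audit_crypttab /etc/crypttab
```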