When I installed Debian Buster (with a stock 4.19 kernel) on my device, I opted for guided partitioning with full disk encryption.

So the current setup is LVM on LUKS, and /boot is unencrypted:

user@HOST:~$ lsblk -f
NAME               FSTYPE      LABEL UUID                                FSAVAIL FSUSE% MOUNTPOINT
sda
├sda1              ext2              a81YDwjp-q50N-nbZH-JLwr-Djhhe0aDxI6 94,4M      55% /boot
├sda2
└sda5              crypto_LUKS       E5ZYjKug-zrNW-yW4Q-jwFD-MdgSY08zqKo
 └sda5_crypt       LVM2_member       aJTjWXcR-Nxth-LcnV-5tzp-iBzbCU0zy8d
  ├HOST--vg-root   ext4              PHVJaGjc-46vv-u5co-fXxd-NCZJUkzK21Q 129,1G      5% /
  └HOST--vg-swap_1 swap              1XZehc8C-2yKA-Y8Qr-eCc1-EI3ezAgVNBo                [SWAP]

Now it would be nice to evolve this setup and encrypt the swap volume with a temporary key. But why? After all, swap is encrypted already, as it resides on an encrypted hard drive. BTW, I do not use hibernation.

What I would like is to draw as much benefit as possible from additional layers of encryption on my system. For example, I encrypt some data locally before backing it up to a remote location. This encryption could also serve as a second line of defense if full hard disk encryption were defeated... but only if swap is not readable in this scenario.

Starting from the default Debian configuration (i.e., without having to go through re-installation), is there a way to encrypt swap with temporary keys?

2 Answers

Since you have a modern (4.19) kernel and do not use hibernation, I'd suggest doing without the swap partition and moving swap to your root partition. As time permits, you can reallocate the space used by the swap partition to the root.

How much space? https://itsfoss.com/swap-size/ has a table which calculates it, based on some guidelines and the size of that system's RAM:

RAM     Swap Size 
 256MB   256MB   
 512MB   512MB   
 1GB     1GB     
 2GB     1GB     
 3GB     2GB     
 4GB     2GB     
 6GB     2GB      
 8GB     3GB     
 12GB    3GB      
 16GB    4GB     
 24GB    5GB     
 32GB    6GB     
 64GB    8GB     
 128GB   11GB    

Guidelines?

If your system has less than 1 GB of RAM, you must use swap, as most applications would exhaust the RAM soon.

If your system uses resource heavy applications like video editors, it would be a good idea to use some swap space as your RAM may be exhausted here.

If you use hibernation, then you must add swap because the content of the RAM will be written to the swap partition. This also means that the swap size should be at least the size of RAM.

Avoid strange events like a program going nuts and eating RAM.

https://linuxize.com/post/how-to-add-swap-space-on-debian-9/ has a step-by-step process for Debian to make a swap file.

  • Thanks, I'll try it this way and will attempt to mix in another tutorial to have encryption with keys changing on every boot
    – fghtsu
    Commented Nov 2, 2019 at 10:23

A simple write-up of what I ended up doing. As mentioned before, the distribution is Debian Buster, and hibernation is disabled.

  • Optional: Disable swap (sudo swapoff -a) and overwrite the swap volume with zeroes or with random data. This is actually recommended, but was not necessary in my case.

  • Create the new swap file

    sudo fallocate -l 2G /cryptswap

  • Only the root user should be able to read the swap file

    sudo chmod 600 /cryptswap

  • Add the following line to /etc/crypttab

    cryptswap /cryptswap /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,swap,noearly
    

    Note that not all distributions support the noearly option, but Debian certainly does, and Ubuntu seems to support it as well.

  • Disable the old swap entry in /etc/fstab (add a # in front of the line) and add the second line from below:

    #/dev/mapper/HOST--vg-swap_1 none swap sw 0 0
    /dev/mapper/cryptswap none swap sw 0 0
    
  • [ADDED] Disable resuming from hibernation. Update /etc/initramfs-tools/conf.d/resume like below and run sudo update-initramfs -u -k all afterwards.

    RESUME=none
    
  • Reboot

  • Confirm everything works as it should

    Note that the old swap volume still exists, but is not mounted any more.

    user@HOST:~$ lsblk -f
    NAME               FSTYPE      LABEL UUID                                FSAVAIL FSUSE% MOUNTPOINT
    loop0                                                                                      
    └cryptswap         swap              32efd8e4-a775-41b8-b717-39dfbff439f                [SWAP]
    sda
    ├sda1              ext2              a81YDwjp-q50N-nbZH-JLwr-Djhhe0aDxI6 94,4M      55% /boot
    ├sda2
    └sda5              crypto_LUKS       E5ZYjKug-zrNW-yW4Q-jwFD-MdgSY08zqKo
     └sda5_crypt       LVM2_member       aJTjWXcR-Nxth-LcnV-5tzp-iBzbCU0zy8d
      ├HOST--vg-root   ext4              PHVJaGjc-46vv-u5co-fXxd-NCZJUkzK21Q 129,1G      5% /
      └HOST--vg-swap_1 swap              1XZehc8C-2yKA-Y8Qr-eCc1-EI3ezAgVNBo
    
    user@HOST:~$ sudo cryptsetup status cryptswap
    /dev/mapper/cryptswap is active and is in use.
      type:    PLAIN
      cipher:  aes-cbc-essiv:sha256
      keysize: 256 bits
      key location: dm-crypt
      device:  /dev/loop0
      loop:    /cryptswap
      sector size:  512
      offset:  0 sectors
      size:    4194304 sectors
      mode:    read/write
    
  • Cleanup

    Remove the old swap volume. Subsequently you may want to reassign the free space, but I won't cover this here.

    sudo lvremove HOST-vg/swap_1

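The write-up above, as an added shell script (example code, not from the question or either answer): it renders and sanity-checks the crypttab and fstab lines, changes the machine only when run as root with an explicit "apply" argument, and checks /proc/swaps after the reboot. The file name /cryptswap, the mapper name cryptswap, the 2G size and the cipher are the answer's; the function names, the "apply" argument and the constructed /proc/swaps sample are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the question or either answer: the steps of
# the write-up above as idempotent shell functions plus the checks a
# cautious admin would want before and after the reboot.  Assumed names:
# swap file /cryptswap, mapper name cryptswap, 2G, same as the answer.
set -eu

SWAPFILE="${SWAPFILE:-/cryptswap}"
MAPPER="${MAPPER:-cryptswap}"
SIZE="${SIZE:-2G}"
# The answer uses aes-cbc-essiv:sha256 with a 256-bit key; aes-xts-plain64
# with size=512 (XTS needs two 256-bit keys) is the other usual choice.
CIPHER="${CIPHER:-aes-cbc-essiv:sha256}"
KEYBITS="${KEYBITS:-256}"

# /etc/crypttab entry: the key is read from /dev/urandom on every boot, so
# nothing written to swap survives a reboot; "swap" makes the cryptsetup
# scripts run mkswap on the mapping; "noearly" delays setup until the root
# filesystem that holds the file is mounted.
crypttab_line() {
    printf '%s %s /dev/urandom cipher=%s,size=%s,swap,noearly\n' \
        "$MAPPER" "$SWAPFILE" "$CIPHER" "$KEYBITS"
}

fstab_line() {
    printf '/dev/mapper/%s none swap sw 0 0\n' "$MAPPER"
}

# Reject a crypttab line that would silently lose the property we want:
# four fields, key source must be /dev/urandom (a persistent key file
# would make swap readable again once the disk is unlocked), and the
# "swap" option must be present or the mapping is never formatted.
validate_crypttab_line() {
    set -- $1
    [ "$#" -eq 4 ] || return 1
    [ "$3" = /dev/urandom ] || return 1
    case ",$4," in *,swap,*) return 0 ;; esac
    return 1
}

# Post-reboot check on the text of /proc/swaps (stdin): exactly one swap
# device must be active and it must be the encrypted mapping.  Pass the
# resolved path, e.g. "$(readlink -f /dev/mapper/cryptswap)", because
# /proc/swaps lists /dev/dm-N rather than the /dev/mapper name.
only_swap_is() {
    awk -v want="$1" '
        NR > 1 { n++; if ($1 == want) ok = 1; else bad = 1 }
        END    { if (n == 1 && ok && !bad) exit 0; exit 1 }'
}

# The part that changes the machine; run as root: sh cryptswap.sh apply
apply() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    # A swap file must not be sparse.  fallocate is fine on ext4 (the root
    # filesystem in the question); on XFS or btrfs create it with dd from
    # /dev/zero instead.  An existing file is reused, not re-created.
    [ -f "$SWAPFILE" ] || fallocate -l "$SIZE" "$SWAPFILE"
    chmod 600 "$SWAPFILE"
    line="$(crypttab_line)"
    validate_crypttab_line "$line"
    grep -qxF "$line" /etc/crypttab 2>/dev/null || echo "$line" >> /etc/crypttab
    # Comment out every other active swap entry (the installer's LVM one),
    # then add ours if it is not there yet.
    sed -i -E "/^[^#].*[[:space:]]swap[[:space:]]/{/\/dev\/mapper\/$MAPPER[[:space:]]/!s/^/#/}" /etc/fstab
    grep -qxF "$(fstab_line)" /etc/fstab || fstab_line >> /etc/fstab
    # No hibernation: stop the initramfs from probing for a resume device,
    # which would otherwise still point at the old LV.
    mkdir -p /etc/initramfs-tools/conf.d
    echo "RESUME=none" > /etc/initramfs-tools/conf.d/resume
    update-initramfs -u -k all
    echo "now reboot; afterwards run: cat /proc/swaps; cryptsetup status $MAPPER"
    echo "and only then lvremove the old swap LV, as in the write-up"
}

case "${1:-}" in apply) apply ;; esac
```

Run it as root with the "apply" argument, reboot, then feed cat /proc/swaps to only_swap_is with the resolved device path. The validate function earns its place because a crypttab line with a persistent key file, or without the swap option, looks almost identical to the right one and would quietly defeat the point of the exercise; removing the old LV is left as the manual step the write-up describes.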