cryptoswap

Overview

The cryptoswap package supports building an encrypted swap partition when a system boots. This may be necessary on systems that use encrypted filesystems, because plaintext secrets held in memory may be written to disk when that memory is swapped out.

Nasty Details

Install cryptoswap.sh in /etc/init.d. During system boot, cryptoswap.sh should execute right before checkroot.sh. When shutting down, cryptoswap.sh should execute after sysklogd.
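A check for the ordering described above, as an added example that is not part of the cryptoswap package. It assumes Debian-style rc directories (rcS.d for boot, rc0.d and rc6.d for shutdown) whose S<NN>name and K<NN>name links run in shell glob order, and that the links are named cryptoswap.sh; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not part of cryptoswap): check the rc link ordering described
# above. Assumes Debian-style rc directories whose S<NN>name / K<NN>name links
# run in shell glob order, and that the links are named cryptoswap.sh.

# rc_position DIR PREFIX SCRIPT: print the 1-based position of SCRIPT among
# the PREFIX links in DIR; return 1 if SCRIPT is not linked there.
rc_position() {
    pos=0
    for link in "$1"/"$2"[0-9][0-9]*; do
        [ -e "$link" ] || [ -L "$link" ] || continue
        pos=$(($pos + 1))
        name=${link##*/}
        if [ "${name#???}" = "$3" ]; then
            echo "$pos"
            return 0
        fi
    done
    return 1
}

# check_cryptoswap_order ROOT: return 0 if ROOT/rcS.d runs cryptoswap.sh
# immediately before checkroot.sh and ROOT/rc0.d, ROOT/rc6.d run it after
# sysklogd; otherwise report each problem on stderr and return 1.
check_cryptoswap_order() {
    root=$1
    status=0
    cs=$(rc_position "$root/rcS.d" S cryptoswap.sh) || cs=
    cr=$(rc_position "$root/rcS.d" S checkroot.sh) || cr=
    if [ -z "$cs" ] || [ -z "$cr" ] || [ "$(($cs + 1))" -ne "$cr" ]; then
        echo "rcS.d: cryptoswap.sh must run right before checkroot.sh" >&2
        status=1
    fi
    for lvl in 0 6; do
        kl=$(rc_position "$root/rc$lvl.d" K sysklogd) || kl=
        kc=$(rc_position "$root/rc$lvl.d" K cryptoswap.sh) || kc=
        if [ -z "$kl" ] || [ -z "$kc" ] || [ "$kc" -le "$kl" ]; then
            echo "rc$lvl.d: cryptoswap.sh must run after sysklogd" >&2
            status=1
        fi
    done
    return "$status"
}

# Usage on a live system: check_cryptoswap_order /etc
```

A failure at boot order means swap could be activated before it is encrypted; a failure at shutdown order means the encrypted swap is torn down while sysklogd is still running.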

This package also includes an initialization script for building a loopback-encrypted /tmp. This may be necessary if a system contains encrypted filesystems but / is not encrypted. A link from directories like /var/tmp to /tmp may be appropriate. There are a few other alternatives for such systems:

  1. Tmpfs is a Linux kernel feature that allows /tmp to exist in memory. This is a good solution for systems with a lot of memory and/or (encrypted) swap.
  2. If you have a system that uses encrypted home directories, per-user temporary directories inside $HOME could be used. This would ensure that each user's data is protected, but would require that all applications use $HOME/tmp instead of /tmp.

Finally, the project may be used to create an encrypted root filesystem. Doing so requires two special partitions. First, create a small partition to hold your kernel and initrd image, /dev/hdaX. Second, create a large partition to contain the root of your filesystem, /dev/hdaY.

Next, configure and install an initrd-based boot system:

  1. Ensure romfs is compiled in your kernel (not a module).
  2. Create a kernel-supported filesystem on /dev/hdaX and copy your kernel to /vmlinux.
  3. Download busybox and extract it as initrd/busybox.
  4. Update initrd/src/etc/modules.initrd to include any modules needed to boot.
  5. Build cryptoswap's initrd image (cd initrd && make initrd) and copy it to the filesystem on /dev/hdaX at /initrd.img.gz.
  6. Make sure you use literal = "root=/dev/ram0 init=/linuxrc rw" or LILO equivalent.

Finally, create a proper encrypted filesystem on /dev/hdaY:

  1. Randomize the partition: dd if=/dev/urandom of=/dev/hdaY.
  2. Set up a loopback device: openssl enc -d -aes-256-ecb -in initrd/src/etc/efsk | losetup -p0 -e aes /dev/loop0 /dev/hdaY.
  3. Create the root filesystem: mkfs.ext2 /dev/loop0.
  4. Mount your new root filesystem: mount /dev/loop0 <mountpoint>.
  5. Populate your new root filesystem.