What is swap?
Even if you encrypt the data on your partitions, one thing that is often overlooked is your swap partition. Swap is where Linux 'swaps' pages of memory belonging to programs (and the data they hold) from physical RAM onto the hard disk when they have not been used for a while. When those programs are used again, the system swaps the pages back into memory. This lets you run more programs than you have RAM for, at the cost of delay, for example when a program is swapped back into RAM from disk.

The problem
The problem here is that swap is not 'cleaned' by your operating system. Data is written and read, but never erased, only overwritten when the space is needed again, so whatever was swapped out can sit on the disk indefinitely. Let's say you are running a program that has opened an encrypted file containing all of your financial accounts, bank account numbers and other sensitive data. Then let's say you minimise this program for a few minutes while you use several other programs. Linux will see that the program holding your sensitive data is idle and swap the contents of the RAM it uses to disk. In doing so, your sensitive information is written to disk unencrypted, even though the file it came from is encrypted. The same applies to any process: passphrases and keys an application holds in memory are just as likely to be swapped out as the documents they protect.

The solution
Encrypting your swap partition under Ubuntu is a relatively trivial exercise. I've been running encrypted swap for nearly 2 years now and I can say I haven't noticed a degradation in performance. The overhead seems quite minimal considering what's going on 'under the hood'.

First things first, we need to know which partition on your hard drive is used for swap. dmesg can help here (you could also check /etc/fstab, or /proc/swaps for what is active right now):

# dmesg | grep swap
[   56.308430] Adding 1052248k swap on /dev/sda3.  Priority:-1 extents:1 across:1052248k 

So in my case you can see the swap is on /dev/sda3, so we now know which partition to work with. Next, make sure the system is fully up to date, turn swap off so we can work with the partition, and install the necessary packages (cryptsetup is the one that does the work here; lvm2 is not strictly required for this setup, but does no harm). Be sure to replace /dev/sda3 with the partition you found via dmesg (or /etc/fstab) in the step above:

sudo apt-get update
sudo apt-get upgrade
sudo swapoff /dev/sda3
sudo apt-get install lvm2 cryptsetup

Next up, load the dm-crypt module and verify it is loaded. You should see something like the below:

# sudo modprobe dm-crypt
# sudo lsmod | egrep 'aes|dm_crypt'
dm_crypt               12928  0
aes_i586                8124  1
aes_generic            27484  1 aes_i586

Now we clear the partition of existing data by filling it with random data. This has two purposes: first, so that any old unencrypted swap contents are overwritten, and second, so that your encrypted data does not stand out if the drive is analysed. What I mean by this is, if you have 750 MB of unused swap and only 250 MB used, then three quarters of the partition would contain no data at all, just zeros. This makes the encrypted data stick out like a sore thumb. If you fill the partition with random data first, the encrypted data simply 'blends in'.

sudo dd if=/dev/urandom of=/dev/sda3 bs=1M

Again, replace /dev/sda3 with the partition you got from dmesg or fstab. This command will take a while (around 10 minutes for the 1 GB partition at the speed shown below; scale accordingly) and should produce output similar to this. The error on the first line is expected: it is just dd reporting that it has run into the end of the partition.

dd: writing `/dev/sda3': Input/output error
1028+0 records in
1027+0 records out
1077510144 bytes (1.1 GB) copied, 642.306 s, 1.7 MB/s

Then you need to tell crypttab to set up the partition as encrypted swap. The entry below uses /dev/urandom as the key source, so a fresh random key is generated on every boot: nothing has to be typed and no key is ever stored on disk. The 'swap' option tells cryptsetup to run mkswap on the mapped device after it is set up. Again, ensure you change /dev/sda3 to your partition. Note that the '>>' redirection is performed by your own shell, not by sudo, so 'sudo echo ... >> /etc/crypttab' fails with 'Permission denied'; pipe through sudo tee instead (all on one line):

echo 'cryptoswap /dev/sda3 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap' | sudo tee -a /etc/crypttab

One caveat with this entry: because of the swap option, whatever device the second field names gets mkswap run on it at every boot. If your disk numbering changes (for example after adding a drive), /dev/sda3 may point at a different partition, which would then be overwritten. A stable path from /dev/disk/by-id/ (ls -l /dev/disk/by-id/ shows which link points at your partition) avoids this; a UUID cannot be used, since the random key gives the partition new contents on every boot. The cipher shown was the cryptsetup default when this was written; aes-xts-plain64, the LUKS default in current cryptsetup, works in the cipher= field as well.

Next, edit the /etc/fstab file and search for the line with 'swap' in it. Comment that line out by inserting a '#' character (without quotes) at the beginning of the line, then add the following line and save the file:

/dev/mapper/cryptoswap none swap sw 0 0

Your system is now set up with encrypted swap. Reboot for the changes to be picked up and the encrypted swap to be started. To check that the swap is encrypted after you boot, look at dmesg again: it should now mention cryptoswap rather than the raw partition (cat /proc/swaps or swapon -s shows the same thing):

# dmesg | grep swap
[   73.063397] Adding 979924k swap on /dev/mapper/cryptoswap.  Priority:-1 extents:1 across:979924k

One consequence of the random per-boot key: hibernation (suspend to disk) to this partition cannot work, because the key needed to read the image back is gone after a shutdown.

If you notice a delay during boot, or see a message such as 'waiting for swap', move the mouse around a bit. It means the system is low on entropy to generate the random key for the encryption. It should only take a second or two.
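The steps above, collected into one script as an added example (mine, not from the original article). It assumes the mapper name 'cryptoswap' and the crypttab options used above, that 'plan' and 'check' never write anything, and that 'apply' is run as root; the stable-name lookup under /dev/disk/by-id/ and the fstab rewrite are my additions to the procedure, and 'check' reads /proc/swaps to confirm nothing is still swapping to a raw partition.

```shell
#!/bin/sh
# Encrypted-swap helper (added example, not the article's own script).
# Assumptions: mapper name and crypttab options match the article above;
# "plan" and "check" are read-only; "apply" needs root and rewrites
# /etc/crypttab and /etc/fstab (fstab is backed up first).
set -eu

MAPPER_NAME="cryptoswap"
CRYPTTAB_OPTS="cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap"

# Build the crypttab entry: random key from /dev/urandom; the "swap" option
# makes cryptsetup run mkswap on the mapped device at every boot.
crypttab_line() {
    printf '%s %s /dev/urandom %s\n' "$MAPPER_NAME" "$1" "$CRYPTTAB_OPTS"
}

# Rewrite an fstab read from stdin: comment out every active swap entry and
# append the mapper device once. Re-running on the result changes nothing.
rewrite_fstab() {
    awk -v mapper="/dev/mapper/$MAPPER_NAME" '
        $0 !~ /^[[:space:]]*#/ && $3 == "swap" && $1 != mapper { print "#" $0; next }
        $1 == mapper && $3 == "swap" { seen = 1 }
        { print }
        END { if (!seen) print mapper " none swap sw 0 0" }'
}

# Succeed only if every active swap device in a /proc/swaps listing (stdin)
# is a device-mapper target, i.e. nothing is swapping to a raw partition.
swap_is_encrypted() {
    awk 'BEGIN { bad = 0 } NR > 1 && $1 !~ /^\/dev\/mapper\// { bad = 1 } END { exit bad }'
}

# With the "swap" option crypttab runs mkswap on whatever the source field
# names at boot, so a /dev/sdX name that shifts after a disk is added would
# get the wrong partition wiped. Prefer a /dev/disk/by-id link when one exists.
stable_name() {
    for link in /dev/disk/by-id/*-part*; do
        [ -e "$link" ] || continue
        if [ "$(readlink -f "$link")" = "$(readlink -f "$1")" ]; then
            printf '%s\n' "$link"
            return 0
        fi
    done
    printf '%s\n' "$1"
}

# Dry run: show what "apply" would do, without touching anything.
plan() {
    src=$(stable_name "$1")
    echo "swapoff $1"
    echo "dd if=/dev/urandom of=$1 bs=1M"
    echo "append to /etc/crypttab: $(crypttab_line "$src")"
    echo "new /etc/fstab:"
    rewrite_fstab < /etc/fstab | sed 's/^/    /'
}

apply() {
    [ "$(id -u)" -eq 0 ] || { echo "apply must run as root" >&2; return 1; }
    src=$(stable_name "$1")
    swapoff "$1"
    # dd exits non-zero when it reaches the end of the partition; that is the
    # expected end of the wipe, not a failure.
    dd if=/dev/urandom of="$1" bs=1M || true
    crypttab_line "$src" >> /etc/crypttab
    cp /etc/fstab /etc/fstab.bak
    rewrite_fstab < /etc/fstab > /etc/fstab.new
    mv /etc/fstab.new /etc/fstab
    echo "done; reboot, then run: $0 check"
}

# Post-reboot verification, the scripted form of "dmesg | grep swap".
check() {
    if swap_is_encrypted < /proc/swaps; then
        echo "all active swap is on /dev/mapper"
    else
        echo "WARNING: swap is active on a raw partition" >&2
        return 1
    fi
}

case "${1:-}" in
    plan)  plan  "${2:?device required, e.g. /dev/sda3}" ;;
    apply) apply "${2:?device required, e.g. /dev/sda3}" ;;
    check) check ;;
    *) echo "usage: $0 plan|apply /dev/sdXN  |  $0 check" >&2 ;;
esac
```

Run 'sh swapcrypt.sh plan /dev/sda3' first and read the proposed crypttab and fstab before 'sudo sh swapcrypt.sh apply /dev/sda3'; after the reboot, 'sh swapcrypt.sh check' exits non-zero if any swap device is still a raw partition.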

Hope you found this article useful!


3 Comments

  1. Rod

    Hi,

    Everything worked well until I got to this line:
    sudo echo cryptoswap /dev/sda3 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap >> /etc/crypttab

    I received this error message:
    /etc/crypttab: Permission denied

    (Note: I changed from your sda3 to my sda5)

    Any thoughts?

    Cheers,

    Rod

    April 10, 2010
    • admin

      Hi Rod,
      Normally that would indicate that the user you ran the command as does not have enough permission to access the /etc/crypttab file. Try becoming root and doing the echo that way:

      [code]
      sudo su -
      echo cryptoswap /dev/sda3 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap >> /etc/crypttab
      [/code]

      If that also fails, then copy/paste the resulting failure as well as the output of

      [code]
      sudo ls -la /etc/crypttab
      [/code]

      April 10, 2010
      • admin

        Also ensure that the sudo echo command is all on one line. It doesn't appear so well in the web page here, but it's supposed to be on one line.

        April 10, 2010