For a variety of reasons I use Fedora Core 5 as my primary operating system, both at home and on my laptop. And for security reasons, I need to have my filesystem encrypted, so that in the event that my laptop is lost or stolen, my confidential data does not fall into the wrong hands.
Unfortunately, while Fedora Core 5 does support an encrypted swap partition, it doesn’t yet support encrypted root filesystems. (It’s looking like the support won’t make it into Fedora Core 6 either, due to release timing.) However, that doesn’t mean it’s impossible. In fact, I’ve done it. This is the first of a two-part series on encrypting your Fedora Core system.
(Read Part 2: Encrypting your root partition on Fedora Core 5)
In this part I’ll explain how to encrypt your swap space (it’s easy) and in the next part I’ll explain how to encrypt your root filesystem and everything else on your Fedora Core system (it’s a little harder, but not much).
Encrypting your swap space is vital even if you don’t encrypt your entire system, because applications which run on your computer sometimes get swapped out to disk, and with them, sensitive personal information such as passwords could be written into your swap space. And while you don’t have to encrypt your root filesystem in order to encrypt your swap space, it’s listed last because you do have to have a completed installation before encrypting your swap space.
To encrypt your swap space, first shut down any unnecessary applications to free up memory. You’ll have to temporarily turn off swap to complete the process, and if you don’t have very much memory in your computer, you may not be able to turn off swap if too many things are running. (In worst case, you can boot the system to single user mode using /sbin/telinit s which will shut down virtually everything except a single root shell.)
To begin, open a root shell by clicking Applications > Accessories > Terminal, and typing su - at the shell prompt. (If you booted your system to single-user mode, you can skip this, because you’re already at a root shell.)
[user@fedora ~]$
su -
Password:
[root@fedora ~]#
Next, turn off the swap space.
[root@fedora ~]#
swapoff -a
Now, just in case anything sensitive was written to your swap space, we’ll overwrite the entire swap partition with random data using the shred command. This will help prevent recovery of anything that was written in that space before. Even if you’ve just freshly installed your system onto a brand new hard drive and nothing was in that space before, you should do this, because the random data will help obscure the fact that there is encrypted data in the partition. Expect this process to take about 30 minutes to an hour on newer hard drives.
If you installed your system without changing the default partitioning scheme, then your swap partition is located at /dev/VolGroup00/LogVol01. If you changed this during your installation, then you’ll need to substitute your actual swap partition below. If you aren’t sure, then you’ll find the partition listed in your /etc/fstab file; look in there to confirm where it’s located.
[root@fedora ~]#
shred -v /dev/VolGroup00/LogVol01
Next, we’ll create a file to tell Fedora Core that the swap partition should be encrypted. Use your favorite text editor to create a new file named /etc/crypttab and enter the following data into it, separated by tabs:
swap /dev/VolGroup00/LogVol01 /dev/random swap,cipher=aes-cbc-essiv:sha256
This will cause a new device /dev/mapper/swap to be created at next boot which uses the default AES encryption and highly random data for the encryption key. Each time you reboot, the swap space will be re-created using a different random key.
Finally, you need to modify /etc/fstab to point to the new encrypted swap device. Open the file in your favorite text editor, and you’ll find a line such as this:
/dev/VolGroup00/LogVol01 swap swap defaults 0 0
Change it to this:
/dev/mapper/swap swap swap defaults 0 0
Finally, reboot your system (if in single-user mode, use the reboot -n command). You’ll then be using encrypted swap space! But if you don’t want to reboot, create the encrypted swap partition for the first time manually using the following commands:
[root@fedora ~]#
cryptsetup -d /dev/random create swap /dev/VolGroup00/LogVol01
[root@fedora ~]#mkswap /dev/mapper/swap
Setting up swapspace version 1, size = 2147479 kB
[root@fedora ~]#swapon -a
Don’t add those commands to any startup files, because they’ll be done for you automatically when your system boots.
I have tested and verified that this works on Fedora Core 5. It should also work on Fedora Core 4 and Fedora Core 3, after you download the available kernel updates for them, if what I read on the Internet is accurate. But what I read also hints that it may not be cryptographically secure on Fedora Core 2 because the startup scripts don’t initialize the random number generator before enabling swap. If you want to be sure, check the /etc/rc.d/rc.sysinit file, and make sure it seeds the random number generator before activating swap. (It does in recent releases.)
Pingback: Encrypting your root partition on Fedora Core 5 - Life with Linux
Michael,
I am not certain where your hooks for encrypted swap are coming from, but I have followed your directions without success. Maybe you have installed a non-standard package to enable this?
Greg
PS I see that Fedora 6 supports encrypted swap (and non-root filesystems). Here you specifically reference Fedora 5.
Greg, you failed to note exactly what went wrong, so I’m afraid I can’t really help you. You also didn’t leave a legitimate email address, so I can’t contact you either.
I can say that these directions work fine on all of my Fedora Core 5 systems, exactly as provided.
If you want to try again and state exactly what went wrong, then perhaps I can help.
I searched around a little more and found the following:
http://www.saout.de/tikiwiki/tiki-index.php?page=EncryptedSwap
Add the first two lines to rc.sysinit:
cryptsetup -d /dev/urandom create swap /dev/VolGroup00/LogVol01
mkswap /dev/mapper/swap
action $”Enabling swap space: ” swapon -a -e
Ha, I think you’re right. The encrypted swap patch went in as of initscripts-8.35-1. But FC5 is currently at initscripts-8.31.5-1. Somewhere along the way I updated initscripts and forgot about it. Oops!
So these should run unmodified on FC6, but you’ll have to patch on FC5.
I stand corrected.
Hi,
Thanks but I need more info.
What is the default partition scheme that you refer to?
Does one need a seperate, uncrypted /boot partition?
The default is what the Fedora Core installer sets up. Swap has nothing to do with whether you have a /boot partition.
Sorry, for my previous comment, this was in relation to encrypted root.
Can you publish grub.conf and fstab
Second question: is hibernation still possible with encrypted swap.
Thanks many times.
You can’t hibernate with an encrypted swap partition; however, you can set up a second unencrypted partition specifically for hibernation.
If you’re really trying to keep your data secure, though, it would be a good idea to forget about hibernation altogether. I either suspend to RAM, leave it running, or shutdown the laptop, depending on the circumstances and how soon I expect to be using it again.
I’ve tried your instructions and had limited success with the Fedora Core 6 that has just been released. I was getting a “hang” on boot after the message “Starting disk encryption using the RNG:” Oddly enough if I hit the shift key a few times (almost like the boot was waiting for entrophy based off of keypresses). Nevertheless, I found some additional options for crypttab from the release notes here:
http://download.fedora.redhat.com/pub/fedora/linux/core/6/i386/os/RELEASE-NOTES-en_US.html#sn-FileSystems
which seem to do the trick. Thanks for the blog entry, it pointed me in the right direction.
Doug, Fedora’s instructions use less random data, so there’s a security tradeoff there that you should be aware of.
Your system actually was waiting for some entropy to become available. This is normal for a freshly installed system, but as you use it and entropy gets built up (and stored between reboots) this shouldn’t really be an issue.