Encrypting your swap partition on Fedora Core

Note: This information is obsolete and is maintained for historical purposes only. To encrypt your Fedora Core system, check the “Encrypt system” checkbox during installation.

For a variety of reasons I use Fedora Core 5 as my primary operating system, both at home and on my laptop. And for security reasons, I need to have my filesystem encrypted, so that in the event that my laptop is lost or stolen, my confidential data does not fall into the wrong hands.

Unfortunately, while Fedora Core 5 does support an encrypted swap partition, it doesn’t yet support encrypted root filesystems. (It’s looking like the support won’t make it into Fedora Core 6 either, due to release timing.) However, that doesn’t mean it’s impossible. In fact, I’ve done it. This is the first of a two-part series on encrypting your Fedora Core system.

(Read Part 2: Encrypting your root partition on Fedora Core 5)

In this part I’ll explain how to encrypt your swap space (it’s easy) and in the next part I’ll explain how to encrypt your root filesystem and everything else on your Fedora Core system (it’s a little harder, but not much).

Encrypting your swap space is vital even if you don’t encrypt your entire system, because applications which run on your computer sometimes get swapped out to disk, and with them, sensitive personal information such as passwords could be written into your swap space. And while you don’t have to encrypt your root filesystem in order to encrypt your swap space, it’s listed last because you do have to have a completed installation before encrypting your swap space.

To encrypt your swap space, first shut down any unnecessary applications to free up memory. You’ll have to temporarily turn off swap to complete the process, and if your computer doesn’t have much memory, you may not be able to turn off swap while too many things are running. (In the worst case, you can boot the system to single-user mode using /sbin/telinit s, which will shut down virtually everything except a single root shell.)

To begin, open a root shell by clicking Applications > Accessories > Terminal, and typing su - at the shell prompt. (If you booted your system to single-user mode, you can skip this, because you’re already at a root shell.)

[user@fedora ~]$ su -
Password:
[root@fedora ~]#

Next, turn off the swap space.

[root@fedora ~]# swapoff -a

Now, just in case anything sensitive was written to your swap space, we’ll overwrite the entire swap partition with random data using the shred command. This will help prevent recovery of anything that was written in that space before. Even if you’ve just freshly installed your system onto a brand new hard drive and nothing was in that space before, you should do this, because the random data will help obscure the fact that there is encrypted data in the partition. Expect this process to take about 30 minutes to an hour on newer hard drives.

If you installed your system without changing the default partitioning scheme, then your swap partition is located at /dev/VolGroup00/LogVol01. If you changed this during your installation, then you’ll need to substitute your actual swap partition below. If you aren’t sure, then you’ll find the partition listed in your /etc/fstab file; look in there to confirm where it’s located.

[root@fedora ~]# shred -v /dev/VolGroup00/LogVol01

Next, we’ll create a file to tell Fedora Core that the swap partition should be encrypted. Use your favorite text editor to create a new file named /etc/crypttab and enter the following data into it, separated by tabs:

swap    /dev/VolGroup00/LogVol01    /dev/random    swap,cipher=aes-cbc-essiv:sha256

This will cause a new device /dev/mapper/swap to be created at next boot which uses the default AES encryption and highly random data for the encryption key. Each time you reboot, the swap space will be re-created using a different random key.

Next, you need to modify /etc/fstab to point to the new encrypted swap device. Open the file in your favorite text editor, and you’ll find a line such as this:

/dev/VolGroup00/LogVol01    swap    swap    defaults    0 0

Change it to this:

/dev/mapper/swap    swap    swap    defaults    0 0

Finally, reboot your system (if in single-user mode, use the reboot -n command). You’ll then be using encrypted swap space! But if you don’t want to reboot, create the encrypted swap partition for the first time manually using the following commands:

[root@fedora ~]# cryptsetup -d /dev/random create swap /dev/VolGroup00/LogVol01
[root@fedora ~]# mkswap /dev/mapper/swap
Setting up swapspace version 1, size = 2147479 kB
[root@fedora ~]# swapon -a

Don’t add those commands to any startup files, because they’ll be done for you automatically when your system boots.
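
A consistency check for the two files edited above, as an added example that is not part of the original post: it confirms that every swap line in fstab points at a /dev/mapper device whose crypttab entry takes its key from a random device and carries the swap option. The function name audit_swap is hypothetical, the sample files are constructed, and accepting /dev/urandom as well as /dev/random is an assumption beyond what the post uses.

```shell
#!/bin/sh
# audit_swap CRYPTTAB FSTAB  (hypothetical helper, not a system tool)
# Returns 0 only if every swap entry in FSTAB is an encrypted,
# randomly keyed mapping defined in CRYPTTAB.
audit_swap() {
    crypttab=$1; fstab=$2; status=0
    # fstab field 3 is the filesystem type; skip comment lines.
    for dev in $(awk '$1 !~ /^#/ && $3 == "swap" { print $1 }' "$fstab"); do
        problem=
        case $dev in
            /dev/mapper/*)
                name=${dev#/dev/mapper/}
                # crypttab fields: name, backing device, key source, options.
                entry=$(awk -v n="$name" '$1 == n { print $3, $4; exit }' "$crypttab")
                key=${entry%% *}; opts=${entry#* }
                if [ -z "$entry" ]; then
                    problem="no $name entry in $crypttab"
                elif [ "$key" != /dev/random ] && [ "$key" != /dev/urandom ]; then
                    problem="key source '$key' is not a random device"
                else
                    case ",$opts," in
                        *,swap,*) ;;
                        *) problem="crypttab entry lacks the swap option" ;;
                    esac
                fi ;;
            *) problem="plaintext swap device" ;;
        esac
        if [ -n "$problem" ]; then
            echo "FAIL $dev: $problem"; status=1
        else
            echo "OK   $dev: keyed from $key"
        fi
    done
    return $status
}

# Constructed sample files mirroring the lines shown in this article.
demo=$(mktemp -d)
printf 'swap\t/dev/VolGroup00/LogVol01\t/dev/random\tswap,cipher=aes-cbc-essiv:sha256\n' > "$demo/crypttab"
printf '/dev/mapper/swap\tswap\tswap\tdefaults\t0 0\n' > "$demo/fstab.after"
printf '/dev/VolGroup00/LogVol01\tswap\tswap\tdefaults\t0 0\n' > "$demo/fstab.before"

audit_swap "$demo/crypttab" "$demo/fstab.after"  || true   # edited fstab
audit_swap "$demo/crypttab" "$demo/fstab.before" || true   # original fstab
```

On a real system, run it as audit_swap /etc/crypttab /etc/fstab after editing both files and before rebooting.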

I have tested and verified that this works on Fedora Core 5. It should also work on Fedora Core 4 and Fedora Core 3, after you download the available kernel updates for them, if what I read on the Internet is accurate. But what I read also hints that it may not be cryptographically secure on Fedora Core 2 because the startup scripts don’t initialize the random number generator before enabling swap. If you want to be sure, check the /etc/rc.d/rc.sysinit file, and make sure it seeds the random number generator before activating swap. (It does in recent releases.)