0

Clearly this is an issue and likely it has a solution which might be:

  1. This is not required because...
  2. This is impractical because... [2 passwords on suspend, for example]
  3. Oh. Yeah, we fixed that in version XYZ. Do Q and it will work fine.
  4. You're hosed unless you can write C++ and can code it yourself.

Drive in question is an SSD.

IMHO Suspend is something modern computers can do. What I don't understand is why Full Disk Encryption isn't full disk. That seems like a bug.

  • This question might better fit [security.se]. A few additional questions: If you are afraid about your swap partition, are you afraid about your RAM, too? What about disabling swap? – Melebius Sep 20 '18 at 12:36
  • 1
    What version of Ubuntu are you using? I tested an FDE installation, and the swap partition is created within the LVM PV that is LUKS encrypted. Hence, swap is also encrypted. There is only one partition that is not LUKS encrypted, the /boot partition. If you're running an EFI system, there should be exactly 2 partitions that are not encrypted, the /boot and /boot/efi partitions. – b_laoshi Oct 16 '18 at 00:50

2 Answers

4

Encryption of swap isn't usually done because of the time required to encrypt writes and decrypt reads -- swap, by its nature, needs to be as fast as possible, because swap space is more or less standing in for RAM you can't afford or don't have slots for.

I would point out, however, that if someone is pulling data out of your swap partition, your computer is already fully compromised -- either the attacker is at console and has rebooted to another OS (from a USB stick, perhaps), or they've gained full control of your system remotely and, at the least, dismounted the swap in order to apply read-write access.

That is to say, if swap partition security matters, swap partition security probably doesn't matter, because the attacker pwns everything on your system anyway -- even if they can't steal your "whole disk encrypted" storage, they can hold it hostage, or install software that will replicate and transmit every read and write in the unencrypted form.

Zeiss Ikon
  • OK, what about a system that securely wipes space used when it is released? It could be back-grounded during operation and it could have most of the system's resources on shutdown. – NonYaBidnezz Sep 20 '18 at 12:28
  • 1
    @NonYaBidnezz As I understand it, swap is not "released" at any time during normal operation -- and making this secure wipe part of shutdown would leave the swap vulnerable to "hard power down" attacks. Bottom line, if someone can access your swap, they can probably also access your RAM and steal your data that way, even if swap is secured. – Zeiss Ikon Sep 20 '18 at 12:32
  • This is for a laptop. The concern is that it might fall into the wrong hands although that sure as heck isn't Plan A. ;-) The idea is to secure it as well as possible. – NonYaBidnezz Sep 20 '18 at 12:34
  • 1
    The bottom line to all computer security is that if someone has physical access and time to work, there's nothing you can do to be fully secure. Even your encrypted storage can be compromised, given an attacker with the right tools and enough time to work. – Zeiss Ikon Sep 20 '18 at 12:38
  • @NonYaBidnezz FWIW, however, most stolen laptops wind up in a pawn shop with a freshly installed copy of Windows that doesn't match the product ID sticker on the bottom of the machine. – Zeiss Ikon Sep 20 '18 at 12:40
  • It sounds to me like there is no point to encryption at all. ...unless you can put swap in a RAM drive. That is the same as having no swap though. – NonYaBidnezz Sep 20 '18 at 12:41
  • For the record, this is an SSD. Wipe should be quick. – NonYaBidnezz Sep 20 '18 at 12:45
  • Modern encryption is strong enough that most thieves won't bother trying to decrypt a drive, they'll just repartition it and install a fresh OS and either use the machine or sell it. That in itself makes it worth doing -- better they get your hardware than your entire life, after all. Modern tools are good enough, however, that if the CIA or NSA (or equivalent) want your data, you can't keep it from them forever. – Zeiss Ikon Sep 20 '18 at 12:53
1

While there are reasons not to encrypt swap, I would also argue that there are reasons a person might want to. Tightening security (physical or digital) always restricts and slows access. That's not a reason to avoid a given security measure. As pointed out in another answer, when RAM is full, it is desirable that swap work as quickly as possible.

That being said, if the content that may reside in swap is sensitive enough, there may be cases in which the performance trade-off may be justified. By default, the Ubuntu installer (I checked 18.04 and 16.04) creates the swap partition in the LUKS-encrypted, LVM2 partition when selecting FDE during installation. Hence, swap is encrypted.


If for some reason, your swap partition is not encrypted, you can still encrypt it. If you're using LVM, and the LVM partition is already LUKS encrypted, you could simply resize the file systems within LVM to make space for swap and then create a logical volume for swap. The resizing of the filesystems may need to be done from a bootable USB. Update your /etc/fstab file and you're done.


If you want to encrypt an existing non-encrypted swap partition, that is also possible, but takes a little more work. I'll list out the general steps.

  1. While booted into your system, swapoff your swap partition.
  2. Use cryptsetup luksFormat ... to encrypt the former swap partition.
  3. Generate a key file to use for decryption and add it as a decryption key.
  4. Decrypt the LUKS partition you just set up.
  5. Run mkswap on the decrypted partition.
  6. Optionally remove the password you used when you set up LUKS encryption.
  7. Save your key file as /root/keyfile
  8. Update your /etc/crypttab file to include an entry that decrypts your swap partition using the key file, /root/keyfile.
  9. Update your /etc/fstab file to mount the encrypted swap (you need to get the UUID of the decrypted swap partition.)
  10. Run sudo update-initramfs -k all -c to recreate your boot files
  11. Finally, run sudo update-grub

Now swap is encrypted. When you boot, you'll put in the password to decrypt /. With root decrypted, /root/keyfile can be used by the system to automatically decrypt your swap partition.

There is a great write-up here about encrypting multiple partitions with a single passphrase. Since you're only trying to encrypt a swap partition, you can do it while booted into your installed system.

b_laoshi
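
A way to check the outcome discussed in this answer, whether from the installer's FDE layout or after following the steps above: the script below is an added example, not part of the original answer. It reports whether each active swap area has a dm-crypt layer beneath it; the function names, the overridable `LSBLK`/`FINDMNT` variables and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report whether each active swap area sits on a dm-crypt layer.
LSBLK=${LSBLK:-lsblk}        # overridable so the check can run on sample data
FINDMNT=${FINDMNT:-findmnt}

# Print "ENCRYPTED|PLAINTEXT <swap>" per entry of a /proc/swaps-format file.
# Returns 1 if any swap area has no crypt layer beneath it.
audit_swap() {
    rc=0
    while read -r name type rest; do
        case $type in
            partition) dev=$name ;;
            # A swap file is only as protected as the filesystem holding it.
            file) dev=$($FINDMNT -n -o SOURCE -T "$name") ;;
            *) continue ;;   # header line
        esac
        # -s lists the device followed by every layer beneath it, one per line.
        if $LSBLK -s -n -r -o NAME,TYPE "$dev" | awk '$2 == "crypt" { f = 1 } END { exit !f }'; then
            echo "ENCRYPTED $name"
        else
            echo "PLAINTEXT $name"; rc=1
        fi
    done < "${1:-/proc/swaps}"
    return $rc
}

# --- Constructed sample data (not taken from a real machine) ---
fake_findmnt() { echo /dev/sda2; }
fake_lsblk() {
    for dev; do :; done          # the last argument is the device to inspect
    case $dev in
        /dev/dm-1) printf '%s\n' 'vg-swap_1 lvm' 'sda5_crypt crypt' 'sda5 part' 'sda disk' ;;
        *)         printf '%s\n' 'sda2 part' 'sda disk' ;;
    esac
}
demo() {
    tmp=$(mktemp); rc=0
    printf '%s\n' 'Filename Type Size Used Priority' \
        '/dev/dm-1 partition 999420 0 -2' '/swapfile file 2097148 0 -3' > "$tmp"
    ( LSBLK=fake_lsblk; FINDMNT=fake_findmnt; audit_swap "$tmp" ) || rc=$?
    rm -f "$tmp"; return $rc
}

# Offline demonstration; on a real system call `audit_swap` with no arguments.
demo || echo "sample data contains a swap area without encryption"
```

In the sample, the swap logical volume inside the LUKS container is reported as encrypted, while the swap file on a plain partition is flagged.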