0

If I have full disk encrypted my laptop which has Ubuntu 12.04, will the thief be able to extract my files from the swap partition? I am assuming s/he will not be able to extract anything from the main partition without doing some form of bruteforce code breaking attach?

oshirowanen
  • 3,977

1 Answers1

2

full disk encrypted my laptop [...] swap partition [...]

It's totally up to you where you put swap partitions. Some typical set ups:

  1. dm-crypt on raw partition and /boot as small plain parition, then on top of the large crypto 'device' as LVM Physical Volume:

    -> LVM Volume Group (one PV as member) crypto -> LVM Logical Volumes:

    • crypto-rootfs as /
    • crypto-homes as /home (optional)
    • crypto-swap as swap (optional)
    • leave some room in the volume group to be able to use LVM's features

    Don't try to set it up the other way around - crypto on top of individual LVs is not going to be of any advantage, but only giving you headaches.

  2. dm-crypt on raw partition as / with separate /boot and separate non-encrypted swap.

    • less flexible, yet more portable without LVM (e.g. FreeOTFE)
    • if more crypto partitions are needed this means multiple times unlocking at boot using passphrases
    • swap could be set up to use a random key crypto on every boot - disables hibernation

  3. The above without any swap. Might be a good idea if you have plenty of RAM anyway.

The 'alternate' installer for 12.04 will allow you to do this in a semi-GUI way. See for example: "How to install Ubuntu 11.04 on an encrypted LVM file system" (while a bit old, still relevant for 12.04).

will the thief be able to extract my files from the swap partition?

Not directly. Swap contains bare memory pages. It would be a hell of puzzle to reassemble this, but even single memory pages might contain too much secret data already. It is considered unsafe to have swap unencrypted. As long as you put your swap op top of a crypto device (no matter using LVM, RAID, or whatever), you're fine.

I am assuming s/he will not be able to extract anything from the main partition without doing some form of bruteforce code breaking attack?

No, it's fairly safe, as that's the whole point of good encryption! To see more about the technical details like the cryptography used, please refer to What is used in the 12.10 full disk encryption? (which also covers 12.04 in my answer).

Security concerns are elsewhere. You'll need a separate unencrypted /boot, no matter how you set it up. It contains kernel and initramfs. If someone can fiddle with the unlocking scripts or even put a backdoor in the kernel, they can steal your secret data. Practical advice: never leave your laptop unattended.

Workarounds for this (advanced set up!):

  • Use a smartcard+reader rather than a password and carry it on your body if your laptop is not in use.
  • Put the dm-crypt encrypted key on a separate flash drive, rather than on the disk itself. Make copies of this encrypted key in case your flash drive dies and put them in a safe where nobody can reach it.
  • Always use a trusted set of kernel and initramfs, for example by using the same USB flash drive as /boot - and always carry this with you.
Community
  • 1
gertvdijk
  • 67,947