Use random encryption key for swap partition #977
Comments
|
By default there is only one encrypted partition, with LVM on it. Did Best Regards, |
|
Yes, btrfs. |
|
This was also the same behaviour in Release2.
In Ubuntu I set the swap to use random password on boot.
|
|
Having a swap partition with a static key can be a privacy problem for any software that deals with ephemeral keys or if you have encrypted contents (such as gpg keys or dmcrypt volumes) inside your primary partition. Would it be a huge overtaking to add an option to the bootloader for having random passphrases? (I'm aware this disables suspend-to-disk) |
marmarek
added
T: enhancement
|
I think, instead of solving original issue, we should just change swap partition setup to use random key (if it is installed as separate partition, not on the same encrypted LVM as root filesystem). This way it will additionally ease #904. |
|
@marmarek Ephemeral swap also works around #978. I used this script to convert my swap: https://gist.github.com/rustybird/917ac2560fe4e9541d1f |
Is the concern that if a single passphrase is used to encrypt both (Note: I'm not saying we shouldn't do it or that it's not important; I'm just saying it doesn't seem as important in Qubes compared to other OSes. It still strikes me as worthwhile.)
Xen (and, therefore, Qubes) doesn't support suspend-to-disk, so no loss there. |
|
@axon-qubes
Yes, exactly that. If a user is recorded in, say, a foreign airport, while typing their password, presumed volatile data (such as decrypted gpg keys or ephemeral OTR keys held in memory) should not be compromised as well. If Qubes/Xen doesn't suspend-to-disk I see no benefit of not doing this. Another problem pertains to appvms swapping to disk in |
marmarek
added
the
help wanted
andrewdavidwong
changed the title
|
Any update on this? |
|
@starius: Not that I'm aware of. |
|
This one seems to be easy to implement in existing installation by hand (I actually have it done.), but I am not sure how hard is it to add it to the installer. The encrypted swap should be outside of encrypted main LVM-on-LUKS, because doing so would mean double encryption, which would mean some extra overhead. The /etc/crypttab supports swap flag which automatically formats the device to swap. The drawback is it implies plain mode (i.e., no LUKS header), which means it has no persistent UUID. In such case, you have to address is directly by /dev/sdaX (or /dev/sdbX), which is not a good practice. Fortunately, there is a workaround: Put the swapfile into a LVM, effectively getting swap-on-dm-crypt-on-LVM setup. The main drawback of dm-crypt-on-LVM (instead of LVM-on-LUKS) is it might add some attack surface for those who try to bypass AEM. With GPT, we could get rid of LVM for swap: We can use /dev/disk/by-partuuid or /dev/disk/by-partlabel. But I am not sure if it is a good idea to require GPT: My old laptop was unable to boot with GPT, requiring MBR. (I don't care much about my old laptop that will not work with Qubes 4 anyway, but there might be other people facing similar issues.) Well, Qubes 4 will reduce support for old hardware anyway, but I am still not sure if requiring GPT would be a good idea. On the other hand, requiring GPT for this specific feature (let's call it "ephemeral swap") would be probably OK. It is better to have this feature on modern hardware only than not to have it at all. Moreover, modern hardware is likely to use GPT. Some notes:
EDIT: Fixed dm-crypt vs. LUKS. |
|
@v6ak Thank you for your answer! Can we enable swap not at boot but later (after dom0 is running). If there was free partition for that on /dev/sda I could do it easily with a script. But there are only two partitions: for LUKS and for /boot (btw /boot also worth encrypting to avoid possible leaks about system setup; it is possible with recent grub). |
|
Can we enable swap not at boot but later (after dom0 is running).
I used to have this setup with Ubuntu (intentional delay in order to reduce HDD operations on boot), but I am not sure if there are huge advantages. Maybe it could help on low-entropy setups with startup time.
If
there was free partition for that on /dev/sda I could do it easily with
a script.
As I have written, the hardest problem is how to identify the partition:
* Traditional /dev/sdaX – not generally recommended. AFAIR, when having two drives, you might get nondeterministically swapped them etc. You might also intentionally swap the two devices, which could lead to erasure of random partition on one of the drives. The solution might be OK for some specific setup, but I would not recommend it as a general solution.
* Labels and UUIDs – they are either FS-specific (and plain dm-crypt does not have them) or partition-table-specific (supported by GPT, unsupported by MBR)
* LVM – adds attack surface for AEM.
But there are only two partitions: for LUKS and for /boot
Do you mean the default layout?
(btw /boot also worth encrypting to avoid possible leaks about system
setup; it is possible with recent grub).
I don't think this will work with UEFI. Moreover, I don't see much benefit of it.
|
|
In R4.1, this was partially implemented for domU VMs (using a pool level flag that currently defaults to disabled here): #6958 IIRC, full implementation for domU VMs is slated for R4.2. B |
Normally, the disk password entered during the boot process is used to decrypt both the root partition and the swap partition.
But if a wrong password is entered initially, subsequent tries prompt separately for the root partition and the swap partion password, i.e. you have to enter the same password twice now. This can be observed by looking at the LUKS UUIDs in the console (after pressing <ESC> to leave the plymouth splash screen) or the journal.
(Tested on Qubes 3.0 RC1)
The text was updated successfully, but these errors were encountered: