encrypted swappartition

hi
i just installed a 11.3 on my new toughbook cf-30
i configured the swap and home parts to be encrypted.
is there a way that i dont have to enter the password twice? its pretty anoying to have 5 passwords to type in.

  1. bios pwd
  2. pwd 4 swap (wanna get rid of this)
  3. pwd 4 home
  4. user pwd
  5. kwalled pwd ( also need to get rid of it )

please help me

thx

Can’t you just use the current password to change old passwords to no passwords? Who uses bios pwd anyway? I find the avg. user doesn’t even know how to get into their bios.

If you haven’t written down pwds (on paper) and you forget, you’ve hosed your whole system if you

On Sun, 17 Oct 2010 20:06:02 +0000, tararpharazon wrote:

> Who uses bios pwd anyway?

People with laptops with sensitive data on them. Myself, I use the hard
drive password, but some prefer to use the BIOS password.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On 2010-10-17 18:06, soliton wrote:
>
> hi
> i just installed a 11.3 on my new toughbook cf-30
> i configured the swap and home parts to be encrypted.

We are talking about this in the security mail list - you should at least read the archive there
because all the answers are too complex to describe here.

The suse method aplied by yast is, AFAIK, to make the HD as LVM, and put all partitions inside the
LVM: root, swap, home, except boot. It is the LVM which is encrypted, which means only one password.

But there are other methods.

One that I like is that partitions besides “/” have two passwords: one to be typed, and another in a
file (randomly generated). Any of those two passwords can be used. Those files are saved somewhere
in the root partition, and a script there opens them up (you have to create that script) - so you
only type the password for root.

On restore from hibernation, the system should ask the password for the swap partition only.

> is there a way that i dont have to enter the password twice? its pretty
> anoying to have 5 passwords to type in.
> 1. bios pwd
> 2. pwd 4 swap (wanna get rid of this)
> 3. pwd 4 home
> 4. user pwd
> 5. kwalled pwd ( also need to get rid of it )

Bios, user, and kwalled can’t be helped. Well, you might configure for automatic login, which means
you do not write your user password on login.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

On 2010-10-17 22:21, Jim Henderson wrote:

> Myself, I use the hard
> drive password, but some prefer to use the BIOS password.

How do you use the hard drive password in linux? I’m interested in that.

What I know is what man hdparm, paragraph “ATA Security Feature Set”, basically “very dangerous”.
Who ask for the password, Linux? The bios?


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

Granted but I think 20 minutes on google and you can find a crack for bios pwds.

On Mon, 18 Oct 2010 01:28:46 +0000, Carlos E. R. wrote:

> On 2010-10-17 22:21, Jim Henderson wrote:
>
>> Myself, I use the hard
>> drive password, but some prefer to use the BIOS password.
>
> How do you use the hard drive password in linux? I’m interested in that.

I don’t, it’s set at the BIOS level on my laptop. It asks before the
system boots.

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On Mon, 18 Oct 2010 15:36:01 +0000, tararpharazon wrote:

> Granted but I think 20 minutes on google and you can find a crack for
> bios pwds.

Which is why I also use encfs for the really sensitive stuff.

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

Granted but I think 20 minutes on google and you can find a crack for bios pwds.

20 minutes? One straight look into the manual of the respective motherboard will give you the same info a bit faster. :slight_smile:

Slighty OT: is it possible to read data from a swap partition that is usable at all? To me that seems as likely as a →Cold Boot Attack; highly interesting concept, but will that ever happen?

This must seem like a slightly obtuse statement, but because I can’t prove that you can’t, I’ve always assumed that you can. So, anyone with a proof that you can’t would be very welcome…

And you have to cover two cases:

  • the normal ‘swap in use’ case; my assumption is that you’ll get lots of little fragments, most of which will be useless for the bad guys, but some may be useful; it may be that this, given the fragmentation of the data, is just more trouble than its worth, except for special cases, I don’t know. But every time that you make the ‘more trouble than its worth’ assumption in security, someone seems to come along some time later and proves you wrong.
  • the ‘suspend to disk’ case: this may be of no concern if you don’t ever suspend to disk. But it seems that this has more potential to find something other than something other than fragments, but few of them will be useful. That doesn’t mean, however, that none of them are useful.

I think that you have to be a bit paranoid to worry about this, but being a bit paranoid is good, no…

On 2010-10-26 20:36, markone wrote:

> I think that you have to be a bit paranoid to worry about this, but
> being -a bit- paranoid is good, no…

It depends who you work for. I worked sometime for a company that had anti-tempest glass in the
windows of the building. It wasn’t a rumour: cellular phones did not work inside, they had to put
cell nodes inside the building (because many employees had company cellulars).

So the IT personnel investigated systems to encrypt laptop disks. No surprise there.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

Well, my comment wasn’t about paranoid behaviour really, but rather about the question whether it does matter at all if swap is encrypted or not. I have an encrypted partition as well (meaning a regular one), because I don’t want anyone to have access to certain files when I am not around. But swap? The pointer to ‘suspend to disk’ is a good one, although I am not sure how data is stored in a swap partition and whether it actually could be restored and read (and, if possible, how that could be done).

On 2010-10-27 00:36, gropiuskalle wrote:
>
> Well, my comment wasn’t about paranoid behaviour really, but rather
> about the question whether it does matter at all if swap is encrypted or
> not.

The type of company I worked for was not simply paranoid: they knew those things could be done, I
think because they had the means to do it if they wanted. I mean, they took those precautions
because they feared enemies that could dig data out of the radiated energy of monitors (that’s what
anti-tempest was for). So, yes, I’m certain that data can be digged out of swaps.

> I have an encrypted partition as well (meaning a regular one),
> because I don’t want anyone to have access to certain files when I am
> not around. But swap? The pointer to ‘suspend to disk’ is a good one,
> although I am not sure how data is stored in a swap partition and
> whether it actually could be restored and read (and, if possible, how
> that could be done).

It is a memory copy, as is. Plain, unencrypted. They search for strings, normally, but knowing the
operating system they could reconstruct everything that was loaded, the full status. Knowing the
apps (and they have the source, it is linux), they can get where each variable is saved. Perhaps
enough info to decrypt the encrypted partitions.

With a lot of effort, of course, not for mere mortals :slight_smile:


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

I don’t doubt it (the idea of being able to read data from swap, not the radiation idea, that seems pretty much nonsense to me :wink: ), but I want to know. How does one mount a swap partition from an external system (as it doesn’t even have a file system)? How does one read data from it? And if that is possible, couldn’t that be easily prevented by overwriting swap with random numbers on each bootdown?

Hello,

just in reply to Post 1: Doing it as described here SBD:Encrypted root file system - openSUSE and using the same pw for swap and root will need just one pw-input during boot.

Regards, user2304.

On 2010-10-27 19:06, user2304 wrote:
>
> Hello,
>
> just in reply to Post 1: Doing it as described here ‘SBD:Encrypted root
> file system - openSUSE’
> (http://en.opensuse.org/SBD:Encrypted_root_file_system) and using the
> same pw for swap and root will need just one pw-input during boot.

The article is not up to date. It was written more or less for 10.3. The ideas can be used, with
modifications. The mail thread I mentioned at the start of this forum thread has some.

The current method for 11.2 and beyond is to create an encrypted LVM partition on which the entire
system (swap, root, home) is placed. Thus there is only one password, for the LVM. It needs a
separate /boot, not encrypted.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

On 2010-10-27 18:06, gropiuskalle wrote:
>
> I don’t doubt it (the idea of being able to read data from swap, not the
> radiation idea, that seems pretty much nonsense to me :wink: ),

I assure you that it is true. Google for “tempest” :slight_smile:

> but I want
> to know. How does one mount a swap partition from an external system
> (as it doesn’t even have a file system)? How does one read data from it?
> And if that is possible, couldn’t that be easily prevented by
> overwriting swap with random numbers on each bootdown?

The interesting swap is the one from an hibernation, not a normal one. You need to boot another
system and then add the one to investigate externally. Not as swap, but as rean-only data. You would
need to use special tools, I wouldn’t know how to proceed, it would take me years: i only know the
theory.

A normal swap usually has very little information. Yes, being paranoid you would overwrite all of it
before powerdown, but encrypting it is faster.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

I assure you that it is true. Google for “tempest” :slight_smile:

I just did I am flabbergasted! Thank you for the pointer, it really sounded like a conspiracy theory to me at first.

A normal swap usually has very little information. Yes, being paranoid you would overwrite all of it
before powerdown, but encrypting it is faster.

True. Again, thank you. I file that under “for the overly paranoid who also wear aluminium-hats¹”. :slight_smile:

¹Referring to your common home desktop user; I do understand that at some level such precautions might indeed be needed.

On 2010-10-28 02:06, gropiuskalle wrote:
>
>> I assure you that it is true. Google for “tempest” :slight_smile:
>
> I just did I am flabbergasted! Thank you for the pointer, it really
> sounded like a conspiracy theory to me at first.

I know… just imagine my surprise when they told me that the company I had started to work for
actually took measures to impede it - so serious they believed the menace.

>> A normal swap usually has very little information. Yes, being paranoid
>> you would overwrite all of it
>> before powerdown, but encrypting it is faster.
>
> True. Again, thank you. I file that under “for the overly paranoid who
> also wear aluminium-hats¹”. :slight_smile:
>

Indeed :slight_smile:

On the other hand, if you work for a company and some important data is in your laptop, and it is
stolen… Me, I would worry.

> ¹Referring to your common home desktop user; I do understand that at
> some level such precautions might indeed be needed.

Correct. However, you may consider it as training for the moment you really need it - if you do.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)