2008-03-02

Sysadmin Sunday: Encrypted Swap Space in FreeBSD

New research shows that cold boot attacks can compromise encryption by giving you access to the RAM's contents. This even applies to full-disk encryption that encrypts swap space and whatnot. We'll probably talk more about that in our podcast.

Physical access almost always means that a total compromise of security is somehow possible. Sensitive data could be at risk long after the data in RAM decays into oblivion. Encryption keys, large documents, and other files containing data you don't want falling into the wrong hands will almost certainly see their fair share of time in virtual memory. That means pages of RAM will be written, for better or worse, to the hard drive.

Encrypting just your swap space can be easier than switching to full-disk encryption and makes it more difficult for an attacker to obtain sensitive data as it gets shuffled in and out of RAM.

OpenBSD encrypts swap by default without any further action. To the best of my knowledge it's alone in that fact. I can't outline how to encrypt swap space in every operating system, but since FreeBSD's the flavor-du-jour, I'll show you how easy it can be.

First, disable swap:

[axon@floaty-fbsd ~]$ sudo swapoff -a
swapoff: /dev/ad0s1b: Cannot allocate memory
Whoops! If there's too much stuff running to fit in RAM without swap, you'll need to cut back. Close your applications, stop the X Window system or whatever you have to do. Let's try that again.
[axon@floaty-fbsd ~]$ sudo swapoff -a
Now, find the swap partition and over-write it using dd(1) to stream /dev/urandom to it. It could take a while depending on the size of the swap partition. Yes, this is a paranoia countermeasure and nothing more. Keep in mind that only freshly-used parts of swap will be encrypted once we're finished. Right now, there could be (ab)usable data out there. Not for long!
[axon@floaty-fbsd ~]$ grep swap /etc/fstab
/dev/ad0s1b none swap sw 0 0
[axon@floaty-fbsd ~]$ sudo dd if=/dev/urandom of=/dev/ad0s1b
dd: /dev/ad0s1b: end of device
464657+0 records in
464656+0 records out
237903872 bytes transferred in 88.835558 secs (2678025 bytes/sec)
To enable GEOM ELI on your swap partition, edit /etc/fstab and add ".eli" to the end of the swap device.

[axon@floaty-fbsd ~]$ sudo vi /etc/fstab
change this line:
/dev/ad0s1b none swap sw 0 0
to this:
/dev/ad0s1b.eli none swap sw 0 0
You have to reboot for this to take effect. Once it comes back online, use kldstat and swapinfo to verify that the geom_eli.ko module is loaded and that the new swap device is being used.

[axon@floaty-fbsd ~]$ kldstat
Id Refs Address Size Name
1 10 0xc0400000 7b2d2c kernel
2 1 0xc0bb3000 6974 snd_ich.ko
3 2 0xc0bba000 239a8 sound.ko
4 1 0xc0bde000 5c304 acpi.ko
5 1 0xc1f19000 e000 geom_eli.ko
6 1 0xc1f27000 19000 crypto.ko
7 1 0xc1f40000 a000 zlib.ko
8 1 0xc21ec000 2000 warp_saver.ko
[axon@floaty-fbsd ~]$ swapinfo
Device 1K-blocks Used Avail Capacity
/dev/ad0s1b.eli 232328 0 232328 0%
Voila!

blog comments powered by Disqus