Encrypted swap in Debian

So, you got your home directory encrypted, but you're not sure what sensitive material could end up in swap? After a long day of running a whole lot of applications and processes, many interesting things (passwords, keys, decrypted documents) can be paged out there and stay on disk indefinitely. So here's how to make sure that data is unrecoverable after a reboot.

The idea here is to encrypt your swap space with 256-bit AES, using a random key generated fresh on each boot and never stored anywhere. The random key is useful, since it avoids another password prompt at boot and avoids saving the key somewhere (a security risk in itself), and because we normally have no reason to read our own swap after a reboot anyway. The one thing you give up is hibernation (suspend-to-disk): the resume image lives in swap, and after a reboot nobody has the key to read it.

Thankfully, apt makes the whole process very simple:

# apt-get install cryptsetup

This gives us the basic encryption tools, and the kernel modules that do the real work: dm_crypt (the device-mapper target) plus the AES cipher and sha256 implementations. They are loaded on demand when the first mapping is created, and the exact module names vary with the kernel (aes_generic, aes_x86_64 or aesni_intel for the cipher), so the next step is belt-and-braces rather than a requirement. To make sure, I stuff them into my /etc/modules.

# echo "aes" >> /etc/modules
# echo "sha256_generic" >> /etc/modules

Also, make sure they’re loaded for now.

# modprobe aes && modprobe sha256_generic

There. Now we’re ready to set it up. First a few sanity checks:

$ lsmod | egrep 'aes|dm_crypt'

This should return both the aes module and the dm_crypt module. If dm_crypt is missing, it is simply not loaded yet: cryptsetup loads it when it creates the first mapping, or you can modprobe dm_crypt now.

$ ls -l /dev/mapper/

This should exist and contain a device called “control”, maybe more if you have LVM or such setup.

# dmsetup targets | grep crypt

The device mapper should list a "crypt" target (this is what dm_crypt provides; without it, nothing below will work).

$ grep name /proc/crypto

We should have at least “sha256” and “aes” here.

Okay, enough of that. Let’s go.

First, disable your current swap device. Mine is /dev/md2, so substitute whatever your swap device is; /proc/swaps (or the swap line in /etc/fstab) tells you which one it is. Double-check this: with the crypttab entry below, Debian will run mkswap on the device at every boot, so naming the wrong partition destroys whatever is on it.

# swapoff /dev/md2

Then, if you're feeling paranoid already, fill the swap space with random data so that nothing from the old unencrypted swap survives. This can take a long time, and dd will end with a "No space left on device" error once it hits the end of the partition; that is expected.

# dd if=/dev/urandom of=/dev/md2 bs=1M

Then put this into /etc/crypttab, on one line. The "swap" option tells Debian's cryptsetup scripts to run mkswap on the mapped device each time it is set up, "size=256" is the key length in bits, and "cipher=" selects the dm-crypt cipher spec. Note that aes-cbc-essiv:sha256 is an older choice; cryptsetup's current default is aes-xts-plain64, which is the better option for a new setup. If you switch to XTS, use size=512 for AES-256, because XTS splits the key into two halves.

cryptoswap /dev/md2 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,hash=sha256,swap

Why /dev/urandom and not /dev/random? The latter blocks until it has gathered enough entropy to continue, urandom doesn't. So if you use random instead of urandom you might have to wait during boot until enough entropy is collected, which on a headless machine early in boot can be a long time. (Since Linux 5.6, /dev/random only blocks until the pool has been seeded once, so the difference has mostly disappeared, but urandom remains the right choice here.)

Next, change your swap entry in /etc/fstab to this:

/dev/mapper/cryptoswap none swap sw 0 0

Before rebooting, make sure nothing still refers to the old swap device for resume from hibernation (on Debian that is the RESUME setting used by initramfs-tools), since resuming from a random-key swap is impossible. Then reboot 🙂 and confirm that /proc/swaps lists /dev/mapper/cryptoswap and that cryptsetup status cryptoswap reports the cipher and key size you asked for.
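The whole procedure above, as an added example script that is not part of the original post and not Debian's own tooling. It assumes a Debian system with cryptsetup installed (so cryptdisks_start and blkid exist), the mapper name "cryptoswap", and a swap device passed on the command line such as /dev/md2; all of these are placeholders to adjust. It defaults to aes-xts-plain64 with a 512-bit key rather than the post's aes-cbc-essiv:sha256, refuses to touch a device blkid does not identify as swap, and activates the encrypted swap without a reboot. Run it with --dry-run first to see the lines it would write.

```shell
#!/bin/sh
# Added example (not the post author's script): convert an existing swap
# partition to random-key encrypted swap on Debian.
# Hypothetical defaults, adjust to your system: mapper name "cryptoswap",
# cipher aes-xts-plain64 with a 512-bit key (XTS uses two 256-bit halves).
set -eu

MAPPER_NAME=${MAPPER_NAME:-cryptoswap}
CIPHER=${CIPHER:-aes-xts-plain64}
KEY_BITS=${KEY_BITS:-512}

# Print the swap devices listed in an fstab read from stdin (comments skipped).
find_swap_devices() {
    awk '$1 !~ /^#/ && $3 == "swap" { print $1 }'
}

# The /etc/crypttab line: key from /dev/urandom, mkswap at every boot.
crypttab_entry() {
    printf '%s %s /dev/urandom cipher=%s,size=%s,hash=sha256,swap\n' \
        "$1" "$2" "$CIPHER" "$KEY_BITS"
}

# The /etc/fstab line that replaces the old swap entry.
fstab_entry() {
    printf '/dev/mapper/%s none swap sw 0 0\n' "$1"
}

# Rewrite an fstab (stdin to stdout): the swap line for device $2 becomes
# the mapper entry for $1; every other line is passed through unchanged.
rewrite_fstab() {
    awk -v name="$1" -v dev="$2" '
        $1 !~ /^#/ && $3 == "swap" && $1 == dev {
            print "/dev/mapper/" name " none swap sw 0 0"; next
        }
        { print }'
}

# Safety check: the "swap" crypttab option means mkswap runs on this device
# at every boot, so refuse anything blkid does not identify as swap.
is_swap_device() {
    [ -b "$1" ] && [ "$(blkid -o value -s TYPE "$1" 2>/dev/null)" = "swap" ]
}

# Show what would be written without touching anything.
dry_run() {
    echo "crypttab: $(crypttab_entry "$MAPPER_NAME" "$1")"
    echo "fstab:    $(fstab_entry "$MAPPER_NAME")"
}

# The real thing; needs root. Wiping the old swap with dd is left to you.
convert_swap() {
    dev=$1
    is_swap_device "$dev" || { echo "refusing: $dev is not a swap device" >&2; return 1; }
    grep -q "^$MAPPER_NAME " /etc/crypttab 2>/dev/null \
        && { echo "$MAPPER_NAME is already in /etc/crypttab" >&2; return 1; }
    swapoff "$dev"
    crypttab_entry "$MAPPER_NAME" "$dev" >> /etc/crypttab
    cp /etc/fstab /etc/fstab.bak
    rewrite_fstab "$MAPPER_NAME" "$dev" < /etc/fstab.bak > /etc/fstab
    cryptdisks_start "$MAPPER_NAME"   # creates the mapping and runs mkswap
    swapon -a
    cryptsetup status "$MAPPER_NAME"  # expect type PLAIN, your cipher and key size
    grep "$MAPPER_NAME" /proc/swaps   # and the kernel should be swapping to it
}

case "${1:-}" in
    --apply)   convert_swap "$2" ;;
    --dry-run) dry_run "$2" ;;
esac
```

The fstab rewrite goes through a backup copy, so if anything goes wrong /etc/fstab.bak still holds the original. Activating with cryptdisks_start rather than rebooting lets you catch a typo in /etc/crypttab while the machine is still up.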
