On Sat, Jan 05, 2002 at 10:28:33PM +0000, Jon Masters wrote:
> On Sat, 5 Jan 2002, Matthew Sackman wrote:
>
> > On Sat, Jan 05, 2002 at 10:59:23AM +0000, Jon Masters wrote:
> >
> > Um, quite what would be the point of this? Do you encrypt the contents of
> > your RAM?
>
> Huh? If someone nicks a machine using encrypted swap then it's harder for
> them to recover any useful data from it. Said machine is to be used for
> offsite secure backups which are already encrypted using various strong
> crypto and stored on ext3 on LV groups on RAID 5 arrays.
Yes - I forgot (hangs head in shame) that swap is not volatile. Duh.
Which has made me think (shock): another idea would be to, on powerdown
write /dev/random all over your swap partition and then on boot up, get
the initrd image to do a mkswap on that partition before the swapon. Of
course that relies on the machine being switched off nicely before being
stolen, but I suppose it can be used as an additional mechanism: if you
write /dev/random over the partition 10 times or more then it should make
it damn hard to recover what the swap was and then they have to go about
decrypting it...
...OTOH, with 15G of swap that may take a while (though assuming you're
meaning a different machine).
> Anyway, getting back to the point, I had a *pathetic* argument with a
> bunch of guys at a company that I used to work for (which includes a now
> good friend of mine...) over using encrypted swap on BSD boxen and why it
> was probably pointless in the environment it is in. In this case things
> are different since we do not host the machine ourselves and therefore I
> wish to remain as paranoid as possible over anyone obtaining anything
> useful from it should they gain direct access, or it is stolen.
Fair enough, although as you realise, this kind of protection only helps
with physical nicking of the machine: if the machine is hacked then this
doesn't help at all which was the point I was trying to make.
> > If your machine is being used by other people then they will
> > be able to read RAM and swap contents if they wish.
>
> Explain.
>
> Are you referring to the potential for rooting a box and then reading
> memory, the potential for physical access, or something else? In any case,
> I am the *only* person who has any kind of access to the box in question.
Right - which I didn't know; rooting a box and then reading the memory was
what I was referring to.
> > only if your machine is stolen whilst it is turned off does this kind
> > of encryption make any difference - it's the same as using encrypted
> > filesystems: has no bonus whilst the machine is in use as the OS has to
> > be able to read and write to the medium. Or am I missing something?
>
> The kernel locks any keys in to memory and so it is not swapped out to
> disk. This means that, yes, someone can obtain physical access while a
> machine is running and obtain the key from memory however this is
> expensive and unlikely, and more to the point I am more concerned with
> ordinary Bill Gates (or Joe Bloggs) in the street having any ability to
> access any useful data at all.
Well, if they have the ability to get the key then I'd assume that they
have the ability to read everything out of the memory anyway: i.e. they don't
need the key because they can hijack the kernel to decrypt everything
there.
> > > I'll just use remote syslogging for now I think - serial console should
> > > log any future panics. I've installed the serial console now (well it's
> > > there but I'm waiting on adding more serial ports to another box)
> >
> > Well yes - it probably is easier but only if you've got the hardware to do
> > it with - I've never even seen a working serial console... :-(
>
> Huh? I've got serial consoles at home in Reading in case
> apogee.jonmasters.org goes down and needs re-configuration. Pity BT have
> fucked up my backup dialin line but then that's why they owe us 500 quid.
>
> All you need is a null modem cable and a kernel boot parameter (don't
> forget lilo/grub configuration and also add a panic=5 to be sure).
As I implied, I don't have the hardware = no null modem cable! (Plus I don't
think that I even have it compiled in on any machine!).
Matthew
--
Matthew Sackman, Nottingham, England
BOFH Excuse Board: waste water tank overflowed onto computer
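The "scrub swap at shutdown, mkswap it again at boot" idea from the message above, written out as an added shell example (it is not a script from the original thread or from either poster). It assumes Linux with GNU coreutils and util-linux (`stat -c`, `blockdev`, `mkswap`), a 4 KiB page size, and root privileges when the device is a real swap partition; the function names, the placeholder device `/dev/sdXN` and the default of one pass are choices made here. It reads from `/dev/urandom` rather than `/dev/random` so the scrub cannot stall the shutdown on an empty entropy pool, and the number of passes is a parameter, so the ten passes suggested above are `wipe_swap_area DEV 10`.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Assumptions: Linux, GNU coreutils + util-linux, 4 KiB pages, root for a
# real partition. /dev/urandom is used so the scrub never blocks.

# swap_size_bytes DEV: size of a block device or of a regular swap file.
swap_size_bytes() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        stat -c %s "$1"
    fi
}

# has_swap_signature DEV: true if the first page ends with "SWAPSPACE2",
# the magic that mkswap writes at bytes 4086..4095 of a 4 KiB page.
# Useful as a boot-time check that the scrub really removed the header.
has_swap_signature() {
    magic=$(dd if="$1" bs=1 skip=4086 count=10 2>/dev/null | tr -d '\0')
    [ "$magic" = "SWAPSPACE2" ]
}

# wipe_swap_area DEV [PASSES]: overwrite DEV end-to-end with random data,
# PASSES times (default 1), keeping its size unchanged.  Run this after
# "swapoff DEV" in the shutdown sequence.
wipe_swap_area() {
    dev=$1
    passes=${2:-1}
    bytes=$(swap_size_bytes "$dev")
    blocks=$((bytes / 4096))
    rest=$((bytes % 4096))
    i=0
    while [ "$i" -lt "$passes" ]; do
        dd if=/dev/urandom of="$dev" bs=4096 count="$blocks" conv=notrunc 2>/dev/null
        if [ "$rest" -gt 0 ]; then
            # tail that is not a whole 4 KiB block
            dd if=/dev/urandom of="$dev" bs=1 count="$rest" \
               seek="$((blocks * 4096))" conv=notrunc 2>/dev/null
        fi
        i=$((i + 1))
    done
    sync   # make sure the random data has reached the disk before power-off
}

# reinit_swap DEV: recreate the swap header so that "swapon DEV" works at
# the next boot; this is the step the initrd has to run before swapon.
reinit_swap() {
    mkswap "$1" >/dev/null
}

# Usage, as root, with the real partition (placeholder device name):
#   shutdown:  swapoff /dev/sdXN && wipe_swap_area /dev/sdXN 10
#   boot:      reinit_swap /dev/sdXN && swapon /dev/sdXN
```

As the message says, this only helps when the machine was shut down cleanly before it went missing; a box pulled from the rack while running still has its last swap contents on disk, which is the gap encrypted swap closes.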
This archive was generated by hypermail 2.1.3 : Sat 05 Jan 2002 - 23:00:29 GMT