o Add a section on swap encryption
o Remove the swap encryption stuff from the disk encryption section
Reviewed by: Ken Tom, remko
parent 54861aac29
commit 972e6ca0bd
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=27315
1 changed file with 131 additions and 11 deletions
@ -4093,17 +4093,6 @@ Filesystem Size Used Avail Capacity Mounted on
<para>More information about the use of &man.geli.8; can be
found in the manual page.</para>
<sect3>
<title>Encrypting a Swap Partition</title>
<para>The following example demonstrates how to create a
<command>geli</command> encrypted swap partition.</para>
<screen>&prompt.root; <userinput>dd if=/dev/random of=/dev/ad0s1b bs=1m</userinput>
&prompt.root; <userinput>geli onetime -d -a 3des ad0s1b</userinput>
&prompt.root; <userinput>swapon /dev/ad0s1b.eli</userinput></screen>
</sect3>
<sect3>
<title>Using the <filename>geli</filename> <filename>rc.d</filename> Script</title>
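Review bot: the removal drops the only worked manual invocation (`dd if=/dev/random of=/dev/ad0s1b bs=1m`, `geli onetime -d -a 3des ad0s1b`, `swapon /dev/ad0s1b.eli`) from the disk encryption chapter without leaving a pointer behind; the remaining context here, the sect3 on the geli rc.d script, should gain a short `<link linkend="swap-encrypting">` cross-reference so a reader who used to find swap under this sect2 is sent to the new sect1 instead of hitting a gap. The removed sect3 carried no id attribute, so no existing xref should break, but that is worth confirming with a build.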
@ -4130,6 +4119,137 @@ geli_da2_flags="-p -k /root/da2.key"</screen>
</sect3>
</sect2>
</sect1>
<sect1 id="swap-encrypting">
<sect1info>
<authorgroup>
<author>
<firstname>Christian</firstname>
<surname>Brüffer</surname>
<contrib>Contributed by </contrib>
</author>
</authorgroup>
</sect1info>
<title>Encrypting Swap Space</title>
<indexterm>
<primary>swap</primary>
<secondary>encrypting</secondary>
</indexterm>
<para>Swap encryption in &os; is easy to configure and has been
available since &os; 5.3-RELEASE. Depending on which version
of &os; is being used, different options are available
and configuration can vary slightly. From &os; 6.0-RELEASE onwards,
the &man.gbde.8; or &man.geli.8; encryption systems can be used
for swap encryption. With earlier versions, only &man.gbde.8; is
available. Both systems use the <filename>encswap</filename>
<link linkend="configtuning-rcd">rc.d</link> script.</para>
<para>The previous section, <link linkend="disks-encrypting">Encrypting
Disk Partitions</link>, includes a short discussion on the different
encryption systems.</para>
<sect2>
<title>Why should Swap be Encrypted?</title>
<para>Like the encryption of disk partitions, encryption of swap space
is done to protect sensitive information. Imagine an application
that e.g. deals with passwords. As long as these passwords stay in
physical memory, all is well. However, if the operating system starts
swapping out memory pages to free space for other applications, the
passwords may be written to the disk platters unencrypted and easy to
retrieve for an adversary. Encrypting swap space can be a solution for
this scenario.</para>
</sect2>
<sect2>
<title>Preparation</title>
<note>
<para>For the remainder of this section, <devicename>ad0s1b</devicename>
will be the swap partition.</para>
</note>
<para>Up to this point the swap has been unencrypted. It is possible that
there are already passwords or other sensitive data on the disk platters
in cleartext. To rectify this, the data on the swap partition should be
overwritten with random garbage:</para>
<screen>&prompt.root; <userinput>dd if=/dev/random of=/dev/ad0s1b bs=1m</userinput></screen>
</sect2>
<sect2>
<title>Swap Encryption with &man.gbde.8;</title>
<para>If &os; 6.0-RELEASE or newer is being used, the
<literal>.bde</literal> suffix should be added to the device in the
respective <filename>/etc/fstab</filename> swap line:</para>
<screen>
# Device Mountpoint FStype Options Dump Pass#
/dev/ad0s1b.bde none swap sw 0 0
</screen>
<para>For systems prior to &os; 6.0-RELEASE, the following line
in <filename>/etc/rc.conf</filename> is also needed:
<programlisting>gbde_swap_enable="YES"</programlisting>
</sect2>
<sect2>
<title>Swap Encryption with &man.geli.8;</title>
<para>Alternatively, the procedure for using &man.geli.8; for swap
encryption is similar to that of using &man.gbde.8;. The
<literal>.eli</literal> suffix should be added to the device in the
respective <filename>/etc/fstab</filename> swap line:</para>
<screen>
# Device Mountpoint FStype Options Dump Pass#
/dev/ad0s1b.eli none swap sw 0 0
</screen>
<para>&man.geli.8; uses the <acronym>AES</acronym> algorithm with
a key length of 256 bit by default.</para>
<para>Optionally, these defaults can be altered using the
<literal>geli_swap_flags</literal> option in
<filename>/etc/rc.conf</filename>. The following line tells the
<filename>encswap</filename> rc.d script to create &man.geli.8; swap
partitions using the Blowfish algorithm with a key length of 128 bit,
a sectorsize of 4096 kilobyte and the <quote>detach on last close</quote>
option set:</para>
<programlisting>geli_swap_flags="-a blowfish -l 128 -s 4096 -d"</programlisting>
<para>Please refer to the description of the <command>onetime</command> command
in the &man.geli.8; manual page for a list of possible options.</para>
</sect2>
<sect2>
<title>Verifying that it Works</title>
<para>Once the system has been rebooted, proper operation of the
encrypted swap can be verified using the
<command>swapinfo</command> command.</para>
<para>If &man.gbde.8; is being used:</para>
<screen>&prompt.user; <userinput>swapinfo</userinput>
Device 1K-blocks Used Avail Capacity
/dev/ad0s1b.bde 542720 0 542720 0%
</screen>
<para>If &man.geli.8; is being used:</para>
<screen>&prompt.user; <userinput>swapinfo</userinput>
Device 1K-blocks Used Avail Capacity
/dev/ad0s1b.eli 542720 0 542720 0%
</screen>
</sect2>
</sect1>
</chapter>
<!--
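Review bot: the `<para>` opened with "For systems prior to &os; 6.0-RELEASE, the following line in /etc/rc.conf is also needed:" in the gbde sect2 is never closed; `<programlisting>gbde_swap_enable="YES"</programlisting>` is followed directly by `</sect2>`, so the chapter will not validate. Add `</para>` after the colon, matching how the other sect2s in this hunk close the sentence before the listing. Second, in the `geli_swap_flags` paragraph the `-s 4096` flag sets the sector size in bytes, so "a sectorsize of 4096 kilobyte" should read "a sector size of 4096 bytes". Minor: "Why should Swap be Encrypted?" should be title-cased like the neighbouring titles ("Why Should Swap Be Encrypted?").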