Thursday, July 29, 2010

Encrypting Swap on Fedora 13

In certain circumstances you may wish to add extra security to your Linux system. In particular, you may wish to ensure that sensitive information which ends up in swap space cannot later be recovered from the swap partition on disk. In Fedora 13 this is very easy to do. My understanding is this method works on Fedora 6 and later.

To accomplish this without having to reboot, perform the following steps:
  1. Login as root (su -)
  2. Identify your swap partitions (cat /proc/swaps). In this example, I use /dev/sda6 as the swap partition.
  3. Turn off all swap partitions (swapoff -a)
  4. Securely remove all information currently in your swap partition (shred -v /dev/sda6).
  5. Add an entry to the /etc/crypttab file. For most users, this file will not previously exist. (vi /etc/crypttab. Insert: swap /dev/sda6 /dev/random swap,cipher=aes-cbc-essiv:sha256). The fields are the mapping name, the underlying partition, the key source (a fresh random key each boot, so old swap contents become unreadable after a reboot) and the options; note the option is written cipher=, with an equals sign.
  6. Modify the existing /etc/fstab swap entry (vi /etc/fstab. Change the existing swap entry to: /dev/mapper/swap swap swap defaults 0 0).
  7. Create the encrypted swap partition: cryptsetup -d /dev/random create swap /dev/sda6; mkswap /dev/mapper/swap.
  8. Turn the swap partition on (swapon -a)
  9. Verify by: cat /proc/swaps; ls -l /dev/mapper
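A check for the finished configuration, added here as an example that is not part of the original post: it reads /etc/crypttab, /etc/fstab and /proc/swaps (the paths are passed in, so it can run on copies or on the constructed sample files it writes) and confirms that every swap entry in fstab is a dm-crypt mapping, that the matching crypttab line is keyed from /dev/random or /dev/urandom and carries the swap option and an explicit cipher=, and that the mapping, and nothing else, is the active swap device. The function names and sample file contents are assumptions.

```bash
# check_encrypted_swap CRYPTTAB FSTAB SWAPS
# Returns 0 when the three files describe encrypted swap consistently,
# 1 after printing each problem found. On a live system call it as:
#   check_encrypted_swap /etc/crypttab /etc/fstab /proc/swaps
check_encrypted_swap() {
    crypttab=$1; fstab=$2; swaps=$3
    status=0
    # Every swap entry in fstab (third field "swap") must be a mapper device.
    for dev in $(awk '!/^[[:space:]]*#/ && $3 == "swap" {print $1}' "$fstab"); do
        case "$dev" in
            /dev/mapper/*) ;;
            *) echo "fstab: swap on raw device $dev, not a dm-crypt mapping"
               status=1; continue ;;
        esac
        name=${dev#/dev/mapper/}
        # crypttab fields: name  source-device  key-file  options
        line=$(awk -v n="$name" '!/^[[:space:]]*#/ && $1 == n' "$crypttab")
        if [ -z "$line" ]; then
            echo "crypttab: no entry named $name"; status=1; continue
        fi
        set -- $line
        key=$3; opts=$4
        case "$key" in
            /dev/random|/dev/urandom) ;;
            *) echo "crypttab: $name keyed from $key, not a random source"; status=1 ;;
        esac
        case ",$opts," in
            *,swap,*) ;;
            *) echo "crypttab: $name lacks the swap option (mkswap not run at boot)"; status=1 ;;
        esac
        case ",$opts," in
            *,cipher=*) ;;
            *) echo "crypttab: $name has no cipher= option (check for a typo)"; status=1 ;;
        esac
        # The mapping must actually be the device the kernel is swapping to.
        if ! awk -v d="$dev" 'NR > 1 && $1 == d {found=1} END {exit (found ? 0 : 1)}' "$swaps"; then
            echo "$dev is not listed as active swap"; status=1
        fi
    done
    # Any active swap that is not a mapper device bypasses the encryption.
    for active in $(awk 'NR > 1 {print $1}' "$swaps"); do
        case "$active" in
            /dev/mapper/*) ;;
            *) echo "active swap $active is unencrypted"; status=1 ;;
        esac
    done
    return $status
}

# Constructed sample files (not captured from a real machine) for trying
# the check without touching the system: a "good" set matching steps 5-9
# and a "bad" set where step 6 was skipped and the raw partition is in use.
write_samples() {
    dir=$1
    echo 'swap /dev/sda6 /dev/random swap,cipher=aes-cbc-essiv:sha256' > "$dir/crypttab.good"
    printf '/dev/sda1 / ext4 defaults 1 1\n/dev/mapper/swap swap swap defaults 0 0\n' > "$dir/fstab.good"
    printf 'Filename\tType\tSize\tUsed\tPriority\n/dev/mapper/swap partition 2097148 0 -1\n' > "$dir/swaps.good"
    echo 'swap /dev/sda6 /dev/random swap,cipher=aes-cbc-essiv:sha256' > "$dir/crypttab.bad"
    echo '/dev/sda6 swap swap defaults 0 0' > "$dir/fstab.bad"
    printf 'Filename\tType\tSize\tUsed\tPriority\n/dev/sda6 partition 2097148 0 -1\n' > "$dir/swaps.bad"
}
```

The cipher= test is deliberately strict: an option typed as cipher-aes-cbc-essiv:sha256 is silently ignored by the tools and leaves you with the default cipher, so the check reports it rather than passing it.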

Wednesday, May 5, 2010

Adding Right-Click Menu Options in Nautilus (Linux)

Nautilus is the file manager for the GNOME desktop. To enhance its capability, you can add functionality with an add-on package called nautilus-actions. If this package is not installed on your system, please install it. Red Hat-based systems (including Fedora and CentOS) can use: yum install nautilus-actions.

In this example, I'll add the capability to securely delete (using the shred command) files and folders. This example uses a script (which is listed below).

NOTE: On many modern file systems the shred command may not completely and securely delete your files. In particular, shred may not be effective on journaling filesystems such as xfs and ext3, on filesystems that write redundant data (RAID), or on those that write to a cache or create snapshots.
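A pre-check for that caveat, added here as an example and not part of the original post: it resolves the filesystem type of the mount holding a path (longest-prefix match over a /proc/mounts-style table, passed in as a file so it can be exercised on the constructed sample below) and reports whether an in-place overwrite by shred can be expected to reach the old blocks. The mount table only reveals the filesystem type, not a RAID, caching or snapshot layer underneath it, so a "yes" here is necessary but not sufficient. The function names, the list of "safe" types and the sample table are assumptions.

```bash
# Print the filesystem type of the longest mount point that contains $1,
# reading the mount table from file $2 (format: device mountpoint fstype ...).
# On a live system pass /proc/mounts as $2.
fs_type_of() {
    awk -v p="$1" '
        {
            mp = $2
            # "/" contains everything; otherwise the path must equal the
            # mount point or start with it followed by a slash.
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > best) { best = length(mp); type = $3 }
            }
        }
        END { print type }' "$2"
}

# Filesystem types on which an in-place overwrite hits the original blocks.
# Journaling (ext3, ext4, xfs, ...), copy-on-write (btrfs, zfs) and network
# filesystems may keep the original data elsewhere, so they are refused.
shred_reliable_on() {
    case "$1" in
        ext2|vfat|msdos) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a verdict for PATH ($1) using mount table $2; return 0 if shred
# can be trusted on that filesystem, 1 otherwise.
shred_advisory() {
    t=$(fs_type_of "$1" "$2")
    if shred_reliable_on "$t"; then
        echo "$1: $t, overwrite reaches the data blocks"
        return 0
    fi
    echo "$1: $t, shred alone cannot be trusted here (see the note above)"
    return 1
}

# Constructed sample mount table (not captured from a real machine).
write_sample_mounts() {
    cat > "$1" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /home ext2 rw,relatime 0 0
/dev/sdc1 /home/data xfs rw,noatime 0 0
tmpfs /tmp tmpfs rw 0 0
EOF
}
```

Calling shred_advisory on each argument before handing it to the shredFiles script below turns the caveat into a visible warning; on the sample table, /home/alice/notes.txt resolves to ext2 and passes, while /home/data/report.pdf resolves to xfs and is refused.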

Once the package is installed, type "nautilus-actions-config" and the menu editor will appear. Select the Add button and a dialog box will appear. I entered the following values:
  • Label: Shred
  • Tooltip: Securely delete files and folders
  • Icon: gtk-delete
  • Path: /usr/local/bin/shredFiles
  • Parameters: %M
The %M adds the full pathnames of all files and folders that are selected.

On the Conditions tab, I selected the "Both" option and checked "Appears if selection has multiple files or folders".

On the Advanced Conditions tab, I selected the "file" and "smb" options.

Close the dialog box, and from a command line type "nautilus -q" to quit the Nautilus file manager. This forces it to read its configuration files again. Start it again by typing "nautilus" at a command line.

Select one or more files and folders and right-click. Your newly created Shred command should appear. Simply select the Shred command while the files/folders are selected and they will be securely deleted using the shredFiles script.

The listing of shredFiles is below. Don't forget to add execute permission on the /usr/local/bin/shredFiles script!

#!/bin/bash
# shredFiles: securely delete the files and folders given as arguments.
# Regular files are overwritten in place with shred; folders are walked
# with find so every file inside is shredded before the tree is removed.

function _shredFilesOrFolders() {
    if [ $# -ne 1 ]; then
        echo "usage: _shredFilesOrFolders foldername|filename"
        exit 1
    else
        arg=$1
        if [ -f "$arg" ]; then
            # Make the file writable first; shred -f does this too, but
            # chmod also handles the read-only case cleanly.
            chmod 0700 "$arg" 2> /dev/null
            /usr/bin/shred -fzu "$arg"
        else
            # Make the whole tree writable, shred each regular file,
            # then remove the now-empty directory structure.
            chmod -R 0700 "$arg" 2> /dev/null
            find "$arg" -type f -execdir /usr/bin/shred -fzu {} \;
            /bin/rm -rf "$arg"
        fi
    fi
}

####################################################

if [ $# -lt 1 ]; then
    echo "usage: shredFiles foldername|filename"
    exit 1
fi

# Iterate over the arguments directly; this keeps paths containing
# spaces intact, which the %M parameter from nautilus-actions can pass.
for f in "$@"; do
    echo -n "Shredding $f..."
    _shredFilesOrFolders "$f"
    echo "done"
done