Thursday, July 29, 2010

Encrypting Swap on Fedora 13

In certain circumstances you may wish to add extra security to your Linux system. In particular, you may want to ensure that sensitive information written to swap space cannot later be recovered from the swap partition on disk. In Fedora 13 this is very easy to do. My understanding is that this method works on Fedora 6 and later.

To accomplish this without having to reboot, perform the following steps:
  1. Log in as root (su -).
  2. Identify your swap partitions (cat /proc/swaps). In this example, I use /dev/sda6 as the swap partition.
  3. Turn off all swap partitions (swapoff -a).
  4. Securely erase everything currently in the swap partition (shred -v /dev/sda6).
  5. Add an entry to /etc/crypttab. For most users this file will not already exist. (vi /etc/crypttab and insert: swap /dev/sda6 /dev/random swap,cipher=aes-cbc-essiv:sha256).
  6. Modify the existing /etc/fstab swap entry (vi /etc/fstab and change the existing swap entry to: /dev/mapper/swap swap swap defaults 0 0).
  7. Create the encrypted swap mapping and format it: cryptsetup -d /dev/random create swap /dev/sda6; mkswap /dev/mapper/swap.
  8. Turn swap back on (swapon -a).
  9. Verify: cat /proc/swaps should now list /dev/mapper/swap rather than the raw partition, and ls -l /dev/mapper should show the swap mapping.
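The steps above collected into a small shell script, added here as an example; it is not part of the original post. It keeps the post's values, the partition /dev/sda6 and the mapping name swap, as overridable assumptions, generates the crypttab and fstab lines, and adds a check that parses /proc/swaps to confirm the raw partition is no longer in use:

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the swap-encryption
# steps above. Assumes the post's values, swap partition /dev/sda6 and mapping
# name "swap"; override SWAP_DEV / MAP_NAME for a different system.

SWAP_DEV="${SWAP_DEV:-/dev/sda6}"
MAP_NAME="${MAP_NAME:-swap}"

# Step 5: the /etc/crypttab line. The "swap" option makes the boot scripts run
# mkswap on the mapping at every boot, which is needed because a fresh key is
# read from /dev/random each time and the previous contents become unreadable.
crypttab_entry() {
    printf '%s %s /dev/random swap,cipher=aes-cbc-essiv:sha256\n' \
        "$MAP_NAME" "$SWAP_DEV"
}

# Step 6: the /etc/fstab line that uses the mapped device, not the raw one.
fstab_entry() {
    printf '/dev/mapper/%s swap swap defaults 0 0\n' "$MAP_NAME"
}

# Step 9 check: reads the text of /proc/swaps on stdin and returns 0 only if
# the mapped device is active and the raw partition is no longer listed
# (the raw partition still appearing would mean pages are going to disk in clear).
swap_is_encrypted() {
    awk -v raw_dev="$SWAP_DEV" -v mapped="/dev/mapper/$MAP_NAME" '
        NR > 1 && $1 == raw_dev { raw = 1 }
        NR > 1 && $1 == mapped  { ok = 1 }
        END { exit ((ok && !raw) ? 0 : 1) }'
}

# Steps 3-8 as one root-only procedure. Destructive: it shreds $SWAP_DEV, so
# confirm the device from /proc/swaps (step 2) before calling it. The sed
# rewrite only matches an fstab entry that names the partition directly; a
# UUID= or LABEL= entry has to be edited by hand as in step 6.
encrypt_swap_now() {
    [ "$(id -u)" -eq 0 ] || { echo "encrypt_swap_now: must run as root" >&2; return 1; }
    swapoff -a
    shred -v "$SWAP_DEV"
    crypttab_entry >> /etc/crypttab
    sed -i "s|^$SWAP_DEV[[:space:]].*|$(fstab_entry)|" /etc/fstab
    cryptsetup -d /dev/random create "$MAP_NAME" "$SWAP_DEV"
    mkswap "/dev/mapper/$MAP_NAME"
    swapon -a
    swap_is_encrypted < /proc/swaps
}

# "sh encrypt-swap.sh preview" prints the two config lines without touching
# anything; "sh encrypt-swap.sh apply" runs the procedure.
case "${1:-}" in
    preview) crypttab_entry; fstab_entry ;;
    apply)   encrypt_swap_now ;;
esac
```

Run it with preview first to see the exact crypttab and fstab lines before anything is changed. The script keeps the post's /dev/random as the key source; on systems where /dev/random blocks for lack of entropy early in boot, /dev/urandom is the usual alternative in the crypttab entry.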