In environments such as government companies, users may want to secure their data which can include private customer details. To do so, Linux provides a good number of cryptographic techniques, which can be used to protect data on physical devices such as hard disks or a removable media. One such cryptographic technique uses the Linux Unified Key Setup-on-disk-format (LUKS). This technique allows for the encryption of Linux partitions.
LUKS has the following functionality:
- An entire block device can be encrypted using
LUKS. It’s well suited to protecting data on removable storage media or laptop disk drives. - Once encrypted, the contents of the encrypted block devices are random, thus making it useful for the encryption of swap devices.
- LUKS uses an existing device mapper kernel subsystem.
- It also provides a passphrase strengthener, which helps in protecting against dictionary attacks.
Configuring Encrypted Swap
1. Determine what device to use
You should not use the plain SCSI devices like /dev/sda, /dev/vdb to configure encrypted swap for the reasons mentioned later in the post. Lets take an example of multipath map (e.g., /dev/mapper/mpath1)
2. Choose a name for the dm-device
This name can be completely arbitrary; however, it will be used to form the full path to the swap device, i.e., /dev/mapper/encswap1.
3. Add a new entry to /etc/crypttab
Add a new entry to /etc/crypttab in the form “MAPPING DEV /dev/urandom swap”. For example, in our case the entry can be added as:
# vi /etc/crypttab encswap1 /dev/mapper/volgroup-swaplv /dev/urandom swap
4. Update /etc/fstab
Add a new entry to /etc/fstab to activate the swap device /dev/mapper/encswap1. Again, using a UUID (as is normally common) will not work in this case due to the swap being recreated at each boot.
# vi /etc/fstab /dev/mapper/encswap1 swap swap defaults 0 0
5. Reboot the server
If /etc/crypttab was edited properly, there should be no passphrase prompt during boot and the swap should be automatically activated. Use the following commands to investigate the activated swap:
a. Check if the new swap is activated:
# swapon -s
b. Visualize the relationship between devices:
# lsblk # dmsetup ls --tree
c. See encryption details about the opened device:
# cryptsetup status encswap1
Do not use plain SCSI devices (/dev/sda, /dev/vdb) as encrypted swap
The most secure method for encrypting swap–recommended in this solution–involves automatically re-initializing swap on each boot (both the passphrase-less1 encryption provided by cryptsetup and the formatting provided by mkswap). For this reason, there is no crypt_LUKS UUID to be used in /etc/crypttab for opening the device. This could lead to a dangerous situation with plain SCSI devices like /dev/sda or /dev/vdb.2 Instead, make sure to use devices with deterministic names, e.g.: LVM logical volumes, /dev/mapper/… multipath storage, or GPT-formatted partitions referenced by PARTUUID3.
