Encrypting swap in Debian with a randomly generated passphrase on each startup

I use Debian Gnome as a host for Whonix. The Debian installer offers the possibility to encrypt the /Home directory (encrypted LVM), but it does not offer the feature to also encrypt the swap area (they should add this feature asap). Is it more secure to also encrypt the swap area? And what about the need for it in case you’ve disabled the suspend-to-disk feature? Will the swap area still be used by the OS or is there still a chance that data will be written to swap?

During the installation of the Debian host the LVM created a swap space. But how do I encrypt it so that on each startup the system generates a random password for the swap space? This is easier than putting in two long passphrases (one for the /Home directory and one for the swap area).

Any help on this will be much appreciated. Thank you!

They need people capable of implementing this.

Is it more secure to also encrypt the swap area?
Yes. For me it is a must have.
And what about the need for it in case you've disabled the suspend-to-disk feature? Will the swap area still be used by the OS or is there still a chance that data will be written to swap?
Yes.
During the installation of the Debian host the LVM created a swap space. But how do I encrypt it so that on each startup the system generates a random password for the swap space?
Difficult question. Difficult to do, I would say.

Since I like the “encrypt swap with random password” idea and would like to add this to Whonix anyway… I’ve created a script and software package to do exactly this.

Documentation is sparse. It can only be built and installed from source yet. From Whonix package sources in future as well, but that needs more time. And no one besides me has tested it yet. I don’t know if it is compatible with LVM. Probably it is, but no one has tested that yet. So better have a backup or test it in a VM first before you get any data loss. That said, however, you’re welcome as a tester. It can be found here:

I can’t tell pretty much anything about Debian since it’s not my distro of choice + I heard they recently switched to that ugly and stupid systemd :slight_smile:

However, I do know (and I use this feature for a few years already) that Slackware implements this feature and provides a good HOWTO on enabling it (it’s not enabled by default but doing so either during the install process or manually, later, is really trivial).

References:

http://slackware.at/data/slackware-14.1/README_CRYPT.TXT

See the “Encrypted swap” section for a human-readable intro

http://slackware.at/data/slackware-14.1/source/a/sysvinit-scripts/scripts/rc.S

See lines 132-136, notice the usage of /dev/urandom

NOTES: the links are from a random Slackware mirror. If for some reason they won’t work for you, just pick another mirror and get the files from that location. There’s no reason to download the whole distribution just for that.
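As an added example (not from any poster in this thread, and not Patrick's package), here is the Debian counterpart of the Slackware rc.S sequence described above, done declaratively through /etc/crypttab and /etc/fstab, plus a check on the resulting crypttab line. The mapping name cryptswap and the LVM swap device path are assumptions; replace them with the names shown by `ls /dev/mapper` on the host.

```shell
#!/bin/sh
# Added example, not from the thread. "cryptswap" and the swap LV path are
# assumptions; use the real mapper name of the swap LV created by the installer.

# crypttab line: plain dm-crypt, key read from /dev/urandom at every boot.
# "swap" tells Debian's cryptsetup scripts to run mkswap on the fresh mapping;
# aes-xts-plain64 with size=512 is AES-256 in XTS mode.
crypttab_swap_entry() {
    name=$1; device=$2
    printf '%s %s /dev/urandom swap,cipher=aes-xts-plain64,size=512\n' "$name" "$device"
}

# fstab line for the mapping; the installer's entry for the plaintext swap LV
# must be removed, otherwise both would be activated.
fstab_swap_entry() {
    printf '/dev/mapper/%s none swap sw 0 0\n' "$1"
}

# Sanity check for a crypttab line: the key must be /dev/urandom (a file key is
# persistent, not random per boot), options must contain "swap" (otherwise no
# mkswap runs and swapon fails), and the device must be a stable name (LVM
# mapper path or /dev/disk/by-*), because a shifting /dev/sdXN name would get
# mkswap'd and that partition's data destroyed.
check_crypttab_swap() {
    set -- $1
    [ $# -ge 4 ] || return 1
    case $2 in /dev/mapper/*|/dev/disk/by-*) ;; *) return 1 ;; esac
    [ "$3" = /dev/urandom ] || return 1
    case ",$4," in *,swap,*) return 0 ;; *) return 1 ;; esac
}

# One-boot manual version of what rc.S lines 132-136 do (needs root). With a
# random key there is nothing to resume from, so hibernation cannot work.
manual_swap_setup() {
    name=$1; device=$2
    swapoff "$device" 2>/dev/null || true
    cryptsetup open --type plain --cipher aes-xts-plain64 --key-size 512 \
        --key-file /dev/urandom "$device" "$name" \
    && mkswap "/dev/mapper/$name" && swapon "/dev/mapper/$name"
}
```

On Debian, after editing both files, `update-initramfs -u` picks up the new crypttab; check with `swapon --show` after a reboot that the active swap is the /dev/mapper/ name and not the plaintext LV.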