Changes between Version 13 and Version 14 of doc/OperationalSecurity


Ignore:
Timestamp:
Apr 23, 2010, 4:47:35 AM (10 years ago)
Author:
trac
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • doc/OperationalSecurity

    v13 v14  
    1212operating  system has such an option. On some operating systems, it is
    1313possible to have swap space be a file on an encrypted filesystem.
    14 
    15 '''Linux'''
    16 
    17 For 2.4 kernels you either need the [http://loop-aes.sourceforge.net/ loop-AES] or the [http://www.kernel.org/pub/linux/kernel/crypto/v2.4/testing/  Cryptoloop] patch. A forward port of the Cryptoloop patch is available [http://www.northernsecurity.net/download/patch-cryptoloop-jari-2.4.27.0  here].
    18 
    19 When compiling the kernel include CONFIG_BLK_DEV_CRYPTOLOOP=y and the ciphers you want to support.
    20 
    21 Sample script to encrypt swap and /tmp.
    22 It encrypts /dev/hda2 (swap) and /dev/hda5 (/tmp) with AES.
    23 If you want a more complex setup (random chipers etc) check out [http://www.northernsecurity.net/download/encswap.tar.gz EncSwap].
    24 
    25 {{{
    26 #!/bin/sh
    27 pw(){
    28          dd if=/dev/urandom bs=1 count=256 2> /dev/null \
    29                   | head -n 2 | tail -n 1 | tr [+/=] 0-9
    30 }
    31 
    32 echo -n "Building encrypted swap-device... "
    33 swapoff /dev/loop1
    34 losetup -d /dev/loop1
    35 
    36 pw | losetup -e aes -k 256 -p 0 /dev/loop1 /dev/hda2
    37 mkswap /dev/loop1
    38 swapon -p 1 /dev/loop1
    39 
    40 echo -n "Building encrypted /tmp ... "
    41 umount /dev/loop3
    42 losetup -d /dev/loop3
    43 
    44 pw | losetup -e aes -k 256 -p 0 /dev/loop3 /dev/hda5
    45 mkfs -t ext2 /dev/loop3
    46 mount -o nosuid,nodev -t ext2 /dev/loop3 /tmp
    47 chmod 1777 /tmp
    48 }}}
    49 
    50 More details: [http://www.tldp.org/HOWTO/Cryptoloop-HOWTO/  Cryptoloop-HOWTO]
    51 
    52 On Debian, running at least a 2.6.4 kernel, encrypting swap is simple as doing
    53 a aptitude/apt-get install cryptsetup.
    54 After you compiled support for [http://www.saout.de/misc/dm-crypt/  DM-CRYPT] (CONFIG_BLK_DEV_DM=y CONFIG_DM_CRYPT=y) and
    55 the ciphers you want to support add the following to /etc/crypttab
    56 
    57 {{{
    58 # <target device> <source device> <key file> <options>
    59 swap                    /dev/hda2 /dev/urandom swap
    60 }}}
    61 
    62 where /dec/hda2 is your swap-device.
    63 Reboot.
    64 You should see something like
    65 {{{
    66 Adding 104412k swap on /dev/mapper/swap.  Priority:1 extents:1
    67 }}}
    68 
    69 /proc/swaps should include
    70 {{{
    71 /dev/mapper/swap                        partition       104412  0       1
    72 }}}
    73 
    74 A quick and dirty script to encrypt /tmp which is located on /dev/hda5 in this example:
    75 
    76 {{{
    77 #
    78 # dmcrypt /tmp
    79 #
    80 cryptsetup remove tmp 2> /dev/null > /dev/null
    81 echo -n "Encrypting /tmp ..."
    82 cryptsetup -d /dev/urandom create tmp /dev/hda5
    83 mkfs.ext2 /dev/mapper/tmp  2> /dev/null > /dev/null
    84 echo " Done"
    85 }}}
    86 
    87 '''Windows'''
    88 
    89 You're able clean the swap in Windows 2000/XP by enabling "Shutdown: Clear
    90 virtual memory pagefile" in you local security policy.
    91 For Windows 95/NT visit [http://www.stack.nl/~galactus/remailers/wipeswap.html this page].
    9214
    9315{{{
     
    15779== Operating System Paranoia ==
    15880
    159 Some operating systems come in "high security" flavors, such as Security
     81Some operating systems come in "high security" flavors, such as Secur
    16082Enhanced  Linux,  TrustedBSD and OpenBSD. These systems offer advanced
    16183security mechanisms such as mandatory access control (MAC), application