Everytime you open files, enter passwords, and do things on your computer, data is being opened in RAM. And over time, that data in RAM can get saved to your swap (located on your hard drive) as the system needs more RAM.
Due to this, sensitive information in RAM can make it onto your swap, and thus your hard drive.
And this data can be recovered later by others.
To prevent this, you can encrypt your swap, making it harder to recover. There are many ways to do this. We will cover a few here.
Warning
Encrypting a swap will not protect the system while running. It only protects data when the system is off.
This document assumes you understand command line, creating swaps, editing of system files, etc.
Warning
Following these steps could destroy your system, its data, and/or make it unbootable. If that sounds scary, consider learning and then doing these steps on a test system or Virtual Machine that you can loose (snapshot first!).
Crypttab
There’s a file called /etc/crypttab that can be used to specify encrypted devices and files that the system is supposed to load up on boot. On systemd systems this is used by systemd-cryptsetup-generator to create unit files to load the devices/files.
The format is fairly simple. There are four columns. From the man page:
- The first field contains the name of the resulting encrypted block device; the device is set up within /dev/mapper/.
- The second field contains a path to the underlying block device or file, or a specification of a block device via “UUID=” followed by the UUID.
- The third field specifies the encryption password. If the field is not present or the password is set to “none” or “-”, the password has to be manually entered during system boot. Otherwise, the field is interpreted as an absolute path to a file containing the encryption password. (Do not use /dev/random).
- The fourth field, if present, is a comma-delimited list of options.
Let’s show some examples of how to do this.
With a Set Password
In this example we will create an encrypted swap device that has a password that must be entered on each boot.
Note
This section introduces the encrypted swap idea. However, with a set password the data is kept between reboots. It is encrypted, but an attacker could recover sensitive data from it if they obtain the password.
See the next sections for creating an encrypted swap with a new randomly generated password for each boot.
Comment out any swap entry(s) in your /etc/fstab file.
To find out what your swap file is:
- look in
/etc/fstab. - or use
fdisk -l /dev/sdXto list your partitions.
In this example, we’ll say the encrypted swap device is /dev/sdXY.
But before that, fill the device with random data. Otherwise it’s easy to see how much random data is on the drive.
Warning
All data will be permanently erased on the drive! As they say: “Measure twice, cut once.”
dd if=/dev/urandom of=/dev/sdXY bs=10M
Now, setup the encryption. The prompted password will need to be entered each time the system starts. (See man cryptsetup for other options).
cryptsetup luksFormat /dev/sdXY
And then mount it up
cryptsetup luksOpen /dev/sdXY cryptswap
It will create a device at /dev/mapper/cryptswap. Anything written here will be encrypted and save to /dev/sdXY as encrypted data.
Now we need to format it as a swap.
mkswap /dev/mapper/cryptswap
And now we can run swapon /dev/mapper/cryptswap and we’ll see it’s in the system.
We don’t want to specify /dev/sdXY in our fstab, because if the partition order (or disk order) is changed, then the system may look in the wrong location for it.
Instead, we’ll specify the uuid of the partition. So find it:
cryptsetup luksDump /dev/sdXY | grep UUID
Which will show something like this, where the second part is the uuid of the encrypted area.
UUID: 1234567-890ab-cdef-987654321
To start it up when we boot, we need to add it to our /etc/crypttab file:
cryptswap UUID=1234567-890ab-cdef-987654321 none luks
That tells it to find the uuid of 1234567-890ab-cdef-987654321 (which will point to /dev/sdXY) as the source device, that is a luks format, and to save it as /dev/mapper/cryptswap. The none says that it requires a password to be created.
Now, that will create the encryption device. But it won’t load the swap. That’s for fstab. In your /etc/fstab put:
/etc/mapper/cryptswap none swap defaults 0 0
which will do the loading of the swap. And that’s it. Next time you reboot, you’ll be prompted to enter your password for your swap.
With a Random Key
Let’s say we have a server, and we want to have the ability to encrypt the swap, but we don’t want to have to enter in the password each time it boots.
Or if we are concerned about data being saved to the swapfile and later recovered, then this can help mitigate it.
Note
Hard drives tend to keep deleted data around. So if the previous key(s) are compromised, an attacker may be able to use those key(s) to decrypt recovered swap data.
To do this, we can either use a keyfile, or have the system create a random key for the swap. The first one is fairly simple, and you can do the same as the above section, substituting in a key for your password (hint: the key option for cryptsetup is --key-file).
But in this example, we will take it one step further and make the swap file make a random key on each boot. That way, what happens on one boot is unknown to the next.
We will use a system that has and LVM setup. If you don’t have that, your can create a single LVM partition on your swap device. The reason for using LVM is so crypttab can easily identify the right location of the device used for the encrypted swap. You see, it’s going to overwrite that partition with the encrypted swap. If it picks your system/data partition by accident, then bye bye data. Thus, using something like /dev/sdXY is a bad choice because if the disk’s partitions should change, you’d loose a partition of data.
And using the uuid won’t work, because it will change on each boot of the system.
So, in this example we will create an encrypted swap on our LVM /dev/mapper/my_vgXY-swap, and it will use a different key on each boot.
First, comment out your current swap entry(s) in /etc/fstab.
We don’t need to create the random device, nor the swap. Crypttab will take care of that. You’ll want to fill the partition up with random data to hide how full/empty it is:
Warning
This will permanently erase everything on the selected device!
dd if=/dev/urandom of=/dev/mapper/my_vgXY-swap bs=10M
Once that’s done, put this in your /etc/crypttab file:
cryptswap /dev/mapper/my_vgXY-swap /dev/urandom swap
And then all we have to do is tell fstab to load it but putting this into /etc/fstab:
/dev/mapper/cryptswap none swap defaults 0 0
And we’re done. Reboot, and you will now have an encrypted swap.
Random key but as a swapfile
If you’d like to use the random key, but don’t have a LVM, then you can use a swapfile.
We’ll use the example swapfile of /swapfile42.
Warning
This will permanently erase the file /swapfile42! (If it exists)
First, create the file. In the below example, it will create a 1GB (1024MB) swap file. Adjust as desired.
dd if=/dev/urandom of=/swapfile42 bs=1M count=1024 status=progress
Check that it was created correctly.
ls -lh /swapfile42
Now add this to /etc/crypttab
cryptswap42 /swapfile42 /dev/urandom swap,cipher=twofish-xts-plain64,size=256,hash=sha256
You can use aes-xts-plain64 instead of twofish, if you prefer.
Finally, add it to /etc/fstab
/dev/mapper/cryptswap42 none swap defaults 0 0
Conclusion
With that, you now have an encrypted swap with either your own key or a randomly generated one.