You are not logged in.

#1 2020-01-11 17:07:36

coolgoose54
Member
Registered: 2015-12-09
Posts: 13

[SOLVED] Encrypted swap and hibernate

I have been thinking of encrypting my swap and read about issues with Hibernate/Suspend-to-disk. I would prefer unlocking swap with no manual intervention because more often than not I remotely reboot my machines. I have been wondering about an idea and was checking if anybody tried it or knows if this will work or not.

Can I define a hook for reboot and hibernate such that the hook will create the key file and make it available on an unencrypted disk (could be EFI partition) and use this keyfile to unlock swap partition on bootup ? The hook can rotate the key file to urandom data when rebooting but preserve the last key when hibernating.

I understand the risk that it is making the key available to anyone who has access to the disk but there is no other good way of unlocking swap with manual intervention other than storing keys on USB disks. This way keys will be rotated and swap will be cleaned up every time the system reboots. I sparingly use hibernate but you desperately need it when you do and in those situations it would allow resume-from-suspend.

Last edited by coolgoose54 (2020-01-15 23:16:51)

Offline

#2 2020-01-11 19:38:23

mxfm
Member
Registered: 2015-10-23
Posts: 141

Re: [SOLVED] Encrypted swap and hibernate

coolgoose54 wrote:

I have been thinking of encrypting my swap and read about issues with Hibernate/Suspend-to-disk. I would prefer unlocking swap with no manual intervention because more often than not I remotely reboot my machines. I have been wondering about an idea and was checking if anybody tried it or knows if this will work or not.

Can I define a hook for reboot and hibernate such that the hook will create the key file and make it available on an unencrypted disk (could be EFI partition) and use this keyfile to unlock swap partition on bootup ? The hook can rotate the key file to urandom data when rebooting but preserve the last key when hibernating.

I understand the risk that it is making the key available to anyone who has access to the disk but there is no other good way of unlocking swap with manual intervention other than storing keys on USB disks. This way keys will be rotated and swap will be cleaned up every time the system reboots. I sparingly use hibernate but you desperately need it when you do and in those situations it would allow resume-from-suspend.

1. I cannot think of any other option except for keyfile (for the stated purpose - reboot without manual intervention).

2. From 1 it follows that keyfile should be accessible during boot. You can define any hook which archieves your purpose. The drawback of keyfile is that it remains unencrypted, so anyone with physical access can get the password. Theoretically, if you reboot machine remotely, you can try to upload keyfile before reboot and then delete it.

Offline

#3 2020-01-12 14:46:47

coolgoose54
Member
Registered: 2015-12-09
Posts: 13

Re: [SOLVED] Encrypted swap and hibernate

mxfm wrote:

Theoretically, if you reboot machine remotely, you can try to upload keyfile before reboot and then delete it.

I would be little more comfortable dropping a rotating keyfile in an unencrypted accessible location rather than remotely transferring a static keyfile. But your point taken, that one could drop a rotating keyfile remotely.

Offline

Board footer

Powered by FluxBB