
Idea #8767: Encrypted swap by default



Score: 64
Written by holizz on 18 May 08 at 17:34. Category: Security.
Related to: Nothing/Others. Status: New
Description
Ubiquity should set up encrypted swap unless told not to, because encrypted swap doesn't require entering a password at every boot, and it increases security against forensic investigation.
Tags: swap


Developer comments
This was discussed at UDS-Prague. The main issue with this is that it is difficult to resume after a hibernate.


Comments
steve196 wrote on the 18 May 08 at 19:00
Few people fear forensic investigation, but the swap file has private data like credit card info etc. that could be picked up by thieves or trojan programs.
+1 for having the option in the installer.
I do not know if it should be the default.

Mishtal wrote on the 18 May 08 at 20:30
I doubt that many people would notice a performance drop, and most users would appreciate their information being protected without having to ask for it to be done.

+1

markoresko wrote on the 18 May 08 at 21:54
+1
Swap is also used during hibernate, so all data in memory
could be looked into if you lose your laptop etc.

Eldmannen wrote on the 18 May 08 at 23:07
Great idea.

neon wrote on the 19 May 08 at 01:01
Ubuntu: Linux for Human Criminals.


[+1]

Eldmannen wrote on the 19 May 08 at 13:20
neon,
Not everyone who uses encryption is a criminal.
Only a minority of the users who use encryption are criminals.

* Maybe someone wants to hide his porn from his wife.
* Maybe someone lives in a country where he can be tortured and killed if he has documents relating to democracy or freedom on his computer.
* Maybe someone works at a company and has a customer information database.

Auzy wrote on the 19 May 08 at 13:38
By default though?? That's kinda questionable. -1.

My reasoning is that there should be an advanced mode (or advanced tab) during the installation where you set encryption options. Otherwise, it's already been proven from "results" seen in some ideas here that people will purposely benchmark with default settings (which is valid for OSes, because gamers shouldn't be expected to have to tweak things to speed up their computer).

I like the idea, but definitely not by default, because the computers which are worst affected by swap will get an extra kick in the guts when you also start encrypting it.

We aren't OpenBSD. And it's a bit counter-intuitive to enable stuff like this by default that decreases performance at the worst time, which doesn't have much security gain, when nobody wants to also sandbox Firefox, or have an SELinux kernel available.

Slowing Linux down by default, as Vista has shown, is a good way to also scare off gamers.

I'll happily vote for an idea, which wants to offer this during installation AS AN OPTION! But by default = -1 for me.

Although, it would make sense to suggest no swap file during install for seriously paranoid users too, as encryption can still be cracked anyway.

Lukehasnoname wrote on the 19 May 08 at 15:04
Does having an encrypted swap space require substantial overhead? Does it cause any extra trouble for the end user?

This should at LEAST be an option at install time. Default? Depends on the circumstances above.

Lukehasnoname wrote on the 19 May 08 at 15:05
EDIT: I guess it is an install-time option? Using LVM to create a swap space, is that possible (without using a password every time on boot)?

thebigbluecan wrote on the 19 May 08 at 15:08
+1
Personal Security and Freedom to do so!

neon wrote on the 19 May 08 at 22:32
Eldmannen:
I was kidding. xD I just found it funny that he specified hiding it for forensic evidence. However, you are right, I did not think about those countries that do that type of stuff. :/ However, technically by their government they would be a criminal.

zooounds wrote on the 20 May 08 at 18:23
Are you supposed to input a password every boot (before the swap can be used)?


steve196 wrote on the 20 May 08 at 20:11
@zooounds: no
A random number is used as the key for swap. As soon as the key is forgotten (the computer is turned off), the swap data becomes worthless garbage.
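
As an added example (not code from this page, from the idea's author, or from Ubuntu's installer), this is what the random-key arrangement described in the comment above looks like on a dm-crypt system, together with two checks a practitioner would want: whether /etc/crypttab actually configures a random-key swap, and whether the swap that is active right now sits on a dm-crypt mapping. The mapping name cryptswap and the partition /dev/sda3 are assumptions; the crypttab fields and cryptsetup options are the standard ones.

```shell
#!/bin/sh
# Added example, not the page's or the installer's own code.
# Random-key encrypted swap with dm-crypt "plain" mode: the key is read from
# /dev/urandom at boot, lives only in kernel memory, and is gone at power-off,
# so whatever was paged out is unrecoverable afterwards.
# Assumptions for illustration: mapping name "cryptswap", partition /dev/sda3.

# /etc/crypttab line that makes the setup persistent. Fields: target, source,
# key file, options. The "swap" option tells the crypttab hook to run mkswap on
# the freshly created mapping every boot (nothing old is readable anyway).
crypttab_entry() {
    printf '%s\n' "cryptswap $1 /dev/urandom swap,cipher=aes-xts-plain64,size=256"
}

# One-off manual equivalent (needs root; destroys whatever is on $1).
setup_random_key_swap() {
    dev=$1
    swapoff "$dev" 2>/dev/null || true
    cryptsetup open --type plain --key-file /dev/urandom \
        --cipher aes-xts-plain64 --key-size 256 "$dev" cryptswap
    mkswap /dev/mapper/cryptswap
    swapon /dev/mapper/cryptswap
}

# Check 1: given the text of /etc/crypttab on stdin, succeed only if some
# entry uses a random key (field 3) and carries the "swap" option (field 4).
crypttab_has_random_swap() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        ($3 == "/dev/urandom" || $3 == "/dev/random") && $4 ~ /(^|,)swap(,|$)/ { found = 1 }
        END { exit !found }
    '
}

# Check 2: every active swap device listed in /proc/swaps must be a device-
# mapper node whose table target is "crypt" (third field of "dmsetup table").
# Note: a swap logical volume inside a LUKS physical volume shows a "linear"
# target here, so this check only recognises swap mapped directly by dm-crypt.
active_swap_is_encrypted() {
    for dev in $(tail -n +2 /proc/swaps | awk '{ print $1 }'); do
        case "$dev" in
            /dev/mapper/*|/dev/dm-*) ;;
            *) echo "unencrypted swap: $dev" >&2; return 1 ;;
        esac
        dmsetup table "$dev" | awk '$3 == "crypt" { ok = 1 } END { exit !ok }' \
            || { echo "$dev is not a dm-crypt mapping" >&2; return 1; }
    done
}

# Usage on a live system: sh this_script.sh --audit
if [ "${1:-}" = "--audit" ]; then
    active_swap_is_encrypted && echo "all active swap is dm-crypt backed"
    crypttab_has_random_swap < /etc/crypttab && echo "crypttab has a random-key swap entry"
fi
```

Two caveats that follow from the design. Identify the partition in crypttab by a stable device path (for example under /dev/disk/by-id or /dev/disk/by-partuuid), not by the UUID of a swap signature: the raw partition holds only ciphertext, and the signature mkswap writes onto the mapping is new every boot. And the developer comment above applies directly: the key that encrypted a hibernation image no longer exists after power-off, so resume from hibernate cannot work with this layout.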

fusiondog wrote on the 22 May 08 at 16:44
As default no, visible option yes.
If you're in swap space at all you're already running 1000 times slower than RAM; compound that with encryption on every read/write and the factor may be more like 10,000 or more.

On a system where security concerns override performance concerns, yes; however, for most users, if someone has access to your swap space you're already p0wnd beyond need for much further concern.

jonaskoelker wrote on the 4 Jun 08 at 04:11
Regarding the speed concerns: if you make the kernel encrypt some pages in advance, it can swap those out while encrypting the next. That alleviates write slowdowns. If you can predict reads, you can handle those as well in a similar way.

> if someone has access to your swap space you're already p0wnd beyond need for much further concern.
Suppose you have a private key stored on disk, encrypted with a password-derived key (for a symmetric cipher). You then load the private key into ram, decrypt it, and whoops--it gets swapped out.

If you have swap encryption, your private key is not compromised.

Regarding resuming from hibernation: upon hibernation you ask the user for a password from which you derive a key which you use to encrypt the hibernated data (decrypt some with the old key if need be). When the user resumes, you ask for that key and use it to bring data back into memory. Any data that should be left on the swap partition gets decrypted and re-encrypted with the key for the current session.

Or you could ask the user...

bigfox wrote on the 16 Jul 08 at 20:19
The Alternate install CD for Ubuntu already allows you to set up full drive encryption (Encrypted LVM). This includes encryption for the swap, as it is inside the encrypted LVM.

You do have to enter a password at boot, however, there is no way around this if you want the encryption to be of any use.

Encrypted swap is useless by itself because if your whole hard drive is not encrypted, then the attacker would just pull your unencrypted data off the drive and ignore the swap.

Resume from hibernation can still work: once the LVM is decrypted at boot, the swap can be read as it normally would be.
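
As an added example (not from the page, from this commenter, or from the Ubuntu installer), the hibernation-capable layout described in the comment above: swap is a logical volume inside one LUKS container that is unlocked with the boot passphrase, and the initramfs is told where the hibernation image lives. The check at the end catches the usual failure, a RESUME setting that does not name the swap device that is actually active. The names sda5_crypt, vg and swap and the UUID placeholder are assumptions.

```shell
#!/bin/sh
# Added example, not the page's own or the installer's code.
# Swap as an LVM logical volume on top of a single LUKS container: one
# passphrase at boot unlocks the container, LVM activates root and swap on
# it, and because the key is persistent the hibernation image written to
# swap is readable again on the next boot.
# Assumptions: crypttab target sda5_crypt, volume group vg, LV swap.

# /etc/crypttab: key file "none" means cryptsetup prompts for the passphrase
# in the initramfs. Everything on this PV, swap included, is under one key.
crypttab_luks_entry() {
    printf '%s\n' "sda5_crypt UUID=$1 none luks"
}

# /etc/fstab: the swap LV by its mapper path. Unlike random-key swap, the
# signature mkswap wrote persists, so a UUID= reference would be stable too.
fstab_swap_entry() {
    printf '%s\n' "/dev/mapper/vg-swap none swap sw 0 0"
}

# /etc/initramfs-tools/conf.d/resume: the resume hook must be pointed at the
# decrypted swap device; after editing, run "update-initramfs -u".
resume_conf() {
    printf 'RESUME=%s\n' "/dev/mapper/vg-swap"
}

# Check: does the RESUME setting ($1 = text of the resume conf) name a device
# that is currently active as swap ($2 = text of /proc/swaps)? If not, the
# initramfs looks for the image on the wrong device and the machine simply
# cold-boots, discarding the hibernated session.
resume_points_at_active_swap() {
    target=$(printf '%s\n' "$1" | sed -n 's/^RESUME=//p' | tail -n 1)
    [ -n "$target" ] || return 1
    printf '%s\n' "$2" | tail -n +2 \
        | awk -v t="$target" '$1 == t { ok = 1 } END { exit !ok }'
}

# Live check on a running system (needs the two files to exist).
check_live_resume() {
    resume_points_at_active_swap \
        "$(cat /etc/initramfs-tools/conf.d/resume)" "$(cat /proc/swaps)"
}
```

The check only recognises RESUME given as a device path; if the file uses the RESUME=UUID=... form, resolve it first (blkid -U) and compare the resulting path. Since the swap LV is a linear mapping on top of the LUKS device, confirming that it is encrypted means confirming that its physical volume is the dm-crypt mapping, not inspecting the swap LV's own table.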

