dm-crypt/スワップの暗号化
Dm-crypt に戻る。
必要に応じて、以下で説明する様々な方法を使ってスワップパーティションを暗号化することができます。再起動時にスワップパーティションを (新しい暗号を使って) 初期化することで、過去にスワップアウトされた重要なファイルの断片がそのまま残ってしまうのを防ぐことができ、強固なデータの保護が可能になります。ただし、スワップを暗号化すると基本的にハイバネートが使えなくなってしまいます。
目次
suspend-to-disk を使用しない
suspend-to-disk が必要ない場合、起動時にランダムなキーでスワップパーティションを暗号化することができます。起動するたびにパーティションの中身は破壊されます。plain dm-crypt を使って mkswap
を呼び出すように /etc/crypttab
を設定します: point cryptsetup FAQ 2.3 と man (5) crypttab
の "swap" オプションを見て下さい。
デフォルトの /etc/crypttab
に初めからスワップの暗号化についての行が含まれているので、アンコメントして <device>
パラメータをあなたの使用しているスワップデバイスの名前に変更することで使えます。
/etc/crypttab
# <name> <device> <password> <options> # swap /dev/sdaX /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256
Where:
- <name>
- Represents the name to state in the first column of
/etc/fstab
(as "/dev/mapper/<name>
"). - <device>
- Should be the persistent device name for the swap device.
- <password>
/dev/urandom
sets the dm-crypt master key to be randomized on every volume recreation.- <options>
- The
swap
option runs mkswap after cryptographic's are setup.
For example, by-id
persistent device naming is first identified for the chosen device:
# ls -l /dev/disk/*/* | grep sdaX
lrwxrwxrwx 1 root root 10 Oct 12 16:54 /dev/disk/by-id/ata-WDC_WD2500BEVT-22ZCT0_WD-WXE908VF0470-partX -> ../../sdaX lrwxrwxrwx 1 root root 10 Oct 12 16:54 /dev/disk/by-id/wwn-0x60015ee0000b237f-partX -> ../../sdaX
and then used as a persistent reference for the /dev/sdaX
example partition (if two results are returned as above, choose either one of them):
/etc/crypttab
# <name> <device> <password> <options> swap /dev/disk/by-id/ata-WDC_WD2500BEVT-22ZCT0_WD-WXE908VF0470-partX /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256
This will map /dev/sdaX
to /dev/mapper/swap
as a swap partition that can be added in /etc/fstab
like a normal swap. If you had a non-encrypted swap partition before, do not forget to disable it - or re-use its fstab entry by changing the device to /dev/mapper/swap
.
After a reboot to activate the encrypted swap, you will note that running swapon -s
shows an arbitrary device mapper entry (e.g. /dev/dm-1
) for it, while the lsblk
command shows crypt in the FSTYPE
column. Due to fresh encryption each boot, the UUID for /dev/mapper/swap
will change every time.
If the partition chosen for swap was previously a LUKS partition, crypttab will not overwrite the partition to create a swap partition. This is a safety measure to prevent data loss from accidental mis-identification of the swap partition in crypttab. In order to use such a partition the LUKS header must be overwritten once.
suspend-to-disk を使用する
The following three methods are alternatives for setting up an encrypted swap for resume-from-disk. If you apply any of them, be aware that critical data swapped out by the system may potentially stay in the swap over a long period (i.e. until it is overwritten). To reduce this risk consider setting up a system job which re-encrypts swap, e.g. each time the system is going into a regular shut-down, along with the method of your choice.
LVM on LUKS
suspend-to-disk のサポートを暗号化されたスワップで実現するシンプルな方法は暗号化レイヤーで LVM を使うことです。暗号化されたパーティションにいくらでもファイルシステムを含めることができるようになります (root, swap, home, ...)。Dm-crypt/システム全体の暗号化#LVM on LUKS の手順に従ってから必要なカーネルパラメータを設定してください。
Assuming you have setup LVM on LUKS with a swap logical volume (at /dev/MyStorage/swap
for example), all you need to do is add the resume mkinitcpio hook, and add the resume=/dev/MyStorage/swap
kernel parameter to your boot loader. For GRUB, this can be done by appending it to the GRUB_CMDLINE_LINUX_DEFAULT
variable in /etc/default/grub
.
/etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="... resume=/dev/MyStorage/swap"
then run grub-mkconfig -o /boot/grub/grub.cfg
to update GRUB's configuration file.
To add the mkinitcpio hook, edit the following line in mkinitcpio.conf
/etc/mkinitcpio.conf
HOOKS="... encrypt lvm2 resume ... filesystems ..."
then run mkinitcpio -p linux
to update the initramfs image.
mkinitcpio フック
To be able to resume after suspending the computer to disk (hibernate), it is required to keep the swap filesystem intact. Therefore, it is required to have a pre-existent LUKS swap partition, which can be stored on the disk or input manually at startup. Because the resume takes place before /etc/crypttab
can be used, it is required to create a hook in /etc/mkinitcpio.conf
to open the swap LUKS device before resuming.
If you want to use a partition which is currently used by the system, you have to disable it first:
# swapoff /dev/<device>
Also make sure you remove any line in /etc/crypttab
pointing to this device.
The following setup has the disadvantage of having to insert an additional passphrase for the swap partition manually on every boot.
To format the encrypted container for the swap partition, create a keyslot for a user-memorizable passphrase.
Open the partition in /dev/mapper
:
# cryptsetup open --type luks /dev/<device> swapDevice
Create a swap filesystem inside the mapped partition:
# mkswap /dev/mapper/swapDevice
起動時にスワップをオープンにするフックを作成する必要があります。mkinitcpio-openswapAUR をインストールして設定するか、以下の手順に従って下さい。open コマンドを記述したフックファイルを作成:
/lib/initcpio/hooks/openswap
run_hook () { cryptsetup open --type luks /dev/<device> swapDevice }
for opening the swap device by typing your password or
/lib/initcpio/hooks/openswap
run_hook () { mkdir crypto_key_device mount /dev/mapper/<root-device> crypto_key_device cryptsetup open --type luks --key-file crypto_key_device/<path-to-the-key> /dev/<device> swapDevice umount crypto_key_device }
for opening the swap device by loading a keyfile from a crypted root device
Then create and edit the hook setup file:
/lib/initcpio/install/openswap
build () { add_runscript } help () { cat<<HELPEOF This opens the swap encrypted partition /dev/<device> in /dev/mapper/swapDevice HELPEOF }
Add the hook openswap
in the HOOKS
array in /etc/mkinitcpio.conf
, before filesystem
but after encrypt
. Do not forget to add the resume
hook after openswap
.
HOOKS="... encrypt openswap resume filesystems ..."
Regenerate the boot image:
# mkinitcpio -p linux
Add the mapped partition to /etc/fstab
by adding the following line:
/dev/mapper/swapDevice swap swap defaults 0 0
Set up your system to resume from /dev/mapper/swapDevice
. For example, if you use GRUB with kernel hibernation support, add resume=/dev/mapper/swapDevice
to the kernel line in /boot/grub/grub.cfg
. A line with encrypted root and swap partitions can look like this:
kernel /vmlinuz-linux cryptdevice=/dev/sda2:rootDevice root=/dev/mapper/rootDevice resume=/dev/mapper/swapDevice ro
To make the parameter persistent on kernel updates, add it to /etc/default/grub
.
At boot time, the openswap
hook will open the swap partition so the kernel resume may use it. If you use special hooks for resuming from hibernation, make sure they are placed after openswap
in the HOOKS
array. Please note that because of initrd opening swap, there is no entry for swapDevice in /etc/crypttab
needed in this case.
スワップファイルを使う
A swap file can be used to reserve swap-space within an existing partition and may also be setup inside an encrypted blockdevice's partition. When resuming from a swapfile the resume
hook must be supplied with the passphrase to unlock the device where the swap file is located.
To create it, first choose a mapped partition (e.g. /dev/mapper/rootDevice
) whose mounted filesystem (e.g. /
) contains enough free space to create a swapfile with the desired size.
Now create the swap file (e.g. /swapfile
) inside the mounted filesystem of your chosen mapped partition. Be sure to activate it with swapon
and also add it to your /etc/fstab
file afterward. Note that the swapfile's previous contents remain transparent over reboots.
Set up your system to resume from your chosen mapped partition. For example, if you use GRUB with kernel hibernation support, add resume=
your chosen mapped partition and resume_offset=
see calculation command below to the kernel line in /boot/grub/grub.cfg
. A line with encrypted root partition can look like this:
kernel /vmlinuz-linux cryptdevice=/dev/sda2:rootDevice root=/dev/mapper/rootDevice resume=/dev/mapper/rootDevice resume_offset=123456789 ro
The resume_offset
of the swap-file points to the start (extent zero) of the file and can be identified like this:
# filefrag -v /swapfile | awk '{if($1=="0:"){print $4}}'
resume
フックを etc/mkinitcpio.conf
ファイルに追加してイメージを再生成してください:
HOOKS="... encrypt resume ... filesystems ..."
If you use a USB keyboard to enter your decryption password, then the keyboard
module must appear in front of the encrypt
hook, as shown below. Otherwise, you will not be able to boot your computer because you could not enter your decryption password to decrypt your Linux root partition! (If you still have this problem after adding keyboard
, try usbinput
, though this is deprecated.)
HOOKS="... keyboard encrypt ..."