<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xml:base="http://ideas.4brad.com" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
 <title>Brad Ideas - Swap should be encrypted by default - Comments</title>
 <link>http://ideas.4brad.com/swap-should-be-encrypted-default</link>
 <description>Comments for &quot;Swap should be encrypted by default&quot;</description>
 <language>en</language>
<item>
 <title>Wipe</title>
 <link>http://ideas.4brad.com/swap-should-be-encrypted-default#comment-10981</link>
 <description>&lt;p&gt;I&amp;#8217;m not sure what you mean here.  If the swap is encrypted, there is no need to wipe it.  If the swap is not encrypted, there is no key (unless you mean other keys to other disk encryption systems) that would be in the swap.    If the swap is not encrypted however, any block could contain a useful page of memory, including pages with passwords not just to encrypted disks and accounts but also web sites, browser password vaults etc.   You thus must wipe it all.&lt;/p&gt;

&lt;p&gt;The ZUI here is that you have no need to know or deal with the key encrypting your swap.  It is OK to generate it randomly each time and just use it.  The user does not even have to know it exists.  The ZUI means there is no reason not to do it by default, so everybody is protected.&lt;/p&gt;

&lt;p&gt;If you are going to the trouble of installing another disk encryption scheme &amp;#8212; which very few people do &amp;#8212; you can have it manage your swap and hibernation encryption so you don&amp;#8217;t have extra passwords to manage.  Or you can leave the swap encryption with its own key &amp;#8212; but you must make sure that key is stored, but not in the clear, during hibernation.  (Most hibernation systems make use of the swap or leave swapped-out-pages on disk where they are.)&lt;/p&gt;
</description>
 <pubDate>Tue, 01 Dec 2009 22:59:36 -0800</pubDate>
 <dc:creator>brad</dc:creator>
 <guid isPermaLink="false">comment 10981 at http://ideas.4brad.com</guid>
</item>
<item>
 <title>Fast wiping the swap is easy</title>
 <link>http://ideas.4brad.com/swap-should-be-encrypted-default#comment-10980</link>
 <description>&lt;p&gt;Just corrupting/overwriting the first few MB plus the key will make it very hard to decrypt. You&#039;re dealing with random-ish snippets written to disk in random-ish order, only now you don&#039;t have the index or the decryption key. So quite tricky to decrypt and very quick to perform, which is about all you can ask for from an &quot;instant wipe&quot;. It&#039;s only a 20% solution but I think it&#039;ll cover 80% of the situations.&lt;/p&gt;
&lt;p&gt;I&#039;m not into ZUI, but I prefer one or two solid systems over dozens. Two long, ugly passphrases should be enough. I stack a password manager on top of disk encryption for the sensitive stuff that I don&#039;t want to have always available, and hopefully one day TrueCrypt will support recovery on my laptop (which has either a hard disk or a DVD drive, but never both coz they live in the same bay - the original hard disk died some time after they stopped making small enough hard disks for the controller to cope with, but the &quot;second disk&quot; bay takes SATA disks of arbitrary size and I can boot off it). TrueCrypt recovery CD doesn&#039;t work if hacked onto a bootable USB key. For me anyway. Which is another point - not needing ZUI doesn&#039;t mean &quot;will accept any amount of hassle&quot;...&lt;/p&gt;
</description>
 <pubDate>Tue, 01 Dec 2009 21:00:24 -0800</pubDate>
 <dc:creator>Moz</dc:creator>
 <guid isPermaLink="false">comment 10980 at http://ideas.4brad.com</guid>
</item>
<item>
 <title>CPU cost of swap</title>
 <link>http://ideas.4brad.com/swap-should-be-encrypted-default#comment-10970</link>
 <description>&lt;p&gt;I agree that it is rare that this would be an issue, since of course when swapping you are rarely CPU bound as you say.&lt;/p&gt;

&lt;p&gt;However, wiping the swap on shutdown is not a suitable answer. &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;You might well have gigs of swap.  I have 8b of swap and have seen gigs used.  This can take quite a long time to wipe&lt;/li&gt;
&lt;li&gt;Even wiping a disk does not mean the data can&amp;#8217;t be recovered, though that requires a more advanced threat&lt;/li&gt;
&lt;li&gt;This doesn&amp;#8217;t help you if you want to suddenly decide to power off your computer because somebody wants to take it.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Of course, sudden power-off of laptops is not usually easy (it means holding down the power button for about 5 seconds or yanking the battery) but it&amp;#8217;s often very easy for desktops.&lt;/p&gt;

&lt;p&gt;As noted in the future I expect computers to come with a function to wipe the special key-holding memory during emergency shutdowns.  A computer actually can do vast numbers of instructions between the time it detects power failure and the power is actually truly gone, due to the capacitors.   Of course if doing a shutdown via a button you have even more time.&lt;/p&gt;

&lt;p&gt;My main point is, you can do encrypted swap with ZUI, so it should be done.  ZUI does not mean there is no UI for complex stuff, it just means that something useful occurs with no UI.&lt;/p&gt;
</description>
 <pubDate>Mon, 30 Nov 2009 01:46:49 -0800</pubDate>
 <dc:creator>brad</dc:creator>
 <guid isPermaLink="false">comment 10970 at http://ideas.4brad.com</guid>
</item>
<item>
 <title>This plan sounds ok, but I&#039;d</title>
 <link>http://ideas.4brad.com/swap-should-be-encrypted-default#comment-10969</link>
 <description>&lt;p&gt;This plan sounds ok, but I&#039;d go for the cheaper-to-implement &#039;shutdown and wipe the swap disk&#039; option. People would pick that slower shutdown mode if they think their laptops will be at risk.&lt;/p&gt;
&lt;p&gt;As to the CPU cost of encrypted swap, it sounds like a very rare use case where all CPUs are busy AND you&#039;re swapping and you could notice an additional slowdown. Surely in normal cases, the disk io totally dominates the runtime. Maybe e-swap uses a noticeable amount of additional battery life, though.&lt;/p&gt;
</description>
 <pubDate>Mon, 30 Nov 2009 00:59:00 -0800</pubDate>
 <dc:creator>drewp</dc:creator>
 <guid isPermaLink="false">comment 10969 at http://ideas.4brad.com</guid>
</item>
<item>
 <title>Swap should be encrypted by default</title>
 <link>http://ideas.4brad.com/swap-should-be-encrypted-default</link>
 <description>&lt;p&gt;There are a variety of tools that offer encrypted filesystems for the various OSs.   None of them are as easy to use as we would like, and none have reached the goal of &amp;#8220;Zero User Interface&amp;#8221; (ZUI) that is the only thing which causes successful deployment of encryption (i.e. Skype, SSH and SSL).&lt;/p&gt;

&lt;p&gt;Many of these tools have a risk of failure if you don&amp;#8217;t also encrypt your swap/paging space, because your swap file will contain fragments of memory, including encrypted files and even in some cases decryption keys.   There is a lot of other confidential data which can end up in swap &amp;#8212; web banking passwords and just about anything else.&lt;/p&gt;

&lt;p&gt;It&amp;#8217;s not too hard to encrypt your swap on Linux, and the ecryptfs tools package includes a tool to set up encrypted swap (the encryption itself is not done with ecryptfs but with dm-crypt, the block-device encryptor; the tool simply sets that up for you).&lt;/p&gt;

&lt;p&gt;However, I would propose that &lt;strong&gt;swap be encrypted by default, even if the user does nothing&lt;/strong&gt;.   When you boot, the system would generate a random key for that session, and use it to encrypt all writes and reads to the swap space.   That key of course would never be swapped out, and furthermore, the kernel could even try to move it around in memory to avoid the attacks the EFF recently demonstrated where the RAM of a computer that&amp;#8217;s been turned off for a short time is still frequently readable.  (In the future, computers will probably come with special small blocks of RAM in which to store keys which are guaranteed &amp;#8212; as much as that&amp;#8217;s possible &amp;#8212; to be wiped in a power failure, and also hard to access.)&lt;/p&gt;

&lt;p&gt;The automatic encryption of swap does bring up a couple of issues.   First of all, it&amp;#8217;s not secure with hibernation, where your computer is suspended to disk.  Indeed, to make hibernation work, you would have to save the key at the start of the hibernation file.  Hibernation would thus eliminate all security on the data &amp;#8212; but this is no worse than the situation today, where all swap is insecure.  And many people never hibernate.&lt;/p&gt;
</description>
 <comments>http://ideas.4brad.com/swap-should-be-encrypted-default#comments</comments>
 <category domain="http://ideas.4brad.com/archives/cat_privacy.html">Privacy</category>
 <pubDate>Sun, 29 Nov 2009 22:36:50 -0800</pubDate>
 <dc:creator>brad</dc:creator>
 <guid isPermaLink="false">985 at http://ideas.4brad.com</guid>
</item>
</channel>
</rss>