Encrypted /tmp & swap at boot not using LUKS

Support for security such as Firewalls and securing linux
tsol
Posts: 9
Joined: 2017/04/19 20:33:01

Encrypted /tmp & swap at boot not using LUKS

Post by tsol » 2017/07/22 02:27:27

I'm running into some issues trying to set up encrypted /tmp and swap partitions without using LUKS. Since these servers need to be reachable remotely we can't have an on-boot password, so I was using /dev/urandom to set the key each time it's rebooted. In addition, I would also like to use tmpfs for one of the partitions depending on the situation. Here are my scenarios and what I think is the answer based on what I could find. I haven't been able to find any information on what the available ciphers and hashes are since cryptsetup benchmark isn't supported in version 1.2.

#1 /tmp is a physical partition & encrypted while swap is unencrypted in memory if needed
/dev/mapper/OS-temp is a 10G LVM partition that was created at install

Code:

#/etc/crypttab
#Encrypted /tmp
enc_temp        /dev/mapper/OS-temp     /dev/urandom    cipher=aes-xts-plain64,size=512,hash=sha512,tmp

#/etc/fstab
/dev/mapper/enc_temp    /tmp                    none     nosuid,noexec,nodev,rw        0 0
tmpfs                   none                    swap     defaults,size=4g              0 0

#2 swap and /tmp are in memory and both are encrypted

Code:

# /etc/crypttab
enc_temp        tmpfs   /dev/urandom    tmp,cipher=aes-xts-plain64,size=512,hash=sha512
enc_swap        tmpfs   /dev/urandom    swap,cipher=aes-xts-plain64,size=512,hash=sha512

#/etc/fstab
/dev/mapper/enc_temp    /tmp            none            defaults,nosuid,noexec,nodev,rw,size=6g 0 0
/dev/mapper/enc_swap    none            swap            defaults,size=4g                        0 0

#3 /tmp and swap are both physical partitions that are encrypted, with swap being mounted from the /temp partition if needed
/dev/mapper/OS-encrypted is a shared encrypted LVM

Code:

# /etc/crypttab
enc_stuff       /dev/mapper/encrypted/stuff     /dev/urandom    cipher=aes-xts-plain64,size=512,hash=sha512
enc_ts          /dev/mapper/encrypted/tmp_swap  /dev/urandom    tmp,cipher=aes-xts-plain64,size=512,hash=sha512

# /etc/fstab
/dev/mapper/enc_stuff   xfs             /stuff          defaults        1 2
/dev/mapper/end_ts      /tmp            none            defaults,nosuid,noexec,nodev,rw 0 0
/dev/mapper/end_ts      none            swap            defaults,size=4g        0 0

Is that all I need to do? I'm guessing the ciphers, size, and hash are OK as I was able to use them when I tried manually from the command line.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Encrypted /tmp & swap at boot not using LUKS

Post by TrevorH » 2017/07/22 10:09:14

You know it's a complete waste of time having swap in RAM? You're better off leaving the RAM for normal use and doing without swap altogether.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

tsol
Posts: 9
Joined: 2017/04/19 20:33:01

Re: Encrypted /tmp & swap at boot not using LUKS

Post by tsol » 2017/07/24 21:46:07

I have swappiness turned down to 1 so it shouldn't activate, but I like to prepare for a just-in-case scenario. The swap settings are just for if it's needed; mainly I'm just trying to get /tmp encrypted both when it's in RAM and when it's on the disk.

Whoever
Posts: 1357
Joined: 2013/09/06 03:12:10

Re: Encrypted /tmp & swap at boot not using LUKS

Post by Whoever » 2017/07/25 05:00:35

tsol wrote: I have swappiness turned down to 1 so it shouldn't activate, but I like to prepare for a just-in-case scenario. The swap settings are just for if it's needed; mainly I'm just trying to get /tmp encrypted both when it's in RAM and when it's on the disk.
Go back and read what Trevor wrote. The value of swappiness doesn't change how informative his comment is.

tsol
Posts: 9
Joined: 2017/04/19 20:33:01

Re: Encrypted /tmp & swap at boot not using LUKS

Post by tsol » 2017/07/25 18:32:07

Turning swappiness down to 1 seems to have disabled swap for all purposes as far as I can see when I do df -h. Like with IPv6, what I've seen says that disabling swap completely can cause issues and the recommended practice is to set the swappiness to one. What is the benefit of completely disabling swap in the system over enabling it at 1%? The way I see it, if swap gets enabled something is wrong and you can look into it without crashing your system.

The only issues I saw were tmpfs partitions which I dropped down to 4 GB since I have 32 GB and 64 GB servers. On the 32 GB servers /tmp can reside in memory and be encrypted when the 64 GB servers need all the ram so /tmp needs to be on disk and encrypted.

Based on what I've found searching, this should work in theory but it doesn't seem to be working:

#/etc/crypttab
# Encrypted and local /tmp
enc_temp /dev/mapper/OS-temp /dev/urandom cipher=aes-xts-plain64,size=512,hash=sha512,tmp

# Encrypted and tmpfs /tmp
enc_temp /dev/urandom tmp,cipher=aes-xts-plain64,size=512,hash=sha512

# Encrypted partition with /tmp mounted from it
enc_stuff /dev/mapper/encrypted /dev/urandom cipher=aes-xts-plain64,size=512,hash=sha512
#enc_ts /dev/mapper/encrypted/tmp /dev/urandom tmp,cipher=aes-xts-plain64,size=512,hash=sha512

#/etc/fstab
/dev/mapper/enc_temp /tmp none nosuid,noexec,nodev,rw 0 0

# Encrypted and tmpfs /tmp
/dev/mapper/enc_temp /tmp tmpfs defaults,nosuid,noexec,nodev,rw,size=4g 0 0

# Encrypted partition with /tmp mounted from it
/dev/mapper/enc_stuff /stuff xfs defaults 1 2
/dev/mapper/enc_stuff/end_ts /tmp none defaults,nosuid,noexec,nodev,rw 0 0

What am I doing wrong?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Encrypted /tmp & swap at boot not using LUKS

Post by TrevorH » 2017/07/25 19:16:23

The point about swap is that you say you want to put it in RAM. RAM is better used as RAM than reserving a chunk of it for swap. The swap will only be used when it's run out of RAM, and the best way to not use swap is to add more RAM. So you're taking RAM away from the system so you can use it as swap, but then what it really wants is more RAM so it won't swap... pointless. Then the next thing is that tmpfs is RAM backed but also swap backed, so you're now putting swap into RAM that's swap backed... I can just see Ouroboros disappearing up its own behind.

vm.swappiness=1 is a special case BTW : "Kernel version 3.5 and over, as well as Red Hat kernel version 2.6.32-303 and over: Minimum amount of swapping without disabling it entirely."

tsol
Posts: 9
Joined: 2017/04/19 20:33:01

Re: Encrypted /tmp & swap at boot not using LUKS

Post by tsol » 2017/07/25 20:28:42

So is it better not to put /tmp in tmpfs and just put it on the hard drive? In that case, is it better for /tmp to be in its own encrypted partition or in an already encrypted partition with /tmp mounted from it?

tsol
Posts: 9
Joined: 2017/04/19 20:33:01

Re: Encrypted /tmp & swap at boot not using LUKS

Post by tsol » 2017/07/26 02:02:54

I still don't seem to have found a working encrypted /tmp solution, as right now it just sits on the CentOS 6.9 screen with the full white bar.

Whoever
Posts: 1357
Joined: 2013/09/06 03:12:10

Re: Encrypted /tmp & swap at boot not using LUKS

Post by Whoever » 2017/07/26 06:16:55

Why do you want to encrypt /tmp? If it is held in RAM, it won't survive a power-down.

tsol
Posts: 9
Joined: 2017/04/19 20:33:01

Re: Encrypted /tmp & swap at boot not using LUKS

Post by tsol » 2017/08/02 21:40:56

I have 2 situations that I'm testing out

1) Encrypted /tmp that's in memory

2) Encrypted /tmp that's on the hard disk

Encrypting /tmp in memory was something I saw when reading about best practices for servers that have a long uptime (don't get rebooted often). I am currently testing out encrypting /tmp on the disk and it's not booting, just hanging on a completed boot bar.

Code:

#/etc/crypttab
enc_temp        /dev/mapper/OS-temp     /dev/urandom    cipher=aes-xts-plain64,size=512,hash=sha512,tmp

#/etc/fstab
/dev/mapper/enc_temp    /tmp                    ext4     defaults,nosuid,noexec,nodev,rw        0 0

Originally it was failing, stating that none was an unknown filetype, so I changed it to ext4.
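An added consistency check for the crypttab/fstab pairs tried in this thread; it is not any poster's code, and the sample entries are constructed. It flags the mistakes the configs above run into: a crypttab source that is not a block device, a random key without the tmp or swap option (nothing then creates a filesystem or swap area on the mapped device at boot), an fstab mapper name with no crypttab entry (the enc_ts/end_ts mismatch), a tmp device mounted with type "none", and a swap entry whose fstab type is not swap. The ext2 hint assumes, as on CentOS 6, that the boot scripts run mke2fs on a tmp device; check your rc.sysinit.

```shell
#!/bin/sh
# Constructed sample entries (not the poster's exact files), covering a source
# that is not a block device, a random key without tmp/swap, and fstab lines
# whose mapper name or type does not match crypttab.
CRYPTTAB='# /etc/crypttab
enc_temp  /dev/mapper/OS-temp  /dev/urandom  cipher=aes-xts-plain64,size=512,hash=sha512,tmp
enc_swap  /dev/mapper/OS-swap  /dev/urandom  swap,cipher=aes-xts-plain64,size=512,hash=sha512
enc_mem   tmpfs                /dev/urandom  tmp,cipher=aes-xts-plain64,size=512,hash=sha512
enc_data  /dev/mapper/OS-data  /dev/urandom  cipher=aes-xts-plain64,size=512,hash=sha512'

FSTAB='# /etc/fstab
/dev/mapper/enc_temp  /tmp   none  nosuid,noexec,nodev,rw  0 0
/dev/mapper/enc_swap  none   swap  defaults                0 0
/dev/mapper/end_ts    /tmp2  ext4  defaults                0 0
/dev/mapper/enc_data  /data  xfs   defaults                1 2'

# check_crypttab TEXT: one finding per line on stdout, exit status = number of findings
check_crypttab() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|$)/ { next }
        NF < 3 { print $1 ": needs name, source device and key"; bad++; next }
        $2 !~ /^\// { print $1 ": source \"" $2 "\" is not a block device path"; bad++ }
        $3 == "/dev/urandom" && $4 !~ /(^|,)(tmp|swap)(,|$)/ {
            print $1 ": random key needs tmp or swap, nothing else creates a fs on it at boot"; bad++ }
        END { exit bad + 0 }'
}

# check_fstab CRYPTTAB FSTAB: every /dev/mapper/NAME mount must match a crypttab
# entry; a tmp device is formatted at boot (ext2 assumed, CentOS 6 rc.sysinit runs
# mke2fs) so its type cannot be "none"; a swap device must have fstab type swap.
check_fstab() {
    {   printf '%s\n' "$1" | sed 's/^/C /'
        printf '%s\n' "$2" | sed 's/^/F /'
    } | awk '
        $1 == "C" && NF >= 4 && $2 !~ /^#/ { opts[$2] = $5; next }
        $1 == "F" && $2 ~ /^\/dev\/mapper\// {
            n = $2; sub(/^\/dev\/mapper\//, "", n)
            if (!(n in opts)) { print n ": no crypttab entry creates this mapper name"; bad++; next }
            if (opts[n] ~ /(^|,)tmp(,|$)/ && $4 == "none") {
                print n ": tmp device is formatted at boot, fstab type should be ext2, not none"; bad++ }
            if (opts[n] ~ /(^|,)swap(,|$)/ && $4 != "swap") {
                print n ": crypttab says swap but fstab type is " $4; bad++ }
        }
        END { exit bad + 0 }'
}

# Run both checks on the samples; a non-zero exit status means findings were printed
check_crypttab "$CRYPTTAB" || true
check_fstab "$CRYPTTAB" "$FSTAB" || true
```

To use it on a real box, replace the two constructed strings with `$(cat /etc/crypttab)` and `$(cat /etc/fstab)`.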
