Encrypted /tmp & swap at boot not using luks

tsol
Posts: 9
Joined: 2017/04/19 20:33:01

Encrypted /tmp & swap at boot not using luks

Postby tsol » 2017/07/22 02:27:27

I'm running into some issues trying to set up encrypted /tmp and swap partitions without using luks. Since these servers need to be reachable remotely we can't have an on-boot password, so I was using /dev/urandom to set the key each time it's rebooted. In addition, I would also like to use tmpfs for one of the partitions depending on the situation. Here are my scenarios and what I think is the answer based on what I could find. I haven't been able to find any information on what the available ciphers and hashes are, since cryptsetup benchmark isn't supported in version 1.2.

#1 /tmp is a physical partition & encrypted, while swap is unencrypted in memory if needed
/dev/mapper/OS-temp is a 10G LVM partition that was created at install


#/etc/crypttab
#Encrypted /tmp
enc_temp        /dev/mapper/OS-temp     /dev/urandom    cipher=aes-xts-plain64,size=512,hash=sha512,tmp

#/etc/fstab
/dev/mapper/enc_temp    /tmp                    none     nosuid,noexec,nodev,rw        0 0
tmpfs                   none                    swap     defaults,size=4g              0 0


#2 swap and /tmp are in memory and both are encrypted


# /etc/crypttab
enc_temp      tmpfs   /dev/urandom   tmp,cipher=aes-xts-plain64,size=512,hash=sha512
enc_swap      tmpfs   /dev/urandom   swap,cipher=aes-xts-plain64,size=512,hash=sha512

#/etc/fstab
/dev/mapper/enc_temp   /tmp      none      defaults,nosuid,noexec,nodev,rw,size=6g   0 0
/dev/mapper/enc_swap   none      swap      defaults,size=4g                          0 0


#3 /tmp and swap are both physical partitions that are encrypted, with swap being mounted from the /temp partition if needed
/dev/mapper/OS-encrypted is a shared encrypted LVM


# /etc/crypttab
enc_stuff   /dev/mapper/encrypted/stuff      /dev/urandom   cipher=aes-xts-plain64,size=512,hash=sha512
enc_ts   /dev/mapper/encrypted/tmp_swap   /dev/urandom   tmp,cipher=aes-xts-plain64,size=512,hash=sha512


# /etc/fstab
# fields are device, mount point, type, options, dump, pass
/dev/mapper/enc_stuff   /stuff    xfs          defaults   1 2
/dev/mapper/enc_ts      /tmp      none         defaults,nosuid,noexec,nodev,rw   0 0
/dev/mapper/enc_ts      none      swap         defaults,size=4g   0 0


Is that all I need to do? I'm guessing the ciphers, size, and hash are ok, as I was able to use them when I tried manually from the command line.

TrevorH
Forum Moderator
Posts: 20282
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Encrypted /tmp & swap at boot not using luks

Postby TrevorH » 2017/07/22 10:09:14

You know it's a complete waste of time having swap in RAM? You're better off leaving the RAM for normal use and doing without swap altogether.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

tsol
Posts: 9
Joined: 2017/04/19 20:33:01

Re: Encrypted /tmp & swap at boot not using luks

Postby tsol » 2017/07/24 21:46:07

I have swappiness turned down to 1 so it shouldn't activate, but I like to prepare for a just-in-case scenario. The swap settings are just for if it's needed; I'm mainly just trying to get /tmp encrypted both when it's in RAM and when it's on the disk.

Whoever
Posts: 932
Joined: 2013/09/06 03:12:10

Re: Encrypted /tmp & swap at boot not using luks

Postby Whoever » 2017/07/25 05:00:35

tsol wrote: I have swappiness turned down to 1 so it shouldn't activate, but I like to prepare for a just-in-case scenario. The swap settings are just for if it's needed; I'm mainly just trying to get /tmp encrypted both when it's in RAM and when it's on the disk.


Go back and read what Trevor wrote. The value of swappiness doesn't change how informative his comment is.

tsol
Posts: 9
Joined: 2017/04/19 20:33:01

Re: Encrypted /tmp & swap at boot not using luks

Postby tsol » 2017/07/25 18:32:07

Turning swappiness down to 1 seems to have disabled swap for all purposes, as far as I can see when I do df -h. Like IPv6, what I've seen says disabling swap completely can cause issues, and the recommended practice is to set the swappiness to one. What is the benefit of completely disabling swap in the system over enabling it at 1%? The way I see it is that if swap gets enabled something is wrong and you can look into it without crashing your system.

The only issues I saw were tmpfs partitions, which I dropped down to 4 GB since I have 32 GB and 64 GB servers. On the 32 GB servers /tmp can reside in memory and be encrypted, whereas the 64 GB servers need all the RAM, so /tmp needs to be on disk and encrypted.

Based off of what I've found searching, this should work in theory, but it doesn't seem to be working:
#/etc/crypttab
# Encrypted and local /tmp
enc_temp /dev/mapper/OS-temp /dev/urandom cipher=aes-xts-plain64,size=512,hash=sha512,tmp

# Encrypted and tmpfs /tmp
enc_temp /dev/urandom tmp,cipher=aes-xts-plain64,size=512,hash=sha512

# Encrypted partition with /tmp mounted from it
enc_stuff /dev/mapper/encrypted /dev/urandom cipher=aes-xts-plain64,size=512,hash=sha512
#enc_ts /dev/mapper/encrypted/tmp /dev/urandom tmp,cipher=aes-xts-plain64,size=512,hash=sha512


#/etc/fstab
/dev/mapper/enc_temp /tmp none nosuid,noexec,nodev,rw 0 0

# Encrypted and tmpfs /tmp
/dev/mapper/enc_temp /tmp tmpfs defaults,nosuid,noexec,nodev,rw,size=4g 0 0

# Encrypted partition with /tmp mounted from it
/dev/mapper/enc_stuff /stuff xfs defaults 1 2
/dev/mapper/enc_stuff/end_ts /tmp none defaults,nosuid,noexec,nodev,rw 0 0


What am I doing wrong?

TrevorH
Forum Moderator
Posts: 20282
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Encrypted /tmp & swap at boot not using luks

Postby TrevorH » 2017/07/25 19:16:23

The point about swap is that you say you want to put it in RAM. RAM is better used as RAM than reserving a chunk of it for swap. The swap will only be used when it's run out of RAM, and the best way to not use swap is to add more RAM. So you're taking RAM away from the system so you can use it as swap, but then what it really wants is more RAM so it won't swap... pointless. Then the next thing is that tmpfs is RAM backed but also swap backed, so you're now putting swap into RAM that's swap backed... I can just see Ouroboros disappearing up its own behind.

vm.swappiness=1 is a special case BTW : "Kernel version 3.5 and over, as well as Red Hat kernel version 2.6.32-303 and over: Minimum amount of swapping without disabling it entirely."

tsol
Posts: 9
Joined: 2017/04/19 20:33:01

Re: Encrypted /tmp & swap at boot not using luks

Postby tsol » 2017/07/25 20:28:42

So is it better not to put /tmp in tmpfs and just put it on the hard drive? In that case, is it better for /tmp to be in its own encrypted partition, or in an already encrypted partition with /tmp mounted from it?

tsol
Posts: 9
Joined: 2017/04/19 20:33:01

Re: Encrypted /tmp & swap at boot not using luks

Postby tsol » 2017/07/26 02:02:54

I still don't seem to have found a working encrypted /tmp solution, as right now it just sits on the CentOS 6.9 screen with the full white bar.

Whoever
Posts: 932
Joined: 2013/09/06 03:12:10

Re: Encrypted /tmp & swap at boot not using luks

Postby Whoever » 2017/07/26 06:16:55

Why do you want to encrypt /tmp? If it is held in RAM, it won't survive a power-down.

tsol
Posts: 9
Joined: 2017/04/19 20:33:01

Re: Encrypted /tmp & swap at boot not using luks

Postby tsol » 2017/08/02 21:40:56

I have 2 situations that I'm testing out:

1) Encrypted /tmp that's in memory

2) Encrypted /tmp that's on the hard disk

Encrypting /tmp in memory was something I saw when reading about best practices for servers that have a long uptime (don't get rebooted often). I am currently testing out encrypting /tmp on the disk, and it's not booting, just hanging on a completed boot bar.


#/etc/crypttab
enc_temp        /dev/mapper/OS-temp     /dev/urandom    cipher=aes-xts-plain64,size=512,hash=sha512,tmp

#/etc/fstab
/dev/mapper/enc_temp    /tmp                    ext4     defaults,nosuid,noexec,nodev,rw        0 0


Originally it was failing, stating that none was an unknown filetype, and so I changed it to ext4.
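As an added check (not from the thread or from CentOS), a small Python lint that reads a crypttab and fstab pair and flags the mistakes visible in the configurations posted above: tmpfs used as a crypttab device, a mapper name in fstab that matches nothing in crypttab (end_ts vs enc_ts, or a nested /dev/mapper/x/y path), a tmp mapping mounted with type none, and a random-key mapping with no tmp or swap option, so nothing is ever formatted on it. The sample files are constructed; that the tmp and swap options run mkfs/mkswap on the mapping at boot is assumed from cryptsetup's boot handling.

```python
# Added example, not the poster's files or CentOS code: lint a crypttab/fstab pair
# for a random-key (non-LUKS) /tmp or swap mapping. Sample text is constructed.

CRYPTTAB = """\
enc_temp   /dev/mapper/OS-temp       /dev/urandom  cipher=aes-xts-plain64,size=512,hash=sha512,tmp
enc_temp   tmpfs                     /dev/urandom  tmp,cipher=aes-xts-plain64,size=512,hash=sha512
enc_stuff  /dev/mapper/OS-encrypted  /dev/urandom  cipher=aes-xts-plain64,size=512,hash=sha512
"""
FSTAB = """\
/dev/mapper/enc_temp   /tmp    none  nosuid,noexec,nodev,rw  0 0
/dev/mapper/end_ts     none    swap  defaults,size=4g        0 0
/dev/mapper/enc_stuff  /stuff  xfs   defaults                1 2
"""

def _rows(text):
    # Whitespace-split fields of every non-blank, non-comment line.
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def lint(crypttab, fstab):
    problems, mappings = [], {}  # mappings: mapper name -> set of crypttab options
    for f in _rows(crypttab):
        if len(f) < 3:
            continue
        name, device, key = f[:3]
        opts = set(f[3].split(",")) if len(f) > 3 else set()
        if name in mappings:
            problems.append("crypttab: mapping '%s' defined twice" % name)
        mappings[name] = opts
        if not device.startswith(("/dev/", "UUID=")):  # dm-crypt needs a block device
            problems.append("crypttab: '%s' needs a block device, got '%s'" % (name, device))
        # Fresh /dev/urandom key each boot: nothing persists, and without tmp/swap nothing is created.
        if key == "/dev/urandom" and not opts & {"tmp", "swap"}:
            problems.append("crypttab: '%s' has a random key but no tmp/swap option" % name)
    for f in _rows(fstab):
        if len(f) < 3 or not f[0].startswith("/dev/mapper/"):
            continue
        dev, fstype = f[0], f[2]
        opts = mappings.get(dev[len("/dev/mapper/"):])
        if opts is None:  # catches end_ts vs enc_ts and nested /dev/mapper/x/y paths
            problems.append("fstab: %s matches no crypttab mapping" % dev)
        elif "tmp" in opts and fstype in ("none", "tmpfs"):
            problems.append("fstab: %s needs the filesystem type mkfs put on it, not '%s'" % (dev, fstype))
    return problems

if __name__ == "__main__":
    print("\n".join(lint(CRYPTTAB, FSTAB)))
```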

