cryptoswap 0.0.3 review


The cryptoswap package supports building an encrypted swap partition when a system boots

License: GPL (GNU General Public License)
File size: 205K
Developer: Mike Petullo

The cryptoswap package supports building an encrypted swap partition when a system boots. This is necessary on systems that use encrypted filesystems, because plaintext secrets held in memory may otherwise be written to disk when memory is swapped out. should be installed in /etc/init.d. During system boot, should execute right before When shutting down, cryptoswap should execute after sysklogd.
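As an added illustration of what such a boot-time script has to do (this is not cryptoswap's own script, whose contents are not shown on this page), the following init.d-style script uses the cryptoloop losetup syntax (-e aes, -p0) that the page's later commands use. The device names /dev/hdaZ and /dev/loop1, the function names, the base64 key encoding and the DRY_RUN switch are assumptions of this example. Cryptoloop has since been superseded by dm-crypt (cryptsetup), but the shape of the procedure is the same either way: a fresh random key that exists only in kernel memory, and a swap signature recreated on every boot.

```shell
#!/bin/sh
# Added example, not the cryptoswap package's own init script: an init.d-style
# start/stop script for encrypted swap using the cryptoloop losetup syntax
# (-e aes, -p0) that the page's own commands use.
# Assumptions (placeholders): SWAPDEV=/dev/hdaZ is a dedicated swap partition,
# LOOPDEV=/dev/loop1 is unused, the kernel provides loop, cryptoloop and aes,
# and base64 (coreutils) is available. DRY_RUN=1 prints the commands instead
# of executing them.

SWAPDEV="${SWAPDEV:-/dev/hdaZ}"
LOOPDEV="${LOOPDEV:-/dev/loop1}"
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# 32 printable characters derived from 24 random bytes (192 bits). Printable
# output matters because losetup -p0 reads the key as a text line from fd 0.
make_swap_key() {
    head -c 24 /dev/urandom | base64 | tr -d '\n' | head -c 32
}

# Never reuse a device that is mounted or already swapping: mkswap would
# destroy whatever is on it.
swapdev_is_busy() {
    grep -qs "^$1 " /proc/mounts && return 0
    grep -qs "^$1 " /proc/swaps && return 0
    return 1
}

cryptoswap_start() {
    if swapdev_is_busy "$SWAPDEV"; then
        echo "cryptoswap: $SWAPDEV is mounted or active swap, refusing" >&2
        return 1
    fi
    # The key exists only in this pipe and in the kernel's loop state: it is
    # never written to disk, so after a reboot the old swap contents cannot
    # be decrypted by anyone, the system's owner included.
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ make_swap_key | losetup -p0 -e aes $LOOPDEV $SWAPDEV"
    else
        make_swap_key | losetup -p0 -e aes "$LOOPDEV" "$SWAPDEV" || return 1
    fi
    # Because the key is fresh on every boot, the swap signature has to be
    # recreated on every boot as well.
    run mkswap "$LOOPDEV" && run swapon "$LOOPDEV"
}

cryptoswap_stop() {
    # Order matters on shutdown: detach the loop device only after swap is off.
    run swapoff "$LOOPDEV" && run losetup -d "$LOOPDEV"
}

case "${1:-}" in
    start) cryptoswap_start ;;
    stop)  cryptoswap_stop ;;
esac
```

Installed as /etc/init.d/cryptoswap and invoked with start at boot and stop at shutdown, this matches the ordering the package description asks for: the swap must be active before anything that may page out secrets, and must be torn down after services that still write to it.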

This package also includes an initialization script for building loopback encrypted /tmp. This may be necessary if a system contains encrypted filesystems but / is not encrypted. A link from directories like /var/tmp to /tmp may be appropriate. There are a few other alternatives for systems such as these:

1. Tmpfs is a Linux kernel feature that allows /tmp to exist in memory. This is a good solution for systems with a lot of memory and/or (encrypted) swap.
2. If you have a system that uses encrypted home directories, per-user temporary directories inside $HOME could be used. This would ensure that a user's data is protected, but would require that all applications use $HOME/tmp instead of /tmp.

Finally, the project may be used to create an encrypted root filesystem. Doing so requires two special partitions. First, create a small partition to hold your kernel and initrd image, /dev/hdaX. Second, create a large partition to contain the root of your filesystem, /dev/hdaY.

Next configure and install an initrd-based boot system:

1. Ensure romfs is compiled into your kernel (not as a module).
2. Create a kernel-supported filesystem on /dev/hdaX and copy your kernel to /vmlinux.
3. Download busybox and extract it as initrd/busybox.
4. Update initrd/src/etc/modules.initrd to include any modules needed to boot.
5. Build cryptoswap's initrd image (cd initrd && make initrd) and copy it to the filesystem on /dev/hdaX at /initrd.img.gz.
6. Make sure your boot loader passes literal = "root=/dev/ram0 init=/linuxrc rw" or the LILO equivalent.

Finally, create a proper encrypted filesystem on /dev/hdaY:

1. Randomize the partition: dd if=/dev/urandom of=/dev/hdaY.
2. Set up a loopback device: openssl enc -d -aes-256-ecb -in initrd/src/etc/efsk | losetup -p0 -e aes /dev/loop0 /dev/hdaY.
3. Create the root filesystem: mkfs.ext2 /dev/loop0.
4. Mount your new root filesystem: mount /dev/loop0 .
5. Populate your new root filesystem.
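The five steps above as a script, added here as an example (it is not part of the cryptoswap package). Its value over typing the commands by hand is the check before the irreversible dd: the target must be a block device and must be neither mounted nor active swap, since getting /dev/hdaY wrong destroys the wrong partition. The device names /dev/hdaY and /dev/loop0 and the key file initrd/src/etc/efsk come from the page; /mnt/newroot, the function names and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the cryptoswap package: the page's five
# root-filesystem steps as a script that checks the target before the
# irreversible dd. Placeholders (assumed, as on the page): ROOTDEV=/dev/hdaY,
# LOOPDEV=/dev/loop0, KEYFILE=initrd/src/etc/efsk (the encrypted key file the
# page decrypts with openssl), MNT=/mnt/newroot. DRY_RUN=1 prints the
# commands instead of executing them.

ROOTDEV="${ROOTDEV:-/dev/hdaY}"
LOOPDEV="${LOOPDEV:-/dev/loop0}"
KEYFILE="${KEYFILE:-initrd/src/etc/efsk}"
MNT="${MNT:-/mnt/newroot}"
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# Everything below overwrites ROOTDEV, so refuse anything that is not a
# block device, is mounted, or is active swap.
check_target_device() {
    dev="$1"
    if [ ! -b "$dev" ]; then
        echo "$dev is not a block device" >&2; return 1
    fi
    if grep -qs "^$dev " /proc/mounts; then
        echo "$dev is mounted, refusing to overwrite it" >&2; return 1
    fi
    if grep -qs "^$dev " /proc/swaps; then
        echo "$dev is active swap, refusing to overwrite it" >&2; return 1
    fi
    return 0
}

# Step 1: fill the partition with random data so that unused blocks are
# indistinguishable from ciphertext. dd stops with a non-zero status when it
# reaches the end of the device; that is the expected end of this step.
randomize_partition() {
    run dd if=/dev/urandom of="$1" bs=1M || true
}

# Step 2: openssl prompts for the passphrase, decrypts the stored key and
# hands it to losetup on fd 0 (-p0), exactly as the page's command does.
attach_encrypted_loop() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ openssl enc -d -aes-256-ecb -in $KEYFILE | losetup -p0 -e aes $LOOPDEV $ROOTDEV"
    else
        openssl enc -d -aes-256-ecb -in "$KEYFILE" | losetup -p0 -e aes "$LOOPDEV" "$ROOTDEV"
    fi
}

# Steps 3 and 4: the filesystem is created on the loop device, never on
# ROOTDEV directly, otherwise the data would land on disk in plaintext.
make_and_mount_rootfs() {
    run mkfs.ext2 "$LOOPDEV" && run mkdir -p "$MNT" && run mount "$LOOPDEV" "$MNT"
}

create_encrypted_root() {
    [ "$DRY_RUN" = "1" ] || check_target_device "$ROOTDEV" || return 1
    randomize_partition "$ROOTDEV" &&
    attach_encrypted_loop &&
    make_and_mount_rootfs &&
    echo "step 5: populate $MNT, then umount it and run losetup -d $LOOPDEV"
}

case "${1:-}" in
    create) create_encrypted_root ;;
esac
```

Run it once with DRY_RUN=1 create to see the exact command sequence for your device names before running it for real. Note that the key file efsk lives in the initrd on the unencrypted /dev/hdaX partition, so the passphrase openssl asks for is what actually protects the root filesystem key at rest.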

What's New in This Release:
Added initrd build environment.
Documentation update.
