[opensuse-security] LUKS encrypted swap
Hello, I wonder how I should implement LUKS encrypted swap with random encryption at every boot. (Yes, I know that I shouldn't use suspend on such a system ;-) I tried the example from man crypttab: cr_md0 /dev/md0 /dev/random swap Result: Swap not active - probably because /dev/random can only provide some bytes at boot time. Testing with "boot.crypto start /dev/md0", it was hanging (probably again waiting for more random data) until I Ctrl-C'd it. I then tested with cr_md0 /dev/md0 /dev/urandom swap This seems to work (tested with "boot.crypto start /dev/md0"), but the manpage contradicts itsself: · The third column key file specifies the file to use for decrypting the encrypted data of the source device. It can also be a device name (e.g. /dev/urandom, which is useful for encrypted swap devices). Warning: luks does not support infinite streams (like /dev/urandom), it requires a fixed size key. So the first paragraph says "you can use /dev/urandom", and the second says "do NOT use /dev/urandom". Which part is correct? ;-) (and: please fix the manpage or ask for a bugreport) Regards, Christian Boltz -- Zeitreisen vermeide ich immer, sollen irgendwie ungesund sein. [Helga Fischer in suse-linux] --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
Christian Boltz wrote:
I wonder how I should implement LUKS encrypted swap with random encryption at every boot.
You can't.
I tried the example from man crypttab: cr_md0 /dev/md0 /dev/random swap
Result: Swap not active - probably because /dev/random can only provide some bytes at boot time.
Use /dev/urandom
I then tested with cr_md0 /dev/md0 /dev/urandom swap
This seems to work (tested with "boot.crypto start /dev/md0"), but the manpage contradicts itsself:
· The third column key file specifies the file to use for decrypting the encrypted data of the source device. It can also be a device name (e.g. /dev/urandom, which is useful for encrypted swap devices). Warning: luks does not support infinite streams (like /dev/urandom), it requires a fixed size key.
So the first paragraph says "you can use /dev/urandom", and the second says "do NOT use /dev/urandom".
Which part is correct? ;-)
Both are correct. You can't use /dev/urandom for luks volumes (you always need a passphrase for those) but you can use it for volumes without the luks metadata. Even without luks metadata you can still use the algorithm used by luks ie aes-cbc-essiv:sha256. cu Ludwig -- (o_ Ludwig Nussel //\ SUSE LINUX Products GmbH, Development V_/_ http://www.suse.de/ --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
participants (2)
-
Christian Boltz -
Ludwig Nussel