In environments such as government companies, users may want to secure their data which can include private customer details. To do so, Linux provides a good number of cryptographic techniques, which can be used to protect data on physical devices such as hard disks or a removable media. One such cryptographic technique uses the Linux Unified Key Setup-on-disk-format (LUKS). This technique allows for the encryption of Linux partitions.


LUKS has the following functionality:


  • An entire block device can be encrypted using LUKS. It’s well suited to protecting data on removable storage media or laptop disk drives.
  • Once encrypted, the contents of the encrypted block devices are random, thus making it useful for the encryption of swap devices.
  • LUKS uses an existing device mapper kernel subsystem.
  • It also provides a passphrase strengthener, which helps in protecting against dictionary attacks.


Configuring Encrypted Swap


1. Determine what device to use


You should not use the plain SCSI devices like /dev/sda, /dev/vdb to configure encrypted swap for the reasons mentioned later in the post. Lets take an example of multipath map (e.g., /dev/mapper/mpath1)


2. Choose a name for the dm-device


This name can be completely arbitrary; however, it will be used to form the full path to the swap device, i.e., /dev/mapper/encswap1.


3. Add a new entry to /etc/crypttab


Add a new entry to /etc/crypttab in the form “MAPPING DEV /dev/urandom swap”. For example, in our case the entry can be added as:

# vi /etc/crypttab
encswap1 /dev/mapper/volgroup-swaplv /dev/urandom swap


4. Update /etc/fstab


Add a new entry to /etc/fstab to activate the swap device /dev/mapper/encswap1. Again, using a UUID (as is normally common) will not work in this case due to the swap being recreated at each boot.

# vi /etc/fstab
/dev/mapper/encswap1    swap     swap    defaults    0 0


5. Reboot the server


If /etc/crypttab was edited properly, there should be no passphrase prompt during boot and the swap should be automatically activated. Use the following commands to investigate the activated swap:


a. Check if the new swap is activated:

# swapon -s


b. Visualize the relationship between devices:

# lsblk
# dmsetup ls --tree


c. See encryption details about the opened device:

# cryptsetup status encswap1


Do not use plain SCSI devices (/dev/sda, /dev/vdb) as encrypted swap

The most secure method for encrypting swap–recommended in this solution–involves automatically re-initializing swap on each boot (both the passphrase-less1 encryption provided by cryptsetup and the formatting provided by mkswap). For this reason, there is no crypt_LUKS UUID to be used in /etc/crypttab for opening the device. This could lead to a dangerous situation with plain SCSI devices like /dev/sda or /dev/vdb.2 Instead, make sure to use devices with deterministic names, e.g.: LVM logical volumes, /dev/mapper/… multipath storage, or GPT-formatted partitions referenced by PARTUUID3.


Was this answer helpful? 0 Users Found This Useful (1 Votes)