Yes, we have no hibernate today

Von Fugal von at fugal.net
Mon Jun 28 09:05:51 MDT 2010


<quote name="Charles Curley" date="Thu, 24 Jun 2010 at 12:48 -0600">
> On Thu, 24 Jun 2010 11:26:57 -0600
> Shane Hathaway <shane at hathawaymix.org> wrote:
> > It sounds like you're using hibernation with an encrypted swap
> > device. Is that even possible? ;-)  Has it worked before?
> 
> I have no idea. Considering the security implications of running
> without an encrypted swap partition, I hope so.

Indeed.

> But for serious security concerns (while going through the Terminally
> Stupid Agency's line to get fondled, riding in NYC taxis, e.g.), shut
> the thing down completely. If you have an encrypted swap area or
> encrypted file system(s), remember that those are mounted during the
> suspension or hibernation, so if bad guys can get the machine up from
> suspension or hibernation, they have bypassed your encryption.

Precisely, as HHH has addressed.

> With that in mind, maybe I should get rid of the encryption in the
> swap partition?

Whatever for? This makes it more secure how?

Here's what I would do if I were really worried about my memory and my
data while travelling and also worried about using hibernate.

Use cryptswap! Swap may not always have useful stuff in it, and it
probably doesn't get keystrokes to your pgp keys, but it has other
things like keys for filesystem encryption, ESPECIALLY if you hibernate.
Hibernation pushes ALL memory to the disk. So ANYTHING related to
actively decrypting any mounted filesystem or a currently unlocked pgp
key (it has to have a copy of the unlocked version in memory to USE the
key) WILL get pushed to disk, so yes, you better have it on an encrypted
swap.

Then, I would get one of those teeny tiny USB flash drives, put the key
for the cryptswap on it. I am sure there HAS to be a way to configure
initrd to read the cryptswap key off of the USB drive, though I've never
done it. Then, when you hibernate, simply pull out the USB drive and put
it somewhere separate from your laptop, like, in a filling. ;) Or maybe
just a pocket. Then you could not resume from hibernate without the
drive, with the encryption key, in the laptop.

As far as not using hibernate when you travel, we as humans are
fallible. If you use hibernate at all, and you're worried about this
stuff, then that is not a good approach. You could have used your laptop
Tuesday, hibernated it that night. Not used it at all on Wednesday, then
pack it up for the airport on Thursday. You also were lucky enough to
remember that it was hibernated, but you're running late, and don't have
time to resume and shut down again... you get the idea. You can pull out
a USB drive when you're running late.

> However, hibernation
> writes a memory image to a swap partition, where bad guys can recover
> it.

Not if it's encrypted, and you've secured the key as I described or
password-protect the cryptswap resume (this is possible, right?)

> Suspension does not, so it leaves one less thing around for the bad
> guys to recover.
> http://www.charlescurley.com/blog/archives/2009/12/05/how_to_secure_your_laptop_before_crossing_the_border/index.html

Someone else mentioned this is not true. It is, however, much more
involved to get stuff off of volatile memory than to read a stable swap.
But also it is entirely possible that there is sensitive stuff in swap
anyway...

Just use cryptswap, and employ a method of making the cryptswap
unavailable without a password or a detachable device.

I also sure hope that when you boot on a configured cryptswap, that the
OS doesn't 'know' some static key to the encryption and enable the swap
the same way each time... obviously it would have to for hibernate,
which is why I would have it 'know' that key on a separate device, or
have it be password protected. But for a cold boot, say someone presses
the power, waits until initrd is done setting up the cryptswap, then
interrupts and freezes the ram and recovers the key to cryptswap, and
then recovers the swap from last time you shut down... no, it won't be
clean!! I really don't know how it works though, so I'd be interested if
someone can shed some light on it. New random encryption key on
cryptswap for each boot would be the way it should be.

Von Fugal
-- 
Don't believe everything you think.
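The two cryptswap setups discussed in the message above (a throw-away random key on every boot, and a key file kept on a removable USB stick so the machine cannot resume from hibernate without it), as an added example that is not part of the original post. It is written against the /etc/crypttab format documented in systemd's crypttab(5); the device /dev/sda3, the USB volume label KEYUSB, the mount point /media/keyusb and the key path /cryptswap.key are placeholders, not anything the post specifies.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes a Linux laptop that
# unlocks swap from /etc/crypttab as read by systemd-cryptsetup; the device
# /dev/sda3, the USB label KEYUSB and the key file path are placeholders.
set -eu

# Write a fresh 512-bit random key to the removable device (root read-only)
# and report its size in bytes. Run this once, with the USB stick mounted, e.g.
#   make_cryptswap_key /media/keyusb/cryptswap.key
make_cryptswap_key() {
    keyfile=$1
    umask 077
    head -c 64 /dev/urandom > "$keyfile"
    chmod 0400 "$keyfile"
    wc -c < "$keyfile" | tr -d ' '
}

# crypttab line for the "no hibernate" case. The key is read from /dev/urandom
# at every boot, so there is no static key anywhere for an attacker to recover
# and whatever was in swap last time is unreadable after a reboot. The "swap"
# option implies plain dm-crypt and runs mkswap on the mapping each boot, which
# is exactly why this variant cannot be used for resume-from-hibernate.
crypttab_random_swap() {
    device=$1
    printf 'cryptswap %s /dev/urandom swap,cipher=aes-xts-plain64,size=256\n' "$device"
}

# crypttab line for the hibernate case: a LUKS volume whose key file lives on
# the USB stick. The key field uses systemd's "path:device" form, so the stick
# is located by label and /cryptswap.key is read relative to its root. Prepare
# the volume once (as root, with the key file already written):
#   cryptsetup luksFormat /dev/sda3 /media/keyusb/cryptswap.key
#   cryptsetup open --key-file /media/keyusb/cryptswap.key /dev/sda3 cryptswap
#   mkswap /dev/mapper/cryptswap
# Without the stick present the mapping cannot be set up, so the hibernation
# image in swap stays encrypted and the boot falls through to a cold start.
crypttab_usb_key_swap() {
    device=$1
    label=$2
    printf 'cryptswap %s /cryptswap.key:LABEL=%s luks\n' "$device" "$label"
}

# Assemble a complete crypttab for one mode ("random" or "usb").
write_crypttab() {
    mode=$1
    device=$2
    label=${3:-KEYUSB}
    printf '# <name> <device> <key> <options>\n'
    case $mode in
        random) crypttab_random_swap "$device" ;;
        usb)    crypttab_usb_key_swap "$device" "$label" ;;
        *)      echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}
```

For the USB variant the kernel also needs resume=/dev/mapper/cryptswap on its command line, and the initramfs must carry the crypttab entry so the mapping exists before the resume code looks at the device; how that entry gets into the initramfs is distribution-specific (Debian's cryptsetup scripts, for instance, use their own keyscript syntax rather than the path:device form shown here). To get the password-protected resume the message asks about instead of a removable key, put none in the key field of the LUKS line and systemd will prompt for the passphrase at boot.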