Fedora Security :: Encrypting The Swap Partition While /dev/path Constantly Changes?
Aug 10, 2011
I would like to encrypt my swap partition ... During installation, I tried to select the "encrypt partition" choice, but it needed a passphrase. After installation, I tried to encrypt my partition ... I followed this article: The problem is that my swap partition always changes its path ... When I first booted the system, it was /dev/sda10, next it became /dev/sdc10, now it is /dev/sdb10. This is probably the reason why in fstab all entries are according to UUID. However, the swap partition is not fond of UUIDs! I tried to mkswap /dev/<current swap partition> -L Swap, I received a UUID, put it in /etc/crypttab ... it worked for the first time ... but the second time... did not.
As part of making an encrypted private folder I told encfs to encrypt swap space on my PC, knowing that this would probably break sleep and hibernation. That said, I just turned on Ubuntu for 5 mins, had to go away for a bit, and when I came back to unlock the screen my password was not being accepted, and another 5 mins later the screen said that my session had timed out. I had to do a cold reboot. Does this mean I can't lock the screen anymore?
I have Kubuntu 11.04 64-bit installed (software upgrade from 10.10) and I have a separate /home partition. I want to encrypt my /home partition (and perhaps the swap partition as well) but I don't want to have to reinstall Kubuntu. (Mostly because it was a software upgrade and I don't have an 11.04 disc.) I found a tutorial for Encryptfs via one of the stickies that mentions post-install migration, but it says that using Encryptfs on a separate /home partition is more complicated than if it were part of the root partition and that the CDs don't have any software to preserve and configure existing encrypted /home partitions. (Granted this tutorial is made for 9.04, so things may have changed.)
Also, this tutorial makes it sound like if you have your /home directory encrypted that the encrypted data is stored in a folder on the root partition. Is it done the same way if the /home directory is on its own partition? Because I don't think my root partition is large enough to have all of my /home data. (I purposely kept it small because the root partition doesn't seem to get very large.)
Has anyone tried encrypting the boot partition to prevent the kernel from being modified? I've tried following this but I'm running into issues when building. [URL] I'm using the source from bzr checkout [URL] Last time I tried I screwed grub and it wouldn't boot.
I have recently installed Thunderbird on my Fedora 11 box and so far so good. I am interested in encrypting my emails and digitally signing them as well. Does anyone have documentation as to how I can do this? I messed around with it last night but I was not able to import a valid certificate.
I'm installing fedora 12 on a laptop using the live cd, and I have a few questions about the encryption process.
First, I'd like to fill the drive with random data. I've read the fedora documentation and it suggests using the following command: dd if=/dev/urandom of=<device>. The installer didn't offer an opportunity to do this, so I opened a terminal and typed the command. I expected it to take hours on my 160 gig hard drive, but it only took about 3 minutes, and indicated about 600 megs of data had been written. Did I do it correctly? According to palimpsest, my boot partition is sda1 and the other partition is sda2, so that's the one I ran the command with.
Second, I need some advice on what to encrypt. The installer shows me the following layout after I select encryption:
LVM Volume Groups
Hard Drives
I know I can't encrypt boot, but I can encrypt lv_root and lv_swap. But is it necessary to do that? And tell me the pros and cons of using a boot loader password?
I've never encrypted a disk before; I'm following the Arch wiki (I'm a newbie, basically). Should I try and encrypt my swap partition (I've got 512 MB RAM, 1 GB swap)? Ideally, I'd like to make it so it's not feasible for someone (even a very skilled someone) to access my files (and system -- I'm encrypting /), but still make it fairly fast and usable for day-to-day operations. If it matters any, I'm using JFS.
If this is correct [URL] I can expect that it will take more than 16 days to fill my 2TB partition from /dev/urandom. That's not workable for me. dd if=/dev/urandom of=/dev/sdxx has been running for 36 hours, and I need to finish setting up the filesystem. But I also need to make a "professional effort" at encrypting the partition. Ok, so I can try
Code:
sudo /sbin/badblocks -c 10240 -s -w -t random -v /dev/sdxx
So, what is "10240" doing there? Yes, I rtfm, "is the number of blocks which are tested at a time", but is that for the partition size? If so, then I would want to increase it to 204800 for a 2TB partition, right? If not, what should I do?
I have an Ubuntu 10.04.1 LTS server that I set up a while back and I am considering encrypting the whole box. I store everything on the server and if it were stolen from a home robbery it could be quite devastating. The server is using two 750 GB SATA hard drives formatted with LVM. Inside the LVM I have a small partition on the first drive for the OS, SWAP, and everything else on the first and second drive is /var/media which is where I store all the data. I have set up an encrypted LVM on my laptop but that was during the install using the automatic method.
I can't figure out how to do what I want to do and I don't want to risk destroying the data on the server. What I would like is to non-destructively encrypt the server (System, SWAP, and DATA partitions) similar to how TrueCrypt works on Windows and I'd like the encryption key to be stored on a USB thumb drive so when the server boots it requires a hardware key. (And have the encryption key backed up online in case the flash drive dies.) And I'd like to use AES 256.
We use a squid proxy server for all http traffic. Is there any way to configure squid so that all traffic between squid and the workstations is SSL and encrypted?
I encrypted my hard drive on my media PC but it's really annoying having to type in a password every time I turn it on. I chose a short password so it was quick and easy to type in but is it worth encrypting data with a weak password? If the computer is suspended, someone could come along and resume the computer. They would be presented with a locked GNOME session, but the data would be unencrypted; does this go against encrypting the hard drive? Or does the locked GNOME session provide enough security to keep an intruder out?
I currently have my home folder encrypted with 128 bit encfs but I have the back up of that 'in the clear' on my back up hard drive. I am not that great with complicated instructions and especially the terminal, so what, if any, is the easiest program to encrypt with?
What is the easiest way to encrypt plain text content with a password only? I need to encrypt client login information, but I hate dealing with all the unnecessary complexities of Linux's encryption systems.
I know I am going to get a bunch of people telling me how perfect Seahorse and whatever is, but Seahorse and the default /home directory encryption have both given me too many problems when decrypting my information. I prefer to preserve my data rather than using these methods.
On my laptop (Dell Studio 1745) w/500GB HD, I have a common data partition shared by openSUSE, Fedora, FreeBSD, and windoze 7 currently. I would like to encrypt this partition (/Common) and have it accessible from all distros either with a passphrase key in /root or on a flash key. I've been researching on the web and there seem to be several possibilities using eCryptfs, LUKS, cryptsetup, or any of several methods.
My question is, what have people here used and how well did it work? Also, what was required for setup (I'll probably have to explain/teach it to my wife who is technology challenged-but I still love her anyway) and my daughter who's just getting into linux. I would like to be able to keep the entire directory on the hard drive but also have the ability to copy it to external USB device for transport.
So I was wondering about the dilemma of how to encrypt the password file on a key card to unlock your hard drive without having to enter any password. I came to the conclusion that the scripts could do this without storing any passwords in plain text themselves. Have a few extra steps to the scripts that would:
1. Read the UUID of any disks coming in.
2. Attempt to use that ID to decrypt a password file stored in the initrd.
3. Use the decrypted password file to unlock the keycard partition.
4. THEN use the password files on the keycard to decrypt the main partition and boot the system.
However, if somebody stole your key card and didn't know what the unencrypted information was, then it's harmless for them to have it anyway. And if they did know, you wouldn't be any better off with it being encrypted because they probably can gain access to your computer anyway; leaving them to just pop the key card in and automatically decrypt the drive.
I suppose encrypting the keycard would give you extra assurance that the information would be much harder to recover if you destroyed the key card in a hurry. So would this extra security step even be worth it?
I guess the most secure thing would be to only have a password and type it in every time... unless you are concerned about the aliens/government stealing that from your brain which would probably mean they wouldn't need your password anyway.
I have a small disk and I want to resize the swap partition to 2 GB. How can I do this?
[root@server12 ~]# lvdisplay
  --- Logical volume ---
  LV Name                /dev/vg_fedora11/lv_root
  VG Name                vg_fedora11
  LV UUID                Zwl9te-GQ1j-5Py3-Jiz0-JFAY-sy7n-iaV2TP
  LV Write Access        read/write
  LV Status              available
  # open                 1
  LV Size                52.32 GB
  Current LE             13393
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:0

  --- Logical volume ---
  LV Name                /dev/vg_fedora11/lv_swap
  VG Name                vg_fedora11
  LV UUID                k61vCI-YAdI-XgNX-xRaG-B7jY-CTMQ-LKOjwk
  LV Write Access        read/write
  LV Status              available
  # open                 1
  LV Size                3.92 GB
  Current LE             1004
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:1
I have the swap partition configured normally in fstab but it doesn't automount when I boot up. Not only that but I can't manually mount it either (ie with 'swapon -a', 'swapon -L /dev/sda7' etc). When I try I get this error -
I've created a /tmp partition on a server that I would like to encrypt in a fashion that doesn't require a password to be entered on boot because this server is in a remote data center. Storing the password on the server so that it can automatically boot would obviously defeat the purpose of encrypting in the first place. Skipping automounting is another option but I'd really like to avoid that because there are a number of other services that would have to be suspended until the /tmp partition is online.
I found this article designed for centos (HowTos/EncryptTmpSwapHome - CentOS Wiki) which seems perfect since it generates a key randomly on boot and that key is destroyed and regenerated on each successive boot. However, the script doesn't seem to work on openSUSE - it throws errors saying . /etc/init.d/functions doesn't exist, restorecon command not found, action command not found, etc. Is there an openSUSE-ish way to achieve promptless partition encryption?
I want to encrypt a full partition instead of creating a file and encrypting it, and I also want to move this disk to another server. Do I also need to take some files (that hold keys) with me to the new server? I am using FC11.
I have a brand new thinkpad X301 with 4GB of RAM and I'm thinking of getting fedora 11 on it. The plan is to have it triple boot with vista/seven and hopefully OSx86. I am aware of the 4 primary partitions limit on an MBR disk. I was thinking of having a swap file instead of a swap partition and not creating a boot partition as well. If I install the boot loader (GRUB?) on the root partition, will I be able to boot it without any problems by using vista's boot loader?
Or maybe I should install GRUB on the MBR and add all the other operating systems to it? Does anyone have any objections to not creating a swap partition or a boot partition? When it comes to desktop environment, I've been using KDE in the past; is there any major advantage of using Gnome over it? KDE seems to look really nice on fedora where Gnome is maybe more stable?
If I reboot I get the message "/dev/mapper/swap" doesn't exist. It seems that cryptsetup isn't setting up the encrypted block device. SELinux is in permissive mode.
I wanted to delete the Snow Leopard partition and format the Swap Disk partition to something else. exFat was causing major file size bloat on small files. QT sdk bloated to like 11 gigs or something ridiculous like that. Anyways, I loaded up an Ubuntu 10.04 LTS live cd and gparted then deleted the Snow Leopard partition. Gparted said "Mission Accomplished" and tried to rescan the drive, but never found it. At this point I restarted the computer, a dell laptop, which didn't boot with an unable to find a bootable device error. The ubuntu live cd doesn't see the drive anymore. gparted scans for drives indefinitely and fdisk -l has no output.
I was reading another thread about someone with a bad partition table and I decided to join this forum. I'm not going to take any drastic actions with the partition (/dev/sda3) in question. I am going to wait for instructions on what to do first. I am not very good with Linux and need some hand holding. System: DELL 4550 Dual-Booted with XP and Ubuntu. Works OK, just no swap. Well, here's what I did: I deleted a partition for Windows XP Pro because it was a trial, and it ran out. I then decided to slide the swap partition for the Ubuntu Linux that I dual-boot into over. (If this was successful, I was going to try expanding the root partition to take up the unused space.) I used Gparted on a CD to do this, as I figured it was safe to do.
I now cannot mount the swap space at bootup (and have to go into a backup version of the OS), although I can use Gparted in Linux to execute the "swapon" command, and it appears that it worked because I now see "swapoff" as an option on the context menu. (I actually don't even need a swap partition, except to hibernate.) If I highlight the swap partition and click on "Drive" on Gparted's menu bar and select "Create Partition Table", it will erase all data on /dev/sda, so how do I fix the bad partition table non-destructively?
During a recent install I made the leap to encryption, but /boot must remain unencrypted. Is there really any legitimate security risk to having an unencrypted /boot partition? I mean basically someone can just see what kernel you're running which they could see during boot anyways, right? Oh, and I keep all my financial documents in /boot/finances/ (haha ok not really, but I am serious about the first part).
I am having issues with Grub 2 after installing Debian 7.8.0. The computer is a HP Pavilion 500-307nb. I made the original hard drive /dev/sdb and inserted a Samsung Evo 840 as /dev/sda. From the original hard drive (/dev/sdb), I wiped the windows partition, but left all other partitions unchanged (in case I would ever want to recover the desktop to its original state). I replaced the wiped windows partition with a swap partition and an LVM partition. These are my hard drive partitions:
/dev/sda (Samsung Evo 840)
Number Start End Size File system Name Flags
1 1049kB 3146kB 2097kB primary bios_grub
2 3146kB 944MB 941MB ext4 boot
3 944MB 94.4GB 93.4GB host lvm
4 94.4GB 1000GB 906GB guests lvm
[code]....
The partition /dev/sda3 has 2 logical volumes with filesystem ext4 that I mount to / and /home. The partition /dev/sda2 is mounted to /boot. When I install like this, Debian installs fine, however Grub2 is not installed correctly. Debian installs grub-pc which seems not able to boot the gpt partition. So I boot the Debian CD in rescue mode and execute:
mount /dev/sda2 /boot
aptitude purge grub-pc
aptitude -y install grub-efi
After rebooting, I come in the grub rescue shell, which says: error: no such device: 986f2176--4a4b-4222-83b9-8636a034b3c7.
When I then enter in the grub rescue shell:
set boot=(hd0,gpt2)
set prefix=(hd0,gpt2)/grub
insmod normal
normal
Grub and Debian start up correctly. Why can Grub not start up automatically correctly? Where does the UUID 986f2176--4a4b-4222-83b9-8636a034b3c7 come from? I have reinstalled Grub several times, I have reinstalled Debian several times, I have even wiped all partitions from /dev/sda and recreated a new gpt table with parted and manually set the partitions in parted. Still on each reinstallation, Grub fails because it cannot find exactly the same UUID. Since this UUID is always the same, it must be stored somewhere, but it cannot be the partitions, I have wiped them and the partition table several times.
I did though a firmware update of the Samsung Evo 840 before reinstallation, could this be a cause? Also the problem is not in grub.cfg. Grub starts correctly if I enter the commands above in the grub rescue screen and the UUID value does not appear there.