Your swap file/partition is not secure when not in use

tallboy
Posts: 1760
Joined: Tue 21 Sep 2010, 21:56
Location: Drøbak, Norway

Your swap file/partition is not secure when not in use

#1 Post by tallboy »

I know that swap files are vulnerable. They can be attacked and their contents can be read like any other file. I am sure there have been posts about it in the forum. But having such info hasn't necessarily made me do anything about it. :roll: Until now.
I recently encrypted a NoteCase document, which is a very simple way to keep some of the HDD's contents really private. I had to review its Help file to be certain I didn't make any mistakes. In my Lucid it is found in /usr/share/doc/notecase/help.ncd, activated from the Help menu choice. In HOWTOs there is a section on Creating encrypted documents, with a link to Encryption security in the FAQ:
How secure is the encrypted file format?
NoteCase uses the Blowfish algorithm for its encrypted format. This algorithm is considered to be pretty strong and is very popular and widely used, especially since it's patent-free. For really paranoid people (or the ones that require a really high level of security) there is one more issue to consider; program memory can be swapped from memory to hard disk (a swap partition or swap file) while the program is running. In that way the contents of a protected document might end up being written to swap in unencrypted form.

There are two standard ways to ensure a high level of the safety of your information:
- by using an encrypted swap partition (on Linux)
- by wiping all the data in your swap partition, for example on each shutdown
Read more at:
http://www.iusmentis.com/security/filewiping/wipeswap/
There are 2 more links, one dead, and one that requires installation of a program, so I skipped them.
The advice to read more is a good one. In the text in the link, there is a warning that the swap file cannot be wiped while the computer is working, which is aimed at those of you still using Windoze. That situation is different when using our Puppys, as we have a swap partition, not a swap file. There are instructions for wiping the Linux swap partition at the bottom of the page. The info on which partition is swap is found in /proc/swaps, not in /etc/fstab as the text says. You may also want to run the command man swapon first; it's always useful to know some of the background info.
True freedom is a live Puppy on a multisession CD/DVD.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#2 Post by belham2 »

Hi Tallboy,

Good stuff.

I've always wondered, in today's age of endless GBs in storage and minimum RAMs of 4GB up to 8GB, is there any reason to have a SWAP partition anymore?

I run all pups/ddogs frugally, thus there's no SWAP to use and/or wipe.

But what about all the other Linux distros we all like to use and fool around with?

On any mainstream Linux install we have and/or use, for example, if we have 8GB-16GB of RAM installed on our machines, can we just safely 'delete' any SWAP partition? And do this without any performance hit??

I know a person who has 4GB ram on one machine, and they've been deleting the SWAP partition (that is setup if you follow a particular distro's automated install) for years, and swears they've seen no performance hit. Can this be true with running stuff like VMs, or LibreOffice, and/or any others out there that might need/use the SWAP partition?

ITSMERSH

#3 Post by ITSMERSH »

I read somewhere some time ago that computers aren't safe when in use - and that was meant in general! :shock: :wink: :lol:

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#4 Post by rufwoof »

With the panto season rapidly approaching ... can't resist ...

"Your swap file is not secure ... oh no it's not!"

OH YES IT IS! ....

My primary boot is OpenBSD, which along with randomising the kernel, libs, PIDs, file IDs and more recently having unveil (disk access restrictions) in addition to pledge (memory access restrictions) - along with W^X (write xor execute restrictions), also encrypts swap. The swap space is split up into many small regions that are each assigned their own encryption key; as soon as the data in a region is no longer required OpenBSD securely deletes it by discarding the encryption key. That feature was enabled by default as of OpenBSD 3.9 and later (current version is now 6.4).

None of the hyperthreading risks either ... as of 6.4 hyperthreading was turned off by default.

Personally I also turn all root setuid scripts off for 'others', as I only use user under X (no su, sudo, doas ..etc.) and run any root/admin tasks using the console (I tend to run tmux in that root console) ...
Attachment: root-console.jpg
( ͡° ͜ʖ ͡°) :wq
Fatdog multi-session usb: http://murga-linux.com/puppy/viewtopic.php?p=1028256#1028256
echo url|sed -e 's/^/(c/' -e 's/$/ hashbang.sh)/'|sh (https://hashbang.sh)

Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#5 Post by Burn_IT »

There IS an option in Windows to clear the pagefile/swapfile at shutdown.
It has been there for many years.
It may well be overwritten by using the newer FAST SHUTDOWN or fast startup option, but it is there and the two options are not compatible anyway.
"Just think of it as leaving early to avoid the rush" - T Pratchett

tallboy
Posts: 1760
Joined: Tue 21 Sep 2010, 21:56
Location: Drøbak, Norway

#6 Post by tallboy »

belham, my old PC has 1 GB RAM, so I have a generous swap partition. :D I think situations when I open both Thunderbird and a Palemoon with many open tabs with lots of graphics may benefit from a swap partition. I have tested newer Puppies for an upgrade from my Lucid, but some of them were so big they refused to boot. I guess a Puppy occupying just under the limit of available RAM would need to run most programs from swap.

rufwoof, I skipped the one link in the text I quoted, because it was to a program that encrypts the swap file/partition, and I don't like to install new programs if I can avoid it. :? I think it is a good thing that OpenBSD has those possibilities built-in.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#7 Post by rufwoof »

Here are some notes for setting up an encrypted swap file under Fatdog

I boot from usb, using multi-session save, similar to multi-session CD/DVD but with changes written to the usb. Which means the usb can be unplugged once booted (event manager save session interval is set to 0 so it only ever saves on demand). I load everything into ram at bootup, main sfs, saves etc., so swap provides more 'ram' space for things to run in. Mostly I don't save changes (once I've configured things as I like I just boot, use, shutdown) and store data outside (other removable disk). When you use swap as 'ram' and it's encrypted, any files you work on don't leave the same residual data on HDD when the system is shut down. If for instance I copy my.doc from a usb to hdd, edit that file, save a copy back to usb and delete the hdd copy of my.doc, then someone else with access to that hdd can read that deleted file. When unix deletes a file it only marks the file's blocks as 'available' - the actual data content still remains, at least until that available block is actually reused. If that file is instead loaded from usb into ram then it is wiped out at shutdown, but if it was swapped to disk by the system while using it, then again it could be read. Encrypted swap ensures that unwanted reading is much more difficult/unlikely.


# create a 20GB swap file in the / folder of a hdd partition (run this once, by hand)
# dd if=/dev/urandom of=swapfile.crypt bs=1M count=20480

# and add to /etc/rc.d/rc.local

# Linux kernel can re-arrange (dynamically allocates) device names
# so sda1 one day might be sdb1 the next. So we search for where
# our swapfile.crypt resides (change the list according to your
# available drives)
for drive in sda1 sdb1; do
	mkdir -p "/mnt/$drive"
	mount "/dev/$drive" "/mnt/$drive"
	RC=$?
	if [ -f "/mnt/$drive/swapfile.crypt" ]; then
		cd "/mnt/$drive" || break
		# attach the file to a free loop device, then map it through dm-crypt
		# (plain mode) with a throwaway key read from /dev/urandom: the key only
		# ever lives in kernel memory, so the file contents are unreadable after a reboot
		loop=$(losetup -f)
		losetup "$loop" swapfile.crypt
		cryptsetup open --type plain --key-file /dev/urandom "$loop" swapfile
		mkswap /dev/mapper/swapfile
		swapon /dev/mapper/swapfile
		break
	elif [ "$RC" -eq 0 ]; then
		# mounted fine but no swap file on this drive: unmount and try the next one
		umount "/mnt/$drive"
	fi
done

# My swap partition is 20GB, so I resize pup_save and tmp to match that
mount -o remount,size=26G /aufs/pup_save
mount -o remount,size=26G /aufs/pup_multi
mount -o remount,size=26G /tmp
mount -o remount,size=26G /dev/shm
Running the system all in ram + (encrypted) swap generally works well IME. Yes, occasionally when doing something really big, like a video edit, the system can stall for a minute or two whilst swapping kicks in, but after that it tends to resume 'normal working'. It can also mean prolonged shutdowns as the system runs swapoff, but providing you're aware of those 'downsides' it's no great issue. Mostly, on my 4GB machine, swap hardly ever actually gets used, other than perhaps 20MB or so. But it's there for when it is needed.
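Post #1 points at /proc/swaps as the place to see which swap is active, and the rc.local script above leaves encrypted swap visible there as /dev/mapper/swapfile. The audit below, an added example rather than code from the thread, reads that file and reports any swap entry that is not a device-mapper node; with "verify" (root and dmsetup required) it also confirms each mapper node's table target really is crypt, since a /dev/mapper name alone proves nothing. The sample /proc/swaps content is constructed.

```shell
#!/bin/sh
# swap-audit.sh: report active swap entries that are not backed by a dm-crypt
# mapping. Added example for this thread, not code from any of the posts.
# Assumes the /proc/swaps layout (Filename Type Size Used Priority) and that
# encrypted swap shows up as /dev/mapper/<name> or /dev/dm-N.

# Constructed sample in /proc/swaps format: one plain partition plus the
# encrypted swap file the rc.local script in this thread creates.
SAMPLE_SWAPS='Filename              Type       Size      Used   Priority
/dev/sda2             partition  4194300   0      -2
/dev/mapper/swapfile  partition  20971516  20480  -3'

# Write the sample to a temp file and print its path, so the audit can be
# exercised on a machine that has no swap at all.
write_sample() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_SWAPS" > "$f"
    printf '%s\n' "$f"
}

# True when the device-mapper node's table target is "crypt" (needs root and
# dmsetup). The third field of "dmsetup table" output is the target type.
is_dm_crypt() {
    dmsetup table "$1" 2>/dev/null | awk '$3 == "crypt" { ok = 1 } END { exit !ok }'
}

# audit_swaps FILE [verify]: print every swap entry that is not a device-mapper
# node; with "verify", also flag mapper nodes whose target is not crypt.
# Returns 0 when nothing was reported, 1 otherwise.
audit_swaps() {
    file=${1:-/proc/swaps}
    status=0
    for dev in $(awk 'NR > 1 { print $1 }' "$file"); do
        case "$dev" in
            /dev/mapper/*|/dev/dm-*)
                if [ "${2:-}" = verify ] && ! is_dm_crypt "$dev"; then
                    printf '%s: mapper node but not a crypt target\n' "$dev"
                    status=1
                fi ;;
            *)  printf '%s: plaintext swap\n' "$dev"; status=1 ;;
        esac
    done
    return "$status"
}

# Stand-alone run: audit the constructed sample, then the live system if present.
sample=$(write_sample)
if audit_swaps "$sample"; then echo "sample: all swap encrypted"; fi
rm -f "$sample"
mode=; [ "$(id -u)" -eq 0 ] && mode=verify
if [ -r /proc/swaps ] && audit_swaps /proc/swaps $mode; then echo "live: all swap encrypted"; fi
```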

tallboy
Posts: 1760
Joined: Tue 21 Sep 2010, 21:56
Location: Drøbak, Norway

#8 Post by tallboy »

Thank you for the code, rufwoof! :D
I/we have a problem with big Puppys loaded into small - but just enough - RAM, usually causing X to refuse to start. The same running Puppy, loaded into RAM as you describe, may require very little memory to run after the boot process is finished. Is there a way for a swap partition to be activated much earlier in the boot process, to eliminate the problem?

tallboy
Posts: 1760
Joined: Tue 21 Sep 2010, 21:56
Location: Drøbak, Norway

#9 Post by tallboy »

One little addition: NoteCase actually has a radio button to set your choice in its Configure NoteCase -> Security menu: Protect memory space from swapping. I have never seen that in any other program.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#10 Post by rufwoof »

> I/we have a problem with big Puppys loaded into small - but just enough - RAM, usually causing X to refuse to start. The same running Puppy, loaded into RAM as you describe, may require very little memory to run after the boot process is finished. Is there a way for a swap partition to be activated much earlier in the boot process, to eliminate the problem?
Hi tallboy

With Fatdog, yes. You can also early (within initrd) net connect with Fatdog - including wifi. With Puppys I don't think you can (at least not easily) do either - but I don't know for sure.

Fatdog calls its init phase Bulldog, and you can run that as a minimal cli type system with wifi (or hardwired/ethernet) connected, ssh ...etc. So you can for instance boot to that, ssh/wget/whatever the main sfs from a remote location (and your save files), and then exit Bulldog to continue booting up the full Fatdog system using those downloaded main/save sfs files. I set up a large encrypted swap file in Bulldog, and have used that to manipulate GBs of files. However I must admit I've never tried downloading main sfs and save files that exceed available ram (so stored in a combination of both ram and swap) and then booting those - as those sfs's have always fitted within actual ram (i.e. 400MB main sfs and perhaps 100MB of save sfs filesizes have always been less than the amount of available RAM).

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#11 Post by rufwoof »

... so I gave it a try.

Fatdog as-is won't save large amounts because /aufs/pup_save, /aufs_multi (for multi-session CD type saving to usb) and /tmp aren't resized to accommodate both ram and swap. Resizing those to account for available ram+swap - a relatively minor change, and copying in large amounts of data in /root (5GB on a 4GB ram system) and save did run ... albeit slowly (because multi-session saves on Fatdog save to a sfs, which involves compression). That speeds up considerably if no compression is used for creating the save sfs, but is still laggy as it is swapping things. I was also using a usb (3.0) for the save area so there was the lag of writing large amounts of data to a usb also involved.

For bootup and loading, that would again involve having to resize mount points such as /aufs/pup_multi ... which means changing init. I didn't bother with that, but no reason why that couldn't be coded.

Using ram + encrypted swap is viable, but much slower than using an encrypted save file for saving, and not loading that into ram - to similar effect, and it avoids copying it all into available 'ram' (ram + swap). If you're going to have a hdd partition/file mounted as an encrypted swap, you might as well instead just keep it mounted for an encrypted save file. i.e. "All running in ram" where 'ram' is ram + encrypted swap isn't all in ram, no hdd's attached.
Attachment: save.png

tallboy
Posts: 1760
Joined: Tue 21 Sep 2010, 21:56
Location: Drøbak, Norway

#12 Post by tallboy »

Thank you for that info, rufwoof. Interesting to know that someone has tried! FatDog is one of those a little too large for the PC with limited RAM. I often get those Puppys, or derivatives, loaded, but X won't start. They usually run with a lot less memory after the installation process, so I'll see if I can boot without X, and then start X when the memory need is lower. I am not sure if that is possible at all. :?