SWAP should always be inside crypto softRAID, right? (For OS crash dump data to be encrypted.)

Tinker
Hi misc@,

I looked through previous discussions on whether a SWAP partition
should be inside or outside the RAID partition when making a crypto
softraid.

The only argument I stumbled into was that it should be outside because
swap is encrypted anyhow and it would be unnecessary to double-encrypt
the swap.


That seems like a weak argument to me, because swap is generally used
rarely and so speed does not really matter anyhow, and, the swap
partition is always used also as dump partition, and dumps are *not*
encrypted.

For the case that a dump would happen, you want the OS to encrypt it
and the way to do that is to put the SWAP *inside* the RAID.


Maybe a crash-dump can be induced somehow. Maybe someone would get hold
of the HDD while the dump data is still on the swap partition because
the OS has not booted again, which would otherwise normally migrate
that dump data over to the filesystem.

This is an extreme consideration, though as a comprehensive motivation
for a choice it appears to me to make all sense.


Thoughts, comments?

I would probably interpret no comments as that the SWAP should indeed
be located inside the RAID for this said reason.

Thanks,
Tinker

Re: SWAP should always be inside crypto softRAID, right? (For OS crash dump data to be encrypted.)

trondd-2
On Thu, February 8, 2018 1:49 pm, Tinker wrote:

Assuming you are doing full disk encryption otherwise, put swap inside the
softraid disk.  The kernel is hardcoded to look on the boot disk to save
dumps.  If swap is on sd0 but you decrypt a partition as sd1 and boot
from that, swap is no longer on the same disk.

Unless you override with config(8).

Tim.

Re: SWAP should always be inside crypto softRAID, right? (For OS crash dump data to be encrypted.)

Tom Smyth
In reply to this post by Tinker
Afaik swap is encrypted anyway on OpenBSD

On 8 Feb 2018 6:52 PM, "Tinker" <[hidden email]> wrote:
Re: SWAP should always be inside crypto softRAID, right? (For OS crash dump data to be encrypted.)

Kevin Chadwick-4
On Thu, 8 Feb 2018 19:39:39 +0000

> Afaik swap is encrypted anyway on OpenBSD

It is with a random key which is actually more secure than the softraid
key.

However, to the OP's question relating to dumps.

I believe the answer is that dumps are helpful and OpenBSD is a
developer system primarily but you should disable them with sysctl for
production or if you have concerns.

Re: SWAP should always be inside crypto softRAID, right? (For OS crash dump data to be encrypted.)

Tom Smyth
Thanks Kevin, I missed the dump part... agree with disable dump on prod,
enable on dev.

On 8 Feb 2018 22:51, "Kevin Chadwick" <[hidden email]> wrote:

Re: SWAP should always be inside crypto softRAID, right? (For OS crash dump data to be encrypted.)

Marcus MERIGHI
In reply to this post by Tinker
Hello Tinker,

there's a 2016-11 thread that's related:
"swap on encrypted softraid, performance penalty"

stsp@
https://marc.info/?l=openbsd-misc&m=143184355522545
tedu@
https://marc.info/?l=openbsd-misc&m=143206067713324

Marcus

[hidden email] (Tinker), 2018.02.08 (Thu) 19:49 (CET):

Re: SWAP should always be inside crypto softRAID, right? (For OS crash dump data to be encrypted.)

Tinker
Hi,

Thanks for your comments.

(Marcus, you meant only this 2015-05 thread right?
https://marc.info/?t=143181498300001 )


I think I like to keep dumps enabled also on a production machine. Even
if it's incredibly rare, it is possible for a production machine to
crash, and the dump could be instructive.

(For a production machine with dumps disabled, indeed the default swap
crypto is sufficient, and indeed using swap in softraid is
cryptographically redundant.)

I realize the thread subject is not optimal ("SWAP should always be
inside crypto softRAID, right? (For OS crash dump data to be
encrypted.)").

Here is the updated subject and query:


"If I want to have crash dumps enabled, while enjoying the crypto
softraid's physical data theft protection for all data, THEN my SWAP
partition(s) should be inside the softraid, right?".


Thoughts, criticism?

Thanks,
Tinker

On February 9, 2018 6:07 PM, Marcus MERIGHI <[hidden email]> wrote:

On February 9, 2018 6:55 AM, Tom Smyth <[hidden email]> wrote:

On February 9, 2018 6:49 AM, Kevin Chadwick <[hidden email]> wrote:

On February 9, 2018 3:39 AM, Tom Smyth <[hidden email]> wrote:

On February 9, 2018 3:30 AM, trondd <[hidden email]> wrote:

Re: SWAP should always be inside crypto softRAID, right? (For OS crash dump data to be encrypted.)

Marcus MERIGHI
[hidden email] (Tinker), 2018.02.22 (Thu) 06:04 (CET):
> (Marcus, you meant only this 2015-05 thread right?
> https://marc.info/?t=143181498300001 )

yes, I messed the links up! Thanks for the correction.

> I think I like to keep dumps enabled also on a production machine. Even
> if it's incredibly rare, it is possible for a production machine to
> crash, and the dump could be instructive.
>
> (For a production machine with dumps disabled, indeed the default swap
> crypto is sufficient, and indeed using swap in softraid is
> cryptographically redundant.)
>
> I realize the thread subject is not optimal ("SWAP should always be
> inside crypto softRAID, right? (For OS crash dump data to be
> encrypted.)".
>
> Here is the updated subject and query:
>
> "If I want to have crash dumps enabled, while enjoying the crypto
> softraid's physical data theft protection for all data, THEN my SWAP
> partition(s) should be inside the softraid, right?".

From the thread you cited above...
https://marc.info/?l=openbsd-misc&m=143185991125110&w=2
  stsp@:
  Keeping swap on the same disk as the root filesystem has some
  advantages.  For historical reasons the system expects this in various
  places.  More things (such as hibernate) will work out of the box this
  way.

So if you have Full Disk Encryption (FDE) then your swap device should
be inside the encrypted disk, yes.

And, keep swap encryption *on*, although it's on a softraid(4) encrypted
device, according to tedu@:
https://marc.info/?l=openbsd-misc&m=143206067713324&w=2
  [...] to the contrary, uvm swap encrypt does a better job of expiring
  keys and making old data unrecoverable.

Yet another point: consider abandoning suspend/hibernation with FDE!

Marcus

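An added check, written for this page and not taken from any post in the thread, that turns trondd's and Marcus's advice into something runnable: it verifies that every swap device sits on the same disk as the root filesystem (the decrypted softraid volume, so crash dumps land inside the crypto volume) and that vm.swapencrypt.enable is still 1. The swapctl, df and sysctl outputs embedded below are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added check (not from the thread): verify an OpenBSD layout follows the
# advice above: swap on the same disk as root (the decrypted softraid volume,
# e.g. sd1) so crash dumps land inside the crypto volume, and swap encryption
# left on. Inputs are constructed samples of `swapctl -l`, `df /`, sysctl.

# /dev/sd1b -> sd1 (OpenBSD partition letters are a-p); root disk from `df /`.
disk_of() { basename "$1" | sed 's/[a-p]$//'; }
root_disk() { disk_of "$(printf '%s\n' "$1" | awk 'NR == 2 { print $1 }')"; }

# 0 if every /dev/ swap device in `swapctl -l` output ($1) lives on disk $2.
# Swap files (e.g. /var/swap) are skipped: they live inside a filesystem.
swap_on_disk() {
    for dev in $(printf '%s\n' "$1" | awk '$1 ~ /^\/dev\// { print $1 }'); do
        [ "$(disk_of "$dev")" = "$2" ] || return 1
    done
    return 0
}

# 0 if `sysctl vm.swapencrypt.enable` output ($1) reports 1.
swapencrypt_on() {
    [ "$(printf '%s\n' "$1" | sed -n 's/^vm\.swapencrypt\.enable=//p')" = 1 ]
}

# Run both checks; one verdict line each, non-zero return on any WARN.
check_layout() {
    rd=$(root_disk "$2"); rc=0
    if swap_on_disk "$1" "$rd"; then
        echo "ok: all swap devices are on root disk $rd"
    else
        echo "WARN: swap not on root disk $rd; dumps go to the boot disk (see config(8))"; rc=1
    fi
    if swapencrypt_on "$3"; then
        echo "ok: vm.swapencrypt.enable=1 (keep it on even inside softraid crypto)"
    else
        echo "WARN: swap encryption is off"; rc=1
    fi
    return $rc
}

# Constructed samples: root on sd1a (softraid volume); swap on sd1b vs. sd0b.
ROOT_DF='Filesystem  512-blocks      Used     Avail Capacity  Mounted on
/dev/sd1a      2062844    171740   1787964     9%    /'
GOOD_SWAP='Device      512-blocks     Used    Avail Capacity  Priority
/dev/sd1b      4194304        0  4194304     0%    0'
BAD_SWAP='Device      512-blocks     Used    Avail Capacity  Priority
/dev/sd0b      4194304        0  4194304     0%    0'

check_layout "$GOOD_SWAP" "$ROOT_DF" 'vm.swapencrypt.enable=1'
check_layout "$BAD_SWAP" "$ROOT_DF" 'vm.swapencrypt.enable=1' || echo "(bad layout flagged)"
```

On a live host, feed the functions the real output of `swapctl -l`, `df /` and `sysctl vm.swapencrypt.enable` instead of the constructed strings.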