Bug 399298

Summary: encrypt swap partitions by default on every boot using a random key
Product: [openSUSE] openSUSE 11.1
Reporter: Jörg Hermsdorf <funtasyspace>
Component: Security
Assignee: Security Team bot <security-team>
Status: RESOLVED WONTFIX
QA Contact: E-mail List <qa-bugs>
Severity: Enhancement
Priority: P5 - None
Version: Alpha 0
Target Milestone: ---
Hardware: All
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Jörg Hermsdorf 2008-06-11 14:42:54 UTC
I think for security reasons, swap partitions should be encrypted by default in a way where a RANDOM encryption key is generated on EVERY boot, so users are not required to enter the key on every boot.

As the swap partition is also used for hibernation/suspend-to-ram, this would raise the problem of not being able to decrypt the hibernation data on the next boot. Therefore I would suggest automatically creating a dedicated, encrypted hibernation file before hibernating and writing the RAM content into this file instead of writing into the swap partition. The key for this encrypted hibernation file should be derived from a password the user is requested to enter immediately after initiating the hibernation process (or by using a fingerprint reader if available, for more convenience but less security).

Though, an open question would be a solution for the case when the user is not present to enter a password or swipe his finger because hibernation is done automatically (after an idle timeout or because of low battery).
Comment 1 Pavel Machek 2008-06-16 07:30:24 UTC
(For hibernation, we can actually use RSA so that passphrase is only entered during resume. Stock s2disk should actually support that.)
Comment 2 Jörg Hermsdorf 2008-06-16 09:37:01 UTC
Yes, I had this idea, too. We could use a hybrid encryption solution here. On hibernation, generate a random key and encrypt the hibernation file using a symmetric cipher (e.g. twofish256), and encrypt that autogenerated symmetric key using an asymmetric cipher (e.g. El-Gamal or RSA). This way, the user does not need to be present when the system hibernates. He only needs to enter the passphrase for his asymmetric private key to decrypt the autogenerated symmetric key which was used to encrypt the hibernation file.
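The hybrid scheme sketched in comment 2, as an added example that is not part of the bug report or of any openSUSE tooling: a fresh random key per hibernation, wrapped with the user's RSA public key so no passphrase is needed when the machine hibernates, and the passphrase-protected private key unwrapping it at resume. It uses the openssl command line, AES-256-CBC in place of the Twofish mentioned in the thread, RSA-OAEP for the key wrap, and constructed file names in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the bug report: hybrid encryption of a hibernation
# image with openssl. Note that CBC alone gives no integrity protection; a real
# implementation would add a MAC or use an AEAD mode over the image.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One-time setup: passphrase-protected RSA private key plus its public half.
setup_keys() {  # $1 = passphrase
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -aes-256-cbc -pass pass:"$1" -out "$WORK/resume.key" 2>/dev/null || return 1
  openssl pkey -in "$WORK/resume.key" -passin pass:"$1" \
    -pubout -out "$WORK/resume.pub" || return 1
}

# Hibernate side (no user present): random 256-bit key and IV, encrypt the
# image, wrap the key with the public key, then discard the plaintext key.
hibernate() {  # $1 = image file, $2 = output prefix
  openssl rand -hex 32 > "$WORK/session.key"
  openssl rand -hex 16 > "$2.iv"
  openssl enc -aes-256-cbc -K "$(cat "$WORK/session.key")" -iv "$(cat "$2.iv")" \
    -in "$1" -out "$2.enc" || return 1
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/resume.pub" \
    -pkeyopt rsa_padding_mode:oaep -in "$WORK/session.key" -out "$2.wrapped" || return 1
  rm -f "$WORK/session.key"
}

# Resume side: the passphrase unlocks the private key, which unwraps the
# session key; a wrong passphrase fails here and the image is never decrypted.
resume() {  # $1 = prefix, $2 = passphrase, $3 = output file
  openssl pkeyutl -decrypt -inkey "$WORK/resume.key" -passin pass:"$2" \
    -pkeyopt rsa_padding_mode:oaep -in "$1.wrapped" -out "$WORK/unwrapped.key" \
    2>/dev/null || return 1
  openssl enc -d -aes-256-cbc -K "$(cat "$WORK/unwrapped.key")" -iv "$(cat "$1.iv")" \
    -in "$1.enc" -out "$3" || return 1
  rm -f "$WORK/unwrapped.key"
}

# Round trip on a constructed "RAM image"; returns 0 only if the restored
# image matches the original and a wrong passphrase is rejected at resume.
demo() {
  setup_keys "correct-horse" || return 1
  printf 'constructed RAM image at hibernation time\n' > "$WORK/image"
  hibernate "$WORK/image" "$WORK/hib" || return 1
  resume "$WORK/hib" "correct-horse" "$WORK/restored" || return 1
  cmp -s "$WORK/image" "$WORK/restored" || return 1
  if resume "$WORK/hib" "wrong-passphrase" "$WORK/bad"; then return 1; fi
  return 0
}
```

Run `demo` to exercise both the hibernate and the resume side; the wrapped key and the IV are the only things that need to be stored next to the encrypted image.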
Comment 3 Ludwig Nussel 2009-03-19 09:58:55 UTC
This is not going to happen by default. However, with the method described here:
http://lizards.opensuse.org/2009/03/18/encrypted-root-file-system-on-lvm/
swap is automatically encrypted also.