• Antergos encrypted setup


    Hello,
    I’m very happy about my recently installed Antergos Laptop. But today I found something which is disturbing me…
    I checked how the system is booting and found out that the Swap partition which is used for hibernate as well appears to be not encrypted.

    This is quite a security issue. An attacker could boot the system from another media and analyze the contents of the swap space to find the private key used for the encrypted file system.
    Did I overlook something in the graphical installer?

    Kind regards,
    Rincewind

  • @developers ?

    [updates once a week] = [90% less problems]
    how to add system logs:
    wget http://bit.ly/2GCG9k2 && sh 2GCG9k2
    help development: donate antergos

  • Hi,

    I’m afraid Swap partitions are not encrypted by default.

    Please, read this first to know the implications:

    https://wiki.archlinux.org/index.php/Dm-crypt/Swap_encryption

    Maybe a swap file in the encrypted root would be the easiest way to go… but yes, I’m afraid this has not been addressed as it should.

    It is solved if you use LVM on LUKS, as Cnchi uses one lvm volume as swap (like this: https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS)

    From the arch wiki:

    "To be able to resume after suspending the computer to disk (hibernate), it is required to keep the swap space intact. Therefore, it is required to have a pre-existent LUKS swap partition, which can be stored on the disk or input manually at startup. "

    I’m open for suggestions.

  • @karasu thanks for clarifying!


  • Hi,

    ok, thanks. This explains. I just thought I was overlooking something during the installation process.

    I found this guide:
    https://wiki.archlinux.org/index.php/Dm-crypt/Swap_encryption

    and implemented according to chapter 2.3 with swap file.

    Kind regards,
    Rincewind
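
A way to verify the setup discussed in this thread (added example, not part of the original posts): the script walks each swap area's block-device ancestry and reports whether a dm-crypt layer sits underneath it. The device names and layout in the sample are constructed; on a live system the inputs come from `/proc/swaps`, `lsblk` and `findmnt` as noted in the comments.

```shell
#!/usr/bin/env bash
# Added example: does each active swap area sit on a dm-crypt layer?
# Live inputs: cat /proc/swaps ; lsblk -rno KNAME,PATH,TYPE,PKNAME ;
#              findmnt -no SOURCE -T <swapfile>  (device holding a swap file)

# Constructed sample layout (assumed names): LUKS root on sda2, plaintext swap
# partition sda3, and a swap file stored inside the encrypted root.
SAMPLE_SWAPS='Filename Type Size Used Priority
/dev/sda3 partition 8388604 0 -2
/swapfile file 4194300 0 -3'
SAMPLE_LSBLK='sda /dev/sda disk
sda1 /dev/sda1 part sda
sda2 /dev/sda2 part sda
dm-0 /dev/mapper/cryptroot crypt sda2
sda3 /dev/sda3 part sda'

# on_crypt DEVPATH LSBLK_TEXT
# Prints "encrypted" if DEVPATH or any ancestor has TYPE=crypt,
# "plaintext" if none does, "unknown" if DEVPATH is not listed.
on_crypt() {
  printf '%s\n' "$2" | awk -v dev="$1" '
    { type[$1] = $3; parent[$1] = $4; if ($2 == dev) k = $1 }
    END {
      if (k == "") { print "unknown"; exit }
      while (k != "") {
        if (type[k] == "crypt") { print "encrypted"; exit }
        k = parent[k]            # climb towards the physical disk
      }
      print "plaintext"
    }'
}

# audit_swaps SWAPS_TEXT LSBLK_TEXT [FILE_BACKING_DEV]
# One line per swap area: "<name> <status>". For swap files the backing
# device is FILE_BACKING_DEV, or is resolved with findmnt when omitted.
audit_swaps() {
  printf '%s\n' "$1" | tail -n +2 | while read -r name type _; do
    dev=$name
    if [ "$type" = file ]; then
      dev=${3:-$(findmnt -no SOURCE -T "$name")}
    fi
    printf '%s %s\n' "$name" "$(on_crypt "$dev" "$2")"
  done
}

audit_swaps "$SAMPLE_SWAPS" "$SAMPLE_LSBLK" /dev/mapper/cryptroot
```

On the sample, the swap partition is reported as plaintext and the swap file inside the LUKS root as encrypted; an LVM swap volume on top of a LUKS container is also reported as encrypted because the walk reaches the `crypt` parent.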

  • just install luks+lvm in VM to check out 😉


  • [Screenshot: Bildschirmfoto vom 2017-12-15 20-32-18.png]
    so using encryption + LVM will do this the easy way…


  • @joekamprad

    just install luks+lvm in VM to check out

    That is a bit offending… hahahaha…

    I thought I was trustworthy!

    Cheers!

  • @karasu said in Antergos encrypted setup:

    That is a bit offending

    I am so sorry and I must say I TRUST YOUR WORD 😉

    I simply want to try it out, because I want to see it and play around with LVM too


  • @joekamprad, @All

    Well, this (LUKS encrypted LVM volume) is the solution in other distributions, too. It is also described in the above wiki page as one possible solution. I just didn’t want to install from scratch because of this little flaw.
    The swap file solution also works perfectly with hibernate.

    But does it make sense to offer this insecure combination of encrypted rootFs and not encrypted swap?

    Kind regards,
    Rincewind

  • you do not have to install a swap partition at all…
    And in my opinion, if you want to have encryption, you have to inform yourself about it, before installation.
    Maybe it would be possible to have a help button inside cnchi like we have for DualBoot…
    I like to have the installer open, to as many ways as it is possible.


  • @joekamprad said in Antergos encrypted setup:

    I like to have the installer open, to as many ways as it is possible.

    That is excellent, yes sir !!!

  • Hi,

    Well, then maybe we could, when the user selects LUKS but not LVM, create a swap file in the root instead of a swap partition…

  • is there a difference in something on swap partition vs. swapfile?


  • @joekamprad

    Well, in case you have a Laptop you probably want to use hibernation, or? In this case you must have a swap partition. Full stop.

    Where could I potentially know in advance what the graphical Installer is going to do in such detail?
    And if I had known it would leave the swap in plaintext, I’d never have selected this option in the first place.
    I think the way this option works, it creates a pretty vulnerable installation while leaving the end-user believing they have “everything” encrypted.

  • @rincewind that’s the thing about options 😉 for most desktops hibernation is not working properly, so it is useless to have swap if you have a big amount of RAM…
    But better to make it possible for all the different scenarios! And good to keep it as simple as possible.
    What I want to say is: obliging users to use LVM if they choose encryption means fewer options, but what @karasu proposed, choosing a swap file if you choose encryption without LVM, gives more options and keeps it simple.

