Encrypt dom0 swap #79
Marking as draft because it is specific to the LVM install choice.
I just found out I never clicked "submit review" here. Good thing that github kept the pending comment for a few years...
This encrypts dom0 swap with a randomly generated key, which helps prevent its contents from being recovered later.
5252dca to 3780cdc
# Ensure that this unit comes after its backing device, | ||
# and is shut down if its backing device is shut down. | ||
After=dev-qubes_dom0-swap.device | ||
BindsTo=dev-qubes_dom0-swap.device |
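Review bot: After= and BindsTo= both hard-code dev-qubes_dom0-swap.device, so the unit is only ordered and bound correctly when the volume group is named qubes_dom0 and the logical volume is named swap; on any other layout the dependency names a device unit that never appears and cannot be satisfied. Suggest deriving the device unit name from the actual swap device at install time (systemd-escape --path --suffix=device prints the right name) so it is set in one place instead of being repeated in each directive.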
Even in LVM setup, the VG name can be different, and LV name can be different too...
Previous version also had this issue, but now it's all over the place instead of just StartExec line.
Maybe it's possible to rely on generators (and maybe the default ones will be enough)? Like, setup backing device via /etc/crypttab, and then use /dev/mapper/swap as the actual swap (via /etc/fstab).
That’s absolutely fine, and it’s what I do on my local system. I have this line in /etc/crypttab:
swap /dev/qubes_dom0/swap /dev/urandom plain,swap,cipher=aes-xts-plain64
And this in /etc/fstab (modulo padding whitespace):
/dev/mapper/swap none swap defaults 0 0
The reason that this PR does not take that approach is that these files are generated by Anaconda, which I have never touched before. I can try, though.
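A check for the crypttab/fstab arrangement quoted in the comment above, as an added example that is not part of this PR or of the Qubes code base. The function name check_swap, the temporary file names and the "bad" fstab are constructed for illustration, and the check assumes encrypted swap is referenced in fstab as /dev/mapper/<name>.

```shell
#!/bin/sh
# Added example (not from the PR). Audits fstab/crypttab text for swap that
# is not backed by a dm-crypt mapping keyed from a per-boot random source.
# Assumption: encrypted swap is referenced in fstab as /dev/mapper/<name>.

# check_swap CRYPTTAB FSTAB: one line per swap entry; returns 0 if all pass.
check_swap() {
    awk '
        { sub(/#.*/, "") }                 # drop comments
        NF == 0 { next }                   # skip blank lines
        FILENAME == ARGV[1] {              # crypttab: name device key options
            key[$1] = $3; opts[$1] = "," $4 ","; next
        }
        $3 != "swap" { next }              # fstab: only swap entries matter
        {
            name = $1
            if (sub(/^\/dev\/mapper\//, "", name) == 0)
                why = "not a /dev/mapper/<name> path"
            else if (!(name in key))
                why = "no crypttab entry"
            else if (key[name] != "/dev/urandom" && key[name] != "/dev/random")
                why = "key is not regenerated at each boot"
            else if (index(opts[name], ",swap,") == 0)
                why = "crypttab entry lacks the swap option"
            else
                why = ""
            if (why == "") print "OK   " $1
            else { print "FAIL " $1 ": " why; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1" "$2"
}

# Constructed sample files: the two lines quoted in the comment above, plus
# a constructed fstab that still points at the plaintext logical volume.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' 'swap /dev/qubes_dom0/swap /dev/urandom plain,swap,cipher=aes-xts-plain64' > "$tmp/crypttab"
printf '%s\n' '/dev/mapper/swap none swap defaults 0 0' > "$tmp/fstab.good"
printf '%s\n' '/dev/qubes_dom0/swap none swap defaults 0 0' > "$tmp/fstab.bad"

check_swap "$tmp/crypttab" "$tmp/fstab.good" || echo "audit failed"
check_swap "$tmp/crypttab" "$tmp/fstab.bad"  || echo "audit failed"
```

On a live system the same function can be pointed at /etc/crypttab and /etc/fstab; it reads the files only and does not inspect the running swap devices.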
Is Anaconda the correct place to make this change? I’m really unsure how to make changes to /etc/fstab and /etc/crypttab.
# Ensure that this unit comes after its backing device, | ||
# and is shut down if its backing device is shut down. | ||
After=dev-qubes_dom0-swap.device | ||
BindsTo=dev-qubes_dom0-swap.device |
Yes. And the upgrade tool (QubesOS/qubes-issues#9317). Sadly, Anaconda is quite complicated as storage goes, with logic split between anaconda itself and "blivet" package... But maybe it has encrypted swap support somewhere there already?