Discussion:
SWAP should always be inside crypto softRAID, right? (For OS crash dump data to be encrypted.)
Tinker
2018-02-08 18:49:40 UTC
Hi misc@,

I looked through previous discussions on whether a SWAP partition
should be inside or outside the RAID partition when making a crypto
softraid.

The only argument I stumbled into was that it should be outside because
swap is encrypted anyhow and it would be unnecessary to double-encrypt
the swap.


That seems like a weak argument to me, because swap is generally used
rarely and so speed does not really matter anyhow, and the swap
partition is also always used as the dump partition, and dumps are *not*
encrypted.

For the case that a dump would happen, you want the OS to encrypt it
and the way to do that is to put the SWAP *inside* the RAID.


Maybe a crash-dump can be induced somehow. Maybe someone would get hold
of the HDD while the dump data is still on the swap partition because
the OS has not booted again, which would otherwise normally migrate
that dump data over to the filesystem.

This is an extreme consideration, though as a comprehensive motivation
for a choice it appears to me to make all sense.


Thoughts, comments?

I would probably interpret no comments as meaning that the SWAP should indeed
be located inside the RAID for said reason.

Thanks,
Tinker
trondd
2018-02-08 19:30:55 UTC
Assuming you are doing full disk encryption otherwise, put swap inside the
softraid disk. The kernel is hardcoded to look on the boot disk to save
dumps. If swap is on sd0 but you decrypt a partition as sd1 and boot
from that, swap is no longer on the same disk.

Unless you override with config(8)

Tim.
Tom Smyth
2018-02-08 19:39:39 UTC
Afaik swap is encrypted anyway on OpenBSD

Kevin Chadwick
2018-02-08 22:49:20 UTC
On Thu, 8 Feb 2018 19:39:39 +0000
Post by Tom Smyth
Afaik swap is encrypted anyway on OpenBSD
It is with a random key which is actually more secure than the softraid
key.

However, to the OP's question relating to dumps.

I believe the answer is that dumps are helpful and OpenBSD is a
developer system primarily but you should disable them with sysctl for
production or if you have concerns.
Tom Smyth
2018-02-08 22:55:29 UTC
Thanks Kevin, I missed the dump part... agree with disable dump on prod,
enable on dev.
Marcus MERIGHI
2018-02-09 10:07:24 UTC
Hello Tinker,

there's a 2016-11 thread that's related:
"swap on encrypted softraid, performance penalty"

stsp@
https://marc.info/?l=openbsd-misc&m=143184355522545
tedu@
https://marc.info/?l=openbsd-misc&m=143206067713324

Marcus
Tinker
2018-02-22 05:04:35 UTC
Hi,

Thanks for your comments.

(Marcus, you meant only this 2015-05 thread right?
https://marc.info/?t=143181498300001 )


I think I like to keep dumps enabled also on a production machine. Even
if it's incredibly rare, it is possible for a production machine to
crash, and the dump could be instructive.

(For a production machine with dumps disabled, indeed the default swap
crypto is sufficient, and indeed using swap in softraid is
cryptographically redundant.)

I realize the thread subject is not optimal ("SWAP should always be
inside crypto softRAID, right? (For OS crash dump data to be
encrypted.)").

Here is the updated subject and query:


"If I want to have crash dumps enabled, while enjoying the crypto
softraid's physical data theft protection for all data, THEN my SWAP
partition(s) should be inside the softraid, right?".


Thoughts, criticism?

Thanks,
Tinker
Marcus MERIGHI
2018-03-11 10:07:37 UTC
Post by Tinker
(Marcus, you meant only this 2015-05 thread right?
https://marc.info/?t=143181498300001 )
yes, I messed the links up! Thanks for the correction.
Post by Tinker
I think I like to keep dumps enabled also on a production machine. Even
if it's incredibly rare, it is possible for a production machine to
crash, and the dump could be instructive.
(For a production machine with dumps disabled, indeed the default swap
crypto is sufficient, and indeed using swap in softraid is
cryptographically redundant.)
I realize the thread subject is not optimal ("SWAP should always be
inside crypto softRAID, right? (For OS crash dump data to be
encrypted.)".
"If I want to have crash dumps enabled, while enjoying the crypto
softraid's physical data theft protection for all data, THEN my SWAP
partition(s) should be inside the softraid, right?".
From the thread you cited above...
https://marc.info/?l=openbsd-misc&m=143185991125110&w=2
stsp@:
Keeping swap on the same disk as the root filesystem has some
advantages. For historical reasons the system expects this in various
places. More things (such as hibernate) will work out of the box this
way.

So if you have Full Disk Encryption (FDE) then your swap device should
be inside the encrypted disk, yes.

And, keep swap encryption *on*, although it's on a softraid(4) encrypted
device, according to tedu@:
https://marc.info/?l=openbsd-misc&m=143206067713324&w=2
[...] to the contrary, uvm swap encrypt does a better job of expiring
keys and making old data unrecoverable.

Yet another point: consider abandoning suspend/hibernation with FDE!

Marcus
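An added example (not from the thread, and not OpenBSD's own tooling) that ties together trondd's point that the kernel saves dumps to the swap area on the boot disk and stsp's advice to keep swap on the same disk as root: a POSIX sh check that parses `swapctl -l` and `mount` output and reports any swap device sitting on a different disk than the root filesystem. The swapctl lines are constructed sample data; the live check at the end only runs where `swapctl` exists.

```shell
#!/bin/sh
# Added example, not from the thread: verify that every swap device is on the
# same disk as the root filesystem, so that crash dumps (which the kernel
# writes to the swap area on the boot disk) land inside the softraid crypto
# volume rather than on the bare physical disk.
# The swapctl output below is constructed for offline use; on a live OpenBSD
# box the same check runs against the real `mount` and `swapctl -l` output.

# Strip the path and the trailing partition letter: /dev/sd1b -> sd1
disk_of() {
    printf '%s\n' "${1##*/}" | sed 's/[a-p]$//'
}

# $1: root device as printed by mount(8), e.g. /dev/sd1a
# $2: full output of `swapctl -l` (header line, then one line per device)
# Prints the swap devices that are NOT on the root disk and returns 1 if
# there are any; returns 0 (and prints nothing) when all swap is on root.
swap_off_root_disk() {
    root_disk=$(disk_of "$1")
    bad=""
    for dev in $(printf '%s\n' "$2" | awk 'NR > 1 && $1 ~ /^\/dev\// { print $1 }'); do
        [ "$(disk_of "$dev")" = "$root_disk" ] || bad="$bad $dev"
    done
    [ -n "$bad" ] && printf '%s\n' "${bad# }"
    [ -z "$bad" ]
}

# Constructed sample: root on the decrypted softraid volume sd1, but one swap
# device still on the physical disk sd0, i.e. outside the crypto volume.
SAMPLE_SWAPCTL='Device      512-blocks     Used    Avail Capacity  Priority
/dev/sd0b      2097152        0  2097152     0%    0
/dev/sd1b      4194304        0  4194304     0%    0'

if swap_off_root_disk /dev/sd1a "$SAMPLE_SWAPCTL" >/dev/null; then
    echo "sample: all swap is on the root disk"
else
    echo "sample: swap outside the root disk: $(swap_off_root_disk /dev/sd1a "$SAMPLE_SWAPCTL")"
fi

# Live check on an OpenBSD host (skipped where swapctl is absent).
if command -v swapctl >/dev/null 2>&1; then
    swap_off_root_disk "$(mount | awk '$3 == "/" { print $1 }')" "$(swapctl -l)"
fi
```

A non-empty result means a dump written on panic would bypass the softraid crypto volume, which is exactly the case the thread warns about.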