Red Hat Bugzilla – Bug 496753
Encrypted swap requires a password
Last modified: 2009-06-09 10:20:18 EDT
Description of problem:
During the installation of a system with the Fedora 11 Beta I selected that swap should be encrypted. The installer prompted me with a password dialogue box, but did not give me the option to select random.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install Fedora
2. Select modify existing disk layout
3. Select encrypt this partition for the swap partition
The system forces you to supply a password or disable encryption on the partition.
A checkbox for random would be nice. If the installer checked that the partition in question was swap it could assume random password by default, and allow the user to uncheck it to supply a fixed password for the swap partition.
We don't really see this as a high priority, so it's unlikely to get any attention from us in the next release or two. If you have a patch to add this support, we would be happy to review it for possible inclusion.
I can't see how this provides anything really beneficial. Unless we're just storing the password on the disk, which is effectively as bad as not encrypting it, we're better off just using the same passphrase as encrypted root.
Umm, here is the crypttab entry I want for swap...
luks-swap /dev/mapper/nvidia_cebgegbdp3 /dev/urandom swap,cipher=aes-cbc-essiv:sha256
I want swap to have a randomly generated password each and every time I use it. It would be very nice to be able to set this up in Anaconda.
I would also like this for /tmp, though I've actually just gone to using tmpfs for /tmp since I would also like a special filesystem for /tmp in which the concept of syncing to disk is completely ignored since for /tmp it's not relevant.
I don't like the 'CLOSED DEFERRED' designation since I want to see when it _is_ implemented and that requires I hunt through the bug list periodically looking for the new bug for it so I can track.
(In reply to comment #2)
> I can't see how this provides anything really beneficial. Unless we're just
> storing the password on the disk, which is effectively as bad as not encrypting
> it, we're better off just using the same passphrase as encrypted root.
The idea is to use a random key with swap each and every time you boot, which has the effect of wiping the swap partition on reboot.
> The idea is to use a random key with swap each and every time you boot, which
> has the effect of wiping the swap partition on reboot.
This plan breaks hibernation completely, so it really isn't something we should be doing.
(In reply to comment #5)
> This plan breaks hibernation completely, so it really isn't something we should
> be doing.
So, because some people want hibernation, you are going to leave a feature I find indispensable for the security such that I have to hand edit configuration files and do a bunch of fiddling after I boot my newly installed system. What if I want this as a corporate policy when installing onto new machines?
And with that reasoning, I really hope someone doesn't decide to randomly edit /etc/rc.sysinit so that crypttab entry will no longer work because it breaks hibernation.
Shouldn't I be the one to choose where to make the security vs. convenience tradeoff?
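The trade-off argued in this thread (a swap key drawn from /dev/urandom on every boot versus a working hibernation image) can be checked on an installed system. The following is an added example, not code from the bug report or from Anaconda: it parses crypttab text, finds swap mappings keyed from a random source, and flags any that a kernel `resume=` argument points at. The function names, the second crypttab line and the kernel command line are constructed for illustration.

```python
# Added example: audit crypttab swap entries for per-boot random keys.
RANDOM_KEY_SOURCES = {"/dev/urandom", "/dev/random"}

def parse_crypttab(text):
    """Return (name, device, keyfile, options) for each crypttab entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: name and device are mandatory
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = fields[3].split(",") if len(fields) > 3 else []
        entries.append((fields[0], fields[1], keyfile, options))
    return entries

def audit_swap(crypttab_text, kernel_cmdline):
    """Report, per swap mapping, whether it is re-keyed each boot and
    whether a resume= argument points at it (hibernation would fail)."""
    resume = [a.split("=", 1)[1] for a in kernel_cmdline.split()
              if a.startswith("resume=")]
    findings = []
    for name, device, keyfile, options in parse_crypttab(crypttab_text):
        if "swap" not in options:
            continue
        random_key = keyfile in RANDOM_KEY_SOURCES
        targets = {device, "/dev/mapper/" + name}
        findings.append({
            "name": name,
            "random_key": random_key,
            "resume_conflict": random_key and any(r in targets for r in resume),
        })
    return findings

# First line is the crypttab entry quoted in the thread; the second line and
# the kernel command line are constructed sample data.
SAMPLE_CRYPTTAB = """\
luks-swap /dev/mapper/nvidia_cebgegbdp3 /dev/urandom swap,cipher=aes-cbc-essiv:sha256
luks-swap2 /dev/sdb2 none swap
"""
SAMPLE_CMDLINE = "ro root=/dev/mapper/vg-root resume=/dev/mapper/luks-swap rhgb quiet"

if __name__ == "__main__":
    for finding in audit_swap(SAMPLE_CRYPTTAB, SAMPLE_CMDLINE):
        print(finding)
```

On a real machine the two inputs would be the contents of /etc/crypttab and /proc/cmdline.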