Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Encrypt dom0 swap #79

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

Encrypt dom0 swap #79

wants to merge 1 commit into from

Conversation

DemiMarie
Copy link
Contributor

This encrypts dom0 swap with a randomly generated key, which helps
prevent its contents from being recovered later.

@DemiMarie
Copy link
Contributor Author

Marking as draft because it is specific to the LVM install choice.

@rustybird rustybird mentioned this pull request Jan 2, 2022
Open
marmarek
marmarek requested changes Nov 21, 2024
View reviewed changes
Copy link
Member

@marmarek marmarek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just found out I never clicked "submit review" here. Good thing that github kept the pending comment for a few years...

system-config/99-qubes-cryptsetup.conf Outdated Show resolved Hide resolved
@DemiMarie
Encrypt dom0 swap
3780cdc 
This encrypts dom0 swap with a randomly generated key, which helps
prevent its contents from being recovered later.
marmarek
marmarek requested changes Nov 21, 2024
View reviewed changes
system-config/[email protected]
# Ensure that this unit comes after its backing device,
# and is shut down if its backing device is shut down.
After=dev-qubes_dom0-swap.device
BindsTo=dev-qubes_dom0-swap.device
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Even in LVM setup, the VG name can be different, and LV name can be different too...
Previous version also had this issue, but now it's all over the place instead of just StartExec line.

Maybe it's possible to rely on generators (and maybe the default ones will be enough)? Like, setup backing device via /etc/crypttab, and then use /dev/mapper/swap as the actual swap (via /etc/fstab).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That’s absolutely fine, and it’s what I do on my local system. I have this line in /etc/crypttab:

swap /dev/qubes_dom0/swap /dev/urandom plain,swap,cipher=aes-xts-plain64

And this in /etc/fstab (modulo padding whitespace):

/dev/mapper/swap none swap defaults 0 0

The reason that this PR does not take that approach is that these files are generated by Anaconda, which I have never touched before. I can try, though.

DemiMarie
DemiMarie commented Nov 21, 2024
View reviewed changes
Copy link
Contributor Author

@DemiMarie DemiMarie left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is Anaconda the correct place to make this change? I’m really unsure how to make changes to /etc/fstab and /etc/crypttab.

system-config/[email protected]
# Ensure that this unit comes after its backing device,
# and is shut down if its backing device is shut down.
After=dev-qubes_dom0-swap.device
BindsTo=dev-qubes_dom0-swap.device
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That’s absolutely fine, and it’s what I do on my local system. I have this line in /etc/crypttab:

swap /dev/qubes_dom0/swap /dev/urandom plain,swap,cipher=aes-xts-plain64

And this in /etc/fstab (modulo padding whitespace):

/dev/mapper/swap none swap defaults 0 0

The reason that this PR does not take that approach is that these files are generated by Anaconda, which I have never touched before. I can try, though.

@marmarek
Copy link
Member

Is Anaconda the correct place to make this change? I’m really unsure how to make changes to /etc/fstab and /etc/crypttab.

Yes. And the upgrade tool (QubesOS/qubes-issues#9317). Sadly, Anaconda is quite complicated as storage goes, with logic split between anaconda itself and "blivet" package... But maybe it has encrypted swap support somewhere there already?
For convenience I just pushed my working branch for anaconda (upstream version + patches from our repo applied): https://github.com/marmarek/anaconda/tree/qubes-f41 (note - subject to force-pushes)
@fepitre do you have any hints? I think you touched storage in anaconda most recently...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@marmarek marmarek marmarek requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@DemiMarie @marmarek