Sunday, December 31, 2006

Encrypted swap -> No hibernate

Hans asked whether it is meaningless to encrypt your disk if you just suspend or hibernate your laptop. When I answered, it did not cross my mind that hibernation will not work at all, but on reflection it is quite obvious. The swap is encrypted with a random key that is generated each time the computer boots. At hibernation the contents of memory are written to the swap partition, and after the next boot the computer no longer has the key that data was encrypted with. Therefore it is not possible to wake the computer up from hibernation: the key is gone. Suspend to RAM is unaffected, since memory stays powered and the key stays in it (which also means a suspended laptop carries its keys with it).
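As an added illustration that is not from the original post, this is what a random-key swap looks like in a Debian-style /etc/crypttab together with the matching /etc/fstab line. The device name /dev/sda5 and the mapper name cswap are assumptions; the options are the usual ones for this setup.

```text
# /etc/crypttab   (target  source  key-file  options)
# key-file is /dev/urandom: a fresh random key on every boot, never stored anywhere
cswap  /dev/sda5  /dev/urandom  swap,cipher=aes-cbc-essiv:sha256,size=256

# /etc/fstab: swap goes on the mapped device, never on /dev/sda5 directly
/dev/mapper/cswap  none  swap  sw  0  0
```

Because the key is read from /dev/urandom at every boot, nothing written to cswap survives a reboot in readable form. That is exactly why a hibernation image stored there cannot be read back: the kernel would need last boot's key, and it no longer exists.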

Okay, too bad. But if we skip encrypting the swap, what happens then? Is my computer safe? The thief, Bill, can either boot the computer from a live CD or remove the hard disk from the laptop and put it in another computer, so a password on the BIOS and on GRUB is not enough. Bill cannot read your home directory, since it is encrypted. If Bill is very interested in your information he can throw a lot of computing power at it; against a good cipher with a strong passphrase that is hopeless, so what he will really be attacking is a weak passphrase. Is your information that interesting? If yes, do not store it on a laptop or on a computer connected to the Internet.

If Bill is more skilled with computers, he knows that the swap might be interesting. Let us do an experiment on your own computer: can we find our own password in the data stored on the swap partition? As root, run:
grep yoursecretpassword /dev/yourswap
You can find the name of your swap partition in /etc/fstab or in /proc/swaps. If grep prints nothing, that only means the page holding the password has not been swapped out yet; it can happen at any time when memory gets tight.
When I did this on my computer I got:
Binary file /dev/myswap matches

This means that my password can be found by Bill. But how will Bill know which part of the data on the swap is the password? He does not need to know: he can extract every string on the swap that is at least six characters long:
strings -n 6 /dev/myswap
I got fewer than 2 000 000 candidate passwords on my computer. If I remove all duplicates (sort -u), I am down to 500 000. That list is a wordlist, and a wordlist of that size can be tried against the /etc/shadow file in no time. When /etc/shadow is cracked Bill has access to your home directory, since it is unlocked with the same password.
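Here, as an added example that is not part of the original post, the same swap-scraping procedure written out in Python, so it can be run against a constructed stand-in image instead of your live swap partition. It reproduces what the commands above do: the grep check for a known password, `strings -n 6` (every run of at least six printable bytes), and `sort -u` to fold duplicates. The sample image, the password yoursecretpassword and the device path /dev/sda5 in the usage line are all assumptions; the scanner reads in chunks so it also works on a real multi-gigabyte swap device.

```python
import io
import re

MIN_LEN = 6                                       # the -n 6 of the strings command above
_PRINTABLE_RUN = re.compile(rb"[\x20-\x7e\t]+")   # what strings(1) treats as printable


def iter_strings(stream, min_len=MIN_LEN, chunk_size=1 << 20):
    """Yield every run of >= min_len printable bytes, reading the stream in
    chunks so a whole swap partition never has to fit in memory. A run that
    touches the end of a chunk is carried into the next one, so it is never
    cut in two at a chunk boundary."""
    carry = b""
    while True:
        buf = stream.read(chunk_size)
        if not buf:
            break
        buf = carry + buf
        carry = b""
        for m in _PRINTABLE_RUN.finditer(buf):
            if m.end() == len(buf):               # may continue in the next chunk
                carry = m.group()
            elif len(m.group()) >= min_len:
                yield m.group()
    if len(carry) >= min_len:                     # run that ran up to end of file
        yield carry


def extract_strings(data, min_len=MIN_LEN, chunk_size=1 << 20):
    """`strings -n min_len` over an in-memory image; duplicates are kept."""
    return list(iter_strings(io.BytesIO(data), min_len, chunk_size))


def candidate_wordlist(data, min_len=MIN_LEN):
    """`strings -n 6 /dev/myswap | sort -u`: the same runs, deduplicated."""
    return sorted(set(extract_strings(data, min_len)))


def password_in_swap(data, password):
    """The grep check from the post: is the password there byte for byte?"""
    return password in data


def build_sample_swap(password=b"yoursecretpassword"):
    """Constructed stand-in for /dev/yourswap (not real swap data): unprintable
    filler with a few paged-out fragments in it, the password among them twice."""
    filler = b"\x00\x01\x02\xff" * 256            # 1 KiB that strings ignores
    return b"".join([
        filler,
        b"PATH=/usr/bin:/bin\x00",                 # a paged-out environment variable
        filler,
        password + b"\x00",                        # the secret, paged out once...
        b"ls -la /home/user\x00",                  # a shell history line
        filler,
        password + b"\x00",                        # ...and again in another page
        b"ab\x00",                                 # shorter than -n 6: never reported
        b"PATH=/usr/bin:/bin\x00",                 # duplicate that sort -u folds away
    ])


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                          # e.g. sudo python3 swapscan.py /dev/sda5 (assumed name)
        with open(sys.argv[1], "rb") as dev:
            raw = list(iter_strings(dev))
    else:                                          # no argument: scan the constructed sample
        raw = extract_strings(build_sample_swap())
    unique = sorted(set(raw))
    print(f"{len(raw)} candidates, {len(unique)} after removing duplicates")
```

Run without arguments it reports the sample's 5 candidate strings collapsing to 3 unique ones, which is the same effect the post describes on a real partition at a much larger scale. The chunked reader matters there: reading a whole swap device with a single read() would need as much RAM as the partition is large.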

I will not tell you how to crack the shadow file. If you do not know how, you probably should not. The important point here is to show how easy it is to find your password.

Back to Hans's question: is it meaningless to encrypt your home partition if you do not encrypt your swap? It all comes down to estimating risks and probabilities. What is the chance that your computer is stolen? Will the thief just sell it to buy drugs? Will the buyer take a closer look at the computer or just install MS Windows on it? How close a look will he take? Maybe he gives up when he finds out that home is encrypted, maybe not. How sensitive is the information?

The answers to all these questions are individual. But why not encrypt your home directory just for fun? It is so easy, and it would not hurt.

1 comment:

Hans Persson said...

I think the vast majority of stolen laptops get reinstalled with a bootleg copy of XP immediately (unless they happen to boot into XP already, which mine doesn't).

In my opinion, the gain of encrypting is not worth the loss of suspending.