Sunday, December 31, 2006

Encrypted swap -> No hibernate

Hans asked whether it is meaningless to use encryption if you just suspend/hibernate your laptop. When I answered, it did not cross my mind that hibernation will not work, but if you think about it, it is quite obvious. The swap is encrypted with a random key, which is generated each time the computer boots. At hibernation the memory contents are stored on the swap partition, and the computer will not remember which key they were encrypted with. Therefore it is not possible to wake your computer up from hibernation, since you do not have the key.

Okay, too bad. But if we skip encrypting the swap, what will happen then? Is my computer safe? The thief, Bill, can either boot the computer from a live CD or remove the hard disk from the laptop and put it in another computer. So a password on BIOS and GRUB is not enough. Bill cannot access your home directory since it is encrypted. If Bill is very interested in your information he can probably break the encryption with some super-computers. Is your information that interesting? If yes, do not store it on a laptop or a computer connected to the Internet.

If Bill is more skilled in computers, he knows that the swap might be interesting. Let us do an experiment on your own computer. Can we find our own password in the data stored on the swap partition? As root, run:
grep yoursecretpassword /dev/yourswap
You can find the name of your swap partition in /etc/fstab.
When I did this on my computer I got:
Binary file /dev/myswap matches

This means that my password can be found by Bill. But how will Bill know which part of the data on the swap is a useful password? He can extract all strings from the swap that are at least six characters long:
strings -n 6 /dev/myswap
I got less than 2 000 000 possible passwords on my computer. If I remove all duplicates, I am down to 500 000. This output can then be used to crack the /etc/shadow-file in no time. When /etc/shadow is cracked Bill has access to your home directory.

I will not tell you how to crack the shadow-file. If you do not know, you probably should not know it either. The important thing here is to show how easy it is to find your password.

Back to the question from Hans: is it meaningless to encrypt your home partition if you do not encrypt your swap? It is all about estimating risks and probabilities. What is the chance that your computer is stolen? Will the thief just sell it to buy drugs? Will the buyer take a closer look at the computer or just install MS Windows on it? How close a look will he take? Maybe he gives up when he finds out that home is encrypted, maybe not. How sensitive is the information?
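To see which of the situations discussed above a machine is in, here is an added example (not part of the original post): a shell function that reads /proc/swaps and /etc/crypttab and labels each active swap area. It assumes encrypted swap is configured through crypttab and shows up as /dev/mapper/<name>; the sample files written by demo are constructed.

```shell
#!/bin/sh
# Added example: classify every active swap area by how it is keyed.
#   PLAINTEXT   not listed in crypttab: memory pages reach the disk unencrypted
#   RANDOM-KEY  key file is /dev/urandom or /dev/random: new key every boot,
#               so a hibernation image cannot be read back after power-off
#   FIXED-KEY   encrypted with a key that survives a reboot
# Assumption: encrypted swap appears in /proc/swaps as /dev/mapper/<name>,
# where <name> is the first column of crypttab.

classify_swaps() {   # usage: classify_swaps SWAPS_FILE CRYPTTAB_FILE
    awk -v tab="$2" '
        BEGIN {
            # Load crypttab with getline so an empty or missing file is harmless.
            while ((getline line < tab) > 0) {
                if (line ~ /^[ \t]*(#|$)/) continue      # comment or blank
                split(line, f)                           # name device key options
                key["/dev/mapper/" f[1]] = f[3]
            }
        }
        FNR == 1 || NF == 0 { next }                     # header or empty line
        {
            if (!($1 in key))                        state = "PLAINTEXT"
            else if (key[$1] ~ /^\/dev\/u?random$/)  state = "RANDOM-KEY"
            else                                     state = "FIXED-KEY"
            print $1, state
        }
    ' "$1"
}

demo() {   # constructed sample files, not taken from a real machine
    d=$(mktemp -d)
    cat > "$d/crypttab" <<'EOF'
# <name>    <device>   <key file>    <options>
cryptswap   /dev/sda5  /dev/urandom  swap
EOF
    cat > "$d/swaps" <<'EOF'
Filename                 Type       Size     Used  Priority
/dev/mapper/cryptswap    partition  1048572  0     -1
/dev/sda7                partition  524284   120   -2
EOF
    classify_swaps "$d/swaps" "$d/crypttab"
    rm -rf "$d"
}

demo
```

On a real system, run classify_swaps /proc/swaps /etc/crypttab; any line marked PLAINTEXT is a swap area where the grep experiment above can succeed.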

The answers to all the questions are individual. But why not encrypt your home directory just for fun? It is so easy. It would not hurt.

Saturday, December 30, 2006

I am blogging about Ubuntu

Carthik wrote a blog note before Christmas searching for other people blogging about Ubuntu. Since I was just about to start this blog I read the results with extra interest. Now that I have written a few things about Ubuntu I think it is time to pingback. I hope my English is not too bad.

Securing your laptop

I assume that you store things on your laptop that you do not want other people to read. In particular, you may store important accounting information about your bank etc. in cache files or config files. A laptop is also more likely to be stolen than a normal desktop machine. Therefore you may want to encrypt your home directory and swap partition. Ideally you encrypt everything except /boot.

There is a good how-to in the Ubuntu wiki. It explains how to do things from a broad perspective. I followed those instructions and complemented them with the use of pam_mount. The pam_mount module automatically mounts your encrypted home directory when you log in and uses your password as the encryption key.

Encrypting the swap is straightforward from the wiki, therefore I will not write more about it here.

To encrypt your home directory you have to do some extra things that may not be too easy to read from the wiki. I will try to point out things I think might need to be clarified.
I use LVM to handle my hard disk, so I created a logical volume (partition) for my user called magru:
sudo lvcreate -L 20G -n magru /dev/Ubuntu/
Change the value of -L to the size you want your home directory to be; I wanted 20 gigabytes. The device node for my logical volume is /dev/mapper/Ubuntu-magru.

Run cryptsetup on this device node:
sudo cryptsetup -y create magru-crypt /dev/mapper/Ubuntu-magru
The command will ask you for a password; use the same password as for login, otherwise pam_mount will not work. cryptsetup gives you a new device called /dev/mapper/magru-crypt.

Create a file system on your encrypted device. The how-to uses reiserfs, but I prefer ext3:
sudo mkfs.ext3 /dev/mapper/magru-crypt
sudo tune2fs -c 0 -i 0 /dev/mapper/magru-crypt
I use tune2fs to configure my file system so that no periodic file system checks are done. Checks on the file system are not necessary on ext3 since you have a journal.

Mount your encrypted filesystem under /mnt:
sudo mount /dev/mapper/magru-crypt /mnt

Copy everything in your home directory including hidden dot-files to /mnt. Then unmount /mnt.

Now we want our home directory to be automagically mounted when we log in. First you have to install libpam-mount from universe using Synaptic.
Then add a line in /etc/security/pam_mount.conf below the comments about "Linux encrypted home directory examples, using dm_crypt" that looks like this:
volume magru crypt - /dev/mapper/Ubuntu-magru /home/magru nodev,nosuid - -

Change magru to your own user name. Note that the path to the device shall be to the raw encrypted device, and not to the device you used above to mount under /mnt.

Remove all the files in your home directory under /home. Note that it is VERY good to have a backup, if something goes wrong. Verify that you are the owner of your home directory, GDM will otherwise complain.

Replace the word optional on the last two lines in your /etc/common-pammount with required. At the end of the two files /etc/pam.d/gdm and /etc/pam.d/login, add the line:
@include common-pammount

If you have an ssh-server installed, add the same line last in /etc/pam.d/ssh.

Some final notes

  • A drawback with pam_mount is that your home directory is not unmounted when you log out.
  • You are still vulnerable when you are logged in, or if someone succeeds in getting your password.
  • Some important information may be stored in /etc or in /var, and these are not encrypted. For instance ESSID and WEP-keys for wireless connection are stored in /etc, and if you accidentally enter your password instead of your user name the password will be stored in /var/log/auth.log.
  • If you think someone has got access to your password, change it.
  • Always handle your security updates properly.

Friday, December 29, 2006

New BIOS

Today, I upgraded the BIOS in my laptop (MSI S271). I took a FreeDOS image from the net and ran dd to put it on a USB memory stick. I copied the unzipped BIOS files from MSI to the stick, booted the laptop from the memory stick and ran the BIOS update program.
It is important to take the BIOS for the right type of hard disk and to have the computer connected to mains power. (Do not run on the battery!)
Unfortunately, the problem with PXE-boot was not solved.

All hardware components I have tested so far have worked without any configuration: wireless, sound, screen, touchpad, ethernet. The one exception is that the screen resolution was not correctly detected during the installation of Ubuntu Edgy. I have not tested firewire, bluetooth and the SD/MMC/MS-card reader yet.

I have identified some activities that I have to do, to get things working like I want:

  • encrypted home directory
  • encrypted swap
  • smoother switching between wireless and ethernet
  • synchronization of the home directory and some other directories

Thursday, December 28, 2006

New computer

I finally got my new notebook; it's an MSI S271 with a 100GB disk and 1GB RAM. The best of all is that I did not have to pay for Windows. So I saved 1200 Swedish crowns (about $170).
I have started right away installing Ubuntu Edgy. I am doing the installation by PXE-booting the machine and downloading the files from the net. I had some struggles in the beginning getting it to boot using PXE, but I hope that will be solved with a BIOS update. One interesting thing during installation is that the wireless network was found before the classical ethernet.

Wednesday, December 27, 2006

Music tagging in Python

During Christmas, I took a closer look at metadata tagging in music files using Python. There are modules to tag mp3, flac and ogg vorbis files, but each file format has its own module and each module has its own API. That's bad! Then I found a Python module called mutagen. Mutagen handles tagging for all the file formats above and some others too. That's nice! If you are happy to only use some of the tags that are possible in MP3 files, you will have the same API for the three file formats. If you want to use all the tags in MP3, we are at least down to two instead of three different APIs.

Unfortunately I noticed that mutagen converts all tag names in ogg files to lower case. The recommendation from the xiph people who defined the ogg-vorbis standard is that tag names should be in upper case. I have mailed the mailing list for mutagen and hope that they will change the behavior according to the recommendations.

Sunday, December 24, 2006

What is this?

I have been using Linux since before 1.0 of the kernel. I have been using it at home, school and work. Actually, Linux is my main task at work today. I am responsible for the Linux servers at the Swedish weather service, SMHI. At work we are mostly running Red Hat Enterprise Linux. But at home I have been running Ubuntu since an early release candidate of Warty. Before that I have been running Red Hat/Fedora, Slackware, Yggdrasil, Debian, Gentoo and Suse.

Both my wife and I are running Linux on our desktops. I have an extra lab machine that I can easily switch between different versions thanks to network boot. The server is also running Ubuntu with an addition of Xen. So the server is hosting four other servers:

  • One for internal file, printing, web etc.
  • One authentication and authorization server running MIT Kerberos and OpenLdap.
  • One DMZ server accessible from internet with web and mail.
  • Finally a lab server that I am using to develop a music jukebox together with some friends.

Okay, so why am I writing this, and why in English? I have had a blog in Swedish for half a year where I mostly write about my house and things related to that. But I feel that I want to practice my English writing skills more and that it would be nice to write more about Linux and mainly Ubuntu, so here we are.