
Years ago, it was my understanding that when installing Debian (or any Debian derivative such as Ubuntu) with FDE, swap was not encrypted despite using "full disk encryption", and that this presented a potential security risk due to sensitive information such as encryption keys potentially being stored outside of the LUKS container.

On my current Debian 13 install (for which I selected FDE during installation but did not do any other configuration regarding encryption), lsblk seems to show my swap space as being in the same LUKS container as root, but maybe I am interpreting it wrong.

nvme0n1                     259:0    0 238.5G  0 disk  
├─nvme0n1p1                 259:1    0   976M  0 part  /boot/efi
├─nvme0n1p2                 259:2    0   977M  0 part  /boot
└─nvme0n1p3                 259:3    0 236.6G  0 part  
  └─nvme0n1p3_crypt         253:0    0 236.6G  0 crypt 
    ├─debian--vg-root       253:1    0 230.8G  0 lvm   /
    └─debian--vg-swap_1     253:2    0   5.7G  0 lvm   [SWAP]

I did some web searches and could not find anything definitive. ChatGPT told me that in older releases from years ago, installing with FDE did not encrypt swap by default, but in recent years, installing with FDE does encrypt swap by default, so the security risk no longer exists with modern releases. However, I don't know how reliable ChatGPT is, and the "sources" it gave me said nothing about this.

Can anyone confirm or deny what ChatGPT told me (preferably with sources), and/or provide any other information? Is there any risk of swap storing anything in plaintext, such that if my computer was stolen while powered off, an attacker would be able to retrieve a passphrase or key?

  • cryptsetup-team.pages.debian.net/cryptsetup/README.Debian.html; try emailing the maintainer to confirm. Commented yesterday
  • 2
    this site is not for validating ChatGPT answers Commented yesterday
  • 3
    he's not asking simply to validate a chatgpt answer, he's asking about encrypted swap and trying to make sense of supposed answers that are out there which he's not cool with. He's actually trying to follow the science. Commented yesterday
  • 1
    sounds like there's more interest in punishing the OP than reading and understanding his whole question. Commented yesterday
  • 2
    given the nature of things today it's good he explicitly said I'm working off this information from chatgpt is this true. In which case if he said I got this information from linux.die.net should we be saying this site is not for validating web pages? Commented yesterday

3 Answers

5

The Debian installation manual documents this, albeit indirectly. See the section on partitioning, in particular the section on guided partitioning. It says

When using LVM or encrypted LVM, the installer will create most partitions inside one big partition; the advantage of this method is that partitions inside this big partition can be resized relatively easily later. In the case of encrypted LVM the big partition will not be readable without knowing a special key phrase, thus providing extra security of your (personal) data.

and further down,

The other partitions, including the swap partition, will be created inside the LVM partition.

Your lsblk output confirms that you’re using LVM and that your swap partition is inside the encrypted LVM partition.

I don’t know how far back your “years ago” goes, but as far as I’m aware the above has always been true when using encrypted LVM.

  • 3
    Would encrypting swap not mean "no hibernation"? Which could explain why swap was left out of it on some systems? Commented yesterday
  • 1
    It would, on systems with a locked down kernel (booting with Secure Boot). Support for encrypted swap on LVM was added in 2006 and released with Debian 4.0, so that wasn’t a concern then; I’m not aware of any specific handling for hibernation in the Debian installer since, so I don’t think it’s ever been a factor during Debian installation at least. The Ubuntu installer (or in other derivatives with their own installer) might act differently, I don’t know. Commented yesterday
2

In the lsblk output you show, partition 3 of NVMe namespace 0 is encrypted. On top of that partition is LVM, which splits the device into a further root device and a swap device. So yes, the swap is encrypted and an attacker would need access to your drive and the ability to break the password to obtain any information stored in it, just as they would for your root drive.

However, because the swap is encrypted with the same key that your root device is encrypted with, an attacker who is able to obtain the drive and key may be able to obtain data that you never would have expected would be stored on disk, such as private browsing data. Unless you use hibernation, you can improve security further by encrypting the swap device with a temporary, ephemeral key. To do this, you will want to remove the swap line from /etc/fstab and replace it with the following:

/dev/mapper/swap swap swap defaults 0 0

Then append the following to /etc/crypttab:

swap /dev/mapper/debian--vg-swap_1 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256,sector-size=4096

After a reboot, your system will be using an additional temporary, ephemeral key and even an attacker who obtains your encryption password will not be able to access your swap as plaintext, since the ephemeral key will have been lost as soon as the system shuts down. Because swap does not need to persist between boots (again, assuming you are not using hibernation, as it does put data in swap that must persist), it is completely acceptable for the key to be temporary.
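As an added example (my own code, not from this answer, the first answer, or the Debian project), a small Python audit that covers both points made above: it walks `lsblk -J` output to decide whether each [SWAP] device sits below a dm-crypt node, and it classifies /etc/crypttab swap entries as ephemeral-key (random key each boot) or persistent-key. The lsblk JSON and crypttab contents below are constructed to match the question's layout and this answer's crypttab line; the UUID is a placeholder.

```python
import json

# Constructed lsblk -J output mirroring the layout in the question (not captured from a real host).
SAMPLE_LSBLK_JSON = """{"blockdevices": [
 {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
  {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
  {"name": "nvme0n1p2", "type": "part", "mountpoint": "/boot"},
  {"name": "nvme0n1p3", "type": "part", "mountpoint": null, "children": [
   {"name": "nvme0n1p3_crypt", "type": "crypt", "mountpoint": null, "children": [
    {"name": "debian--vg-root", "type": "lvm", "mountpoint": "/"},
    {"name": "debian--vg-swap_1", "type": "lvm", "mountpoint": "[SWAP]"}]}]}]}]}"""

# Constructed /etc/crypttab using the ephemeral-key swap line from the answer; the UUID is a placeholder.
SAMPLE_CRYPTTAB = """# <target name> <source device> <key file> <options>
nvme0n1p3_crypt UUID=PLACEHOLDER-UUID none luks,discard
swap /dev/mapper/debian--vg-swap_1 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256,sector-size=4096
"""

def swap_encryption_status(lsblk_json):
    """Map each [SWAP] device to True when a dm-crypt node sits above it in the lsblk tree."""
    status = {}
    def walk(node, under_crypt):
        under_crypt = under_crypt or node.get("type") == "crypt"
        # Older lsblk emits "mountpoint"; newer versions emit a "mountpoints" list.
        mountpoint = node.get("mountpoint") or (node.get("mountpoints") or [None])[0]
        if mountpoint == "[SWAP]":
            status[node["name"]] = under_crypt
        for child in node.get("children", []):
            walk(child, under_crypt)
    for device in json.loads(lsblk_json)["blockdevices"]:
        walk(device, False)
    return status

def classify_crypttab_swap(crypttab_text):
    """Map each crypttab entry with the 'swap' option to 'ephemeral' (random key per boot,
    so nothing in swap survives a shutdown) or 'persistent' (fixed key file or passphrase)."""
    classes = {}
    for line in crypttab_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then whitespace-separated fields
        if len(fields) < 4:
            continue
        name, _source, keyfile, options = fields[:4]
        if "swap" not in options.split(","):
            continue
        classes[name] = "ephemeral" if keyfile in ("/dev/urandom", "/dev/random") else "persistent"
    return classes
```

On a live system, feed it `lsblk -J` and the contents of /etc/crypttab; a swap device reported as False, or a swap entry reported as persistent while hibernation is not in use, is the condition this answer's configuration removes.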

0

However, I don't know how reliable ChatGPT is

Sarah Connor smiles.

Is there any risk of swap storing anything in plaintext, such that if my computer was stolen while powered off, an attacker would be able to retrieve a passphrase or key?

Yes.

In "industry" and from guidelines such as https://www.cyber.mil/stigs/ there is a fundamental thing to protect data at rest. You can look up that phrase; it basically means any data stored on disk when powered off that an attacker could exploit if they got the disk out of your computer to work on at a later date.

You can do full disk encr. (FDE) using enterprise-class self-encrypting disks (SEDs), for which everything partitioned on it would be encrypted and be covered. But your Ubuntu (correction: Debian) apparently is using the word FDE loosely at install time to sell you on the idea of security, which is bad, because it's not "full disk". You can't LUKS software-encrypt /boot and /boot/efi, for example, because then it's a chicken & egg problem and you can't boot; but it is acceptable per STIGs to not encrypt these 2 partitions because unless you go out of your way they would not have data at rest in them that is worth exploiting.

Disk SWAP, which is disk storage used as reserve memory to hold [inactive?] kernel pages and also to act as a buffer when RAM gets full, can contain sensitive data, which is why it does and should fall under the data-at-rest thing for data security in the overall sense. And it is said... or believed... that swap data could contain passwords and encryption keys that could be exploited, which would inherently be in a plain-text format, which simply means it can be gotten and readily exploited.

  • So yes you would want to encrypt the disk SWAP partition for security
  • in industry if disk SWAP is used and not encrypted, it is a finding and you get punished
  • easily rectified by using real FDE such as a SED vs a cheated method where the OS sells you on automatic FDE at install time but you have to go out of your way to say encrypt the disk SWAP partition when it does not by default
  • more easily rectified by not making a disk SWAP partition in the first place. You don't need it; if you think you do then you simply need more RAM and are living in denial. I do older systems with RHEL-8 that don't support SEDs, so I do LUKS2 at install time, but since I have not done a disk SWAP partition in like 15 years I can't honestly tell you if RHEL supports choosing "encrypt partition" specifically for SWAP, but pretty sure it does {per chatgpt}.
  • how likely is disk SWAP to contain such data like passwords and keys if you never come close to running out of RAM, where everything gets swapped in and out of disk... would be the real question. But for running commercial software for which data in general is sensitive, then yes, that is likely to be in disk SWAP that could be exploited if accessed. The kernel does not AES-256 encrypt data that it writes to disk swap, so it can be worked with if dd dumped and sifted through.
    • swap_digger.sh script (available on GitHub)
  • 3
    Just curious — why do you write “swap” in all caps? Commented 23 hours ago
  • 3
    (1) It is not just believed that passwords or other sensitive data can be present in swap, it has been demonstrated that this occurs. (2) Many non-commercial software packages also process sensitive data. (3) A possible solution that is not mentioned is to create a swap file on an encrypted partition. (4) All systems have a limit to how much RAM can be installed - if the use case occasionally needs more than can be physically installed then they're not living in denial but working with a realistic solution. (5) Idle sensitive processes may be paged out even when memory is still available. Commented 22 hours ago
  • 1
    If the OP has reasonable concerns about others accessing his computer, FDE with a consumer-grade disk is possible by placing /boot and /boot/efi on an USB key. Just make sure you have two identical keys and don't lose both of them. Commented 22 hours ago
  • 3
    A couple of things: (1) Modern Linux installs with FDE do encrypt swap. (2) Encrypted /boot is also possible, with GRUB decrypting the first part. (3) You call hardware FDE "real" and software FDE "cheated". But hardware manufacturers have a long track record of disastrous security faults in their implementation. Your confidence in hardware FDE over software FDE seems misplaced. (4) You need swap to do hibernation, that's not "denial". (5) OP is not using Ubuntu. Commented 20 hours ago
  • 1
    I don't know why I wrote swap in all caps; to stand out as being the partition type, maybe. Commented 19 hours ago
