2008-11-09

Encrypting your /tmp partition

In my last post I explained how to encrypt the SWAP partition. Today I'm going to show how to encrypt the /tmp partition. First of all it is necessary to install the cryptsetup tool.

apt-get install cryptsetup

Let us assume that /dev/sda7 should become our encrypted /tmp partition. We start by filling the whole partition with random data, which protects against some kinds of cryptanalytic attacks.

dd if=/dev/urandom of=/dev/sda7

Depending on the size of your /tmp partition you should go and drink one or more coffees. This step will take some time.

Next we set up the encrypted device using cryptsetup:

cryptsetup --key-file /dev/urandom --key-size 128 create ctmp /dev/sda7

Finally we modify /etc/crypttab and /etc/fstab:

/etc/crypttab:
ctmp /dev/sda7 /dev/urandom tmp,cipher=aes-cbc-essiv:sha256,size=128,hash=ripemd160

/etc/fstab:
/dev/mapper/ctmp /tmp ext2 nodev,nosuid 0 2

Now restart your computer and your /tmp partition should be encrypted.

2008-11-05

Encrypting your SWAP partition

Today I started playing with file system encryption. Almost everyone is aware of the necessity of encrypting their data partitions. But there are some simple side-channel attacks that bypass this security feature.

Many applications write temporary data into the /tmp directory. So there is a high chance that an attacker can find secret information simply by looking into /tmp. Another possibility is grepping the swap partition for secret information (for example from a Linux live CD; otherwise the data would be overwritten during the boot sequence).

I will show how simple it is to fend off such a side-channel attack on the swap partition. Maybe I will write a post about encryption of data and /tmp partitions in the future, but at the moment my solution isn't as perfect as it should be and it still needs to be optimized.

Now, let's start encrypting the swap partition. We assume that your swap partition is /dev/sda3. Adjust this to your system's configuration, otherwise you may lose data.

First, install the necessary Debian package:

apt-get install cryptsetup

Next edit the file /etc/crypttab:

cryptoswap /dev/sda3 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=128,hash=ripemd160

Now remove the old entry for the swap partition from /etc/fstab and insert the following:

/dev/mapper/cryptoswap none swap sw 0 0

That's all. Now reboot your system and in the future your swap partition should be encrypted.
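Both procedures (the encrypted /tmp above and the encrypted swap here) rely on hand-edited lines in /etc/crypttab and /etc/fstab, and a typo in an option name or a leftover entry for the raw device only shows up at the next boot. The script below is an added example, not code from either post: it checks a crypttab line for unknown option names and for a random key on a volume that is not re-created at every boot, and checks that fstab refers to the mapped device rather than the raw one. It assumes Debian's crypttab layout (name, device, key file, options) and the option names listed in KNOWN_OPTS; the sample lines are constructed for the demo.

```shell
#!/bin/sh
# Added example: sanity-check crypttab/fstab entries for random-key swap and /tmp
# volumes before rebooting. Assumes Debian's crypttab format; KNOWN_OPTS is a
# subset of the option names documented in crypttab(5).

KNOWN_OPTS="swap tmp cipher size hash offset skip luks check checkargs"

# Validate one crypttab line. Prints every problem found; returns 1 if any.
check_crypttab_line() {
    set -- $1
    if [ $# -ne 4 ]; then
        echo "crypttab: expected 4 fields, got $#"
        return 1
    fi
    name=$1 dev=$2 key=$3 opts=$4
    rc=0
    volatile=no
    old_ifs=$IFS
    IFS=,
    set -- $opts          # split the comma-separated option list
    IFS=$old_ifs
    for opt in "$@"; do
        k=${opt%%=*}      # option name without its "=value" part
        case " $KNOWN_OPTS " in
            *" $k "*) ;;
            *) echo "$name: unknown option '$k' (typo?)"; rc=1 ;;
        esac
        case $k in
            swap|tmp) volatile=yes ;;
        esac
    done
    # A new random key at every boot is only safe when the volume is re-created
    # at every boot (swap or tmp); on anything else the data becomes unreadable.
    if [ "$key" = /dev/urandom ] && [ "$volatile" = no ]; then
        echo "$name: random key without swap/tmp option would destroy a persistent filesystem"
        rc=1
    fi
    return $rc
}

# Check that fstab mounts the mapped device and no longer lists the raw device.
# $1 = mapping name, $2 = raw device, $3 = fstab contents as a string.
check_fstab_mapping() {
    rc=0
    if ! printf '%s\n' "$3" | grep -q "^/dev/mapper/$1[[:space:]]"; then
        echo "fstab: no entry for /dev/mapper/$1"
        rc=1
    fi
    if printf '%s\n' "$3" | grep -q "^$2[[:space:]]"; then
        echo "fstab: raw device $2 is still listed; remove the old entry"
        rc=1
    fi
    return $rc
}

# Constructed sample entries: the swap line from the post, a /tmp line with a
# misspelled option, and two fstab variants (one still listing the raw device).
GOOD_SWAP='cryptoswap /dev/sda3 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=128,hash=ripemd160'
BAD_TMP='ctmp /dev/sda7 /dev/urandom tmp,chiper=aes-cbc-essiv:sha256,size=128,hash=ripemd160'
GOOD_FSTAB='/dev/mapper/cryptoswap none swap sw 0 0
/dev/mapper/ctmp /tmp ext2 nodev,nosuid 0 2'
STALE_FSTAB='/dev/sda3 none swap sw 0 0
/dev/mapper/ctmp /tmp ext2 nodev,nosuid 0 2'

check_crypttab_line "$GOOD_SWAP" && echo "cryptoswap: ok"
check_crypttab_line "$BAD_TMP" || echo "ctmp: fix before rebooting"
check_fstab_mapping cryptoswap /dev/sda3 "$GOOD_FSTAB" && echo "fstab: ok"
check_fstab_mapping cryptoswap /dev/sda3 "$STALE_FSTAB" || echo "fstab: fix before rebooting"
```

On a real system the two functions would be fed the lines of /etc/crypttab and the contents of /etc/fstab; the unknown-option check catches exactly the kind of misspelling that otherwise leaves the volume unencrypted or unmounted after reboot.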

2008-11-02

OpenSSH Visual Host Key

OpenSSH 5.1p1 introduces a feature called visual host key. The idea is that our brains are better at remembering images than text, so the feature renders the host key as a picture that is easier to recognize.

To enable this feature simply add the following lines to your ~/.ssh/config:

Host *
VisualHostKey yes
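The picture shown at login is only useful if there is a known-good one to compare it with. The same randomart can be rendered from a key that is already stored locally with ssh-keygen: -l prints the fingerprint and -v adds the randomart. The script below is an added example and not part of the original post; it generates a throwaway key purely to have something to render, and the paths mentioned in the comments (the server's ssh_host_*_key.pub, the client's ~/.ssh/known_hosts) are the usual locations, not values from the post.

```shell
#!/bin/sh
# Added example: render fingerprint plus randomart for keys stored on disk, so the
# picture ssh shows with "VisualHostKey yes" can be checked against a known-good one.

# Print fingerprint and randomart for every key in a public-key or known_hosts
# file. Returns 2 when ssh-keygen is unavailable, 1 when the file is unreadable.
show_host_art() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not installed" >&2; return 2; }
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    ssh-keygen -lv -f "$1"
}

# Count the randomart frames in the output (one per key). Each frame is bordered
# by two lines that start with '+', so the count is half the number of such lines.
count_art_frames() {
    show_host_art "$1" | grep -c '^+' | awk '{ print int($1 / 2) }'
}

# Demo with a throwaway key generated on the spot (constructed, not a real host key).
# On a server you would point show_host_art at /etc/ssh/ssh_host_*_key.pub and
# publish the art; on a client at ~/.ssh/known_hosts to list the stored pictures.
demo_dir=$(mktemp -d)
if command -v ssh-keygen >/dev/null 2>&1; then
    ssh-keygen -q -t ed25519 -N '' -f "$demo_dir/demo_key" >/dev/null
    show_host_art "$demo_dir/demo_key.pub"
    echo "frames rendered: $(count_art_frames "$demo_dir/demo_key.pub")"
fi
rm -rf "$demo_dir"
```

Comparing the picture against the one printed from the server's own public key is the check that makes the visual host key more than decoration: a different picture at login means a different key.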