Conversation
|
Marking as draft because it is specific to the LVM install choice. |
marmarek
left a comment
marmarek
left a comment
There was a problem hiding this comment.
I just found out I never clicked "submit review" here. Good thing that github kept the pending comment for a few years...
This encrypts dom0 swap with a randomly generated key, which helps prevent its contents from being recovered later.
DemiMarie
force-pushed
the
dom0-encrypted-swap
branch
from
5252dca to
3780cdc
Compare
| # Ensure that this unit comes after its backing device, | ||
| # and is shut down if its backing device is shut down. | ||
| After=dev-qubes_dom0-swap.device | ||
| BindsTo=dev-qubes_dom0-swap.device |
There was a problem hiding this comment.
Even in LVM setup, the VG name can be different, and LV name can be different too...
Previous version also had this issue, but now it's all over the place instead of just StartExec line.
Maybe it's possible to rely on generators (and maybe the default ones will be enough)? Like, setup backing device via /etc/crypttab, and then use /dev/mapper/swap as the actual swap (via /etc/fstab).
There was a problem hiding this comment.
That’s absolutely fine, and it’s what I do on my local system. I have this line in /etc/crypttab:
swap /dev/qubes_dom0/swap /dev/urandom plain,swap,cipher=aes-xts-plain64
And this in /etc/fstab (modulo padding whitespace):
/dev/mapper/swap none swap defaults 0 0
The reason that this PR does not take that approach is that these files are generated by Anaconda, which I have never touched before. I can try, though.
DemiMarie
left a comment
DemiMarie
left a comment
There was a problem hiding this comment.
Is Anaconda the correct place to make this change? I’m really unsure how to make changes to /etc/fstab and /etc/crypttab.
| # Ensure that this unit comes after its backing device, | ||
| # and is shut down if its backing device is shut down. | ||
| After=dev-qubes_dom0-swap.device | ||
| BindsTo=dev-qubes_dom0-swap.device |
There was a problem hiding this comment.
That’s absolutely fine, and it’s what I do on my local system. I have this line in /etc/crypttab:
swap /dev/qubes_dom0/swap /dev/urandom plain,swap,cipher=aes-xts-plain64
And this in /etc/fstab (modulo padding whitespace):
/dev/mapper/swap none swap defaults 0 0
The reason that this PR does not take that approach is that these files are generated by Anaconda, which I have never touched before. I can try, though.
Yes. And the upgrade tool (QubesOS/qubes-issues#9317). Sadly, Anaconda is quite complicated as storage goes, with logic split between anaconda itself and "blivet" package... But maybe it has encrypted swap support somewhere there already? |
2 participants
This encrypts dom0 swap with a randomly generated key, which helps
prevent its contents from being recovered later.