RHEL - Unable to get encrypted swap working


Hi,

I'm trying to get the instructions for swap encryption working:
https://access.redhat.com/solutions/1121603

Not sure if this is relevant but I'm running an instance of Redhat 7.1 on a Hyper-V VM.

Before making any changes, the system setup was as follows:

        [root@dsslinux71 ~]# fdisk -l

        Disk /dev/sda: 136.4 GB, 136365211648 bytes, 266338304 sectors
        Units = sectors of 1 * 512 = 512 bytes
        Sector size (logical/physical): 512 bytes / 512 bytes
        I/O size (minimum/optimal): 512 bytes / 512 bytes
        Disk label type: dos
        Disk identifier: 0x00095038

           Device Boot      Start         End      Blocks   Id  System
        /dev/sda1   *        2048     1026047      512000   83  Linux
        /dev/sda2         1026048   266338303   132656128   8e  Linux LVM

        Disk /dev/mapper/rhel_bwlinuxclient-root: 53.7 GB, 53687091200 bytes, 104857600 sectors
        Units = sectors of 1 * 512 = 512 bytes
        Sector size (logical/physical): 512 bytes / 512 bytes
        I/O size (minimum/optimal): 512 bytes / 512 bytes


        Disk /dev/mapper/rhel_bwlinuxclient-swap: 3087 MB, 3087007744 bytes, 6029312 sectors
        Units = sectors of 1 * 512 = 512 bytes
        Sector size (logical/physical): 512 bytes / 512 bytes
        I/O size (minimum/optimal): 512 bytes / 512 bytes


        Disk /dev/mapper/rhel_bwlinuxclient-home: 79.0 GB, 78995521536 bytes, 154288128 sectors
        Units = sectors of 1 * 512 = 512 bytes
        Sector size (logical/physical): 512 bytes / 512 bytes
        I/O size (minimum/optimal): 512 bytes / 512 bytes



        [root@dsslinux71 ~]# lsblk
        NAME                        MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
        sda                           8:0    0   127G  0 disk
        ├─sda1                        8:1    0   500M  0 part /boot
        └─sda2                        8:2    0 126.5G  0 part
          ├─rhel_bwlinuxclient-root 253:0    0    50G  0 lvm  /
          ├─rhel_bwlinuxclient-swap 253:1    0   2.9G  0 lvm  [SWAP]
          └─rhel_bwlinuxclient-home 253:2    0  73.6G  0 lvm  /home
        sr0                          11:0    1  1024M  0 rom


        [root@dsslinux71 ~]# swapon -s
        Filename                                Type            Size    Used    Priority
        /dev/dm-1                               partition       3014652 0       -1
        [root@dsslinux71 ~]#


        [root@dsslinux71 ~]# ls -l /dev/mapper
        total 0
        crw-------. 1 root root 10, 236 Jan 17 13:40 control
        lrwxrwxrwx. 1 root root       7 Jan 17 13:40 rhel_bwlinuxclient-home -> ../dm-2
        lrwxrwxrwx. 1 root root       7 Jan 17 13:40 rhel_bwlinuxclient-root -> ../dm-0
        lrwxrwxrwx. 1 root root       7 Jan 17 13:40 rhel_bwlinuxclient-swap -> ../dm-1


        [root@dsslinux71 ~]# cat /etc/fstab
        #
        # /etc/fstab
        # Created by anaconda on Wed Nov 23 12:07:29 2016
        #
        # Accessible filesystems, by reference, are maintained under '/dev/disk'
        # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
        #
        /dev/mapper/rhel_bwlinuxclient-root /                       xfs     defaults        0 0
        UUID=85cecc51-2396-4cc5-9203-3592d7a621c1 /boot                   xfs     defaults        0 0
        /dev/mapper/rhel_bwlinuxclient-home /home                   xfs     defaults        0 0
        /dev/mapper/rhel_bwlinuxclient-swap swap                    swap    defaults        0 0
        [root@dsslinux71 ~]#


        /etc/crypttab was empty

The steps I followed were as follows:
Step 1 - decide on device to use (referred to as DEV in instructions)
DEV = /dev/dm-1 (as it already exists)

Step 2 - Choose a name for the dm-device which will offer a decrypted view of DEV
(referred to in instructions as /dev/mapper/MAPPING)
MAPPING = rhel_bwlinuxclient-swap (as it already exists)

Step 3 - Add a new entry to /etc/crypttab in the form " MAPPING DEV /dev/urandom swap "
echo "rhel_bwlinuxclient-swap /dev/mapper/rhel_bwlinuxclient-swap /dev/urandom swap" >>/etc/crypttab

Step 4 - Add a new entry to /etc/fstab to activate the swap device /dev/mapper/MAPPING
(entry already in /etc/fstab for existing swap file, see above)

Step 5 - Reboot to activate swap

On reboot, the UI prompts for a password during boot phase:
"Please enter passphrase for disk rhel_bwlinuxclient-swap on swap!"

Using the enter key allows the boot sequence to continue, but this shouldn't be happening as per the instructions.

I also tried using 'swapoff -a' to turn off swap assignment before reboot;
the OS 're-discovered' the old one and then prompted for a password.

I thought that the '/dev/urandom' attribute of the entry added to /etc/crypttab
was supposed to randomly generate a password in the background and use that,
instead of prompting the user for a password.

I know that the instructions indicate not to use /dev/sda for encrypted swap,
but the reason given is that doing so would be less secure,
not that it would not work at all.
The values /dev/sda1 and /dev/sda2 have not changed across a dozen reboots.
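As an added example (not part of the original post or of the Red Hat article it cites), here is a small Python check of the crypttab/fstab pairing for a random-key swap device. It embeds the poster's own crypttab and fstab swap lines as its input; the rules it applies (unique dm name, stable source path, matching fstab entry) are this script's assumptions, not the article's text.

```python
"""Consistency check for a /dev/urandom-keyed encrypted swap (crypttab + fstab).

Added example; the two strings below are the poster's own lines from the
thread, embedded so the check runs offline against them.
"""
import os

CRYPTTAB = "rhel_bwlinuxclient-swap /dev/mapper/rhel_bwlinuxclient-swap /dev/urandom swap\n"
FSTAB = "/dev/mapper/rhel_bwlinuxclient-swap swap swap defaults 0 0\n"


def parse_table(text):
    """Split a crypttab/fstab-style file into field lists, skipping comments."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def check_swap_setup(crypttab, fstab):
    """Return a list of problems found; an empty list means the layout is consistent."""
    problems = []
    swap_devs = {r[0] for r in parse_table(fstab) if len(r) >= 3 and r[2] == "swap"}
    for row in parse_table(crypttab):
        name, dev = row[0], row[1]
        keyfile = row[2] if len(row) > 2 else "none"
        opts = set(row[3].split(",")) if len(row) > 3 else set()
        if keyfile != "/dev/urandom":
            continue  # only random-key (passphrase-less) swap mappings are checked
        if "swap" not in opts:
            problems.append(f"{name}: /dev/urandom key without the 'swap' option")
        # device-mapper names are unique: the new mapping cannot reuse the source LV's name
        if dev.startswith("/dev/mapper/") and os.path.basename(dev) == name:
            problems.append(f"{name}: mapping name equals the source device name")
        if dev.startswith("/dev/dm-") or dev.startswith("/dev/sd"):
            problems.append(f"{name}: source {dev} is not a stable device path")
        if f"/dev/mapper/{name}" not in swap_devs:
            problems.append(f"{name}: fstab has no swap entry for /dev/mapper/{name}")
        if dev in swap_devs and dev != f"/dev/mapper/{name}":
            problems.append(f"{name}: fstab still activates the plaintext device {dev}")
    return problems


if __name__ == "__main__":
    for p in check_swap_setup(CRYPTTAB, FSTAB) or ["no problems found"]:
        print(p)
```

Run against the poster's lines it reports the name collision; with a distinct mapping name (e.g. `swap`) and an fstab line for `/dev/mapper/swap` it reports nothing.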
