Encrypting /var/tmp & swap in Solaris 11 Express

As some readers might remember from previous posts, it isn't possible in Solaris 11 Express to boot from an encrypted ZFS dataset. However it is possible to have encrypted swap space and thus (by default) an encrypted /tmp, since /tmp is a tmpfs file system backed by swap. That still leaves /var/tmp unencrypted.

First let's look at swap space encryption. That is as simple as putting the word "encrypted" into the mount options field of /etc/vfstab for the swap ZVOL. If swap is a ZVOL then ZFS encryption will be used; if swap is a raw disk slice or a file then lofi will be interposed between the device/file and the swap subsystem, using a randomly generated key. That is a fully supported solution in Solaris 11 Express, implemented by the swapadd command (note, from the comments below, that later Solaris 11 releases use lofi for the ZVOL case as well, since ZFS dataset encryption on a swap ZVOL is not supported).
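As an added illustration (not part of the original post), here is a small POSIX sh/awk check that audits a vfstab for swap entries whose mount options field lacks "encrypted", and rewrites such entries to carry it. The vfstab text is a constructed sample and the function names (unencrypted_swap, add_encrypted_option) are this example's own; the field order is the real Solaris one.

```shell
#!/bin/sh
# Added example, not from the original post: audit /etc/vfstab for swap
# entries lacking the "encrypted" mount option.
# Solaris vfstab fields: device-to-mount device-to-fsck mount-point fstype
# fsck-pass mount-at-boot mount-options ("-" means no options).

# Constructed sample: one swap ZVOL without the option, one with it.
SAMPLE_VFSTAB='#device         device          mount           FS      fsck    mount   mount
#to mount       to fsck         point           type    pass    at boot options
#
/devices        -               /devices        devfs   -       no      -
/proc           -               /proc           proc    -       no      -
ctfs            -               /system/contract ctfs   -       no      -
objfs           -               /system/object  objfs   -       no      -
sharefs         -               /etc/dfs/sharetab       sharefs -       no      -
fd              -               /dev/fd         fd      -       no      -
swap            -               /tmp            tmpfs   -       yes     -
/dev/zvol/dsk/rpool/swap        -               -               swap    -       no      -
/dev/zvol/dsk/rpool/swap2       -               -               swap    -       no      encrypted'

# Print each swap device (fstype field == swap) whose options field does not
# contain "encrypted" as one of its comma-separated options. Reads stdin.
unencrypted_swap() {
    awk '
        /^[[:space:]]*#/ || NF < 7 { next }        # skip comments, blanks
        $4 == "swap" {
            n = split($7, opts, ",")
            found = 0
            for (i = 1; i <= n; i++) if (opts[i] == "encrypted") found = 1
            if (!found) print $1
        }'
}

# Rewrite swap entries so their options field carries "encrypted"; all other
# lines pass through untouched. Rewritten lines are tab separated.
add_encrypted_option() {
    awk '
        /^[[:space:]]*#/ || NF < 7 || $4 != "swap" { print; next }
        {
            if ($7 == "-") $7 = "encrypted"
            else if ($7 !~ /(^|,)encrypted(,|$)/) $7 = $7 ",encrypted"
            print
        }' OFS='\t'
}

echo "swap devices without the encrypted option:"
printf '%s\n' "$SAMPLE_VFSTAB" | unencrypted_swap
echo "corrected swap entries:"
printf '%s\n' "$SAMPLE_VFSTAB" | add_encrypted_option | awk '$4 == "swap"'
```

Run against the real file with `unencrypted_swap < /etc/vfstab`; an empty result means every swap device will be set up encrypted by swapadd at the next boot.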

For encrypting /var/tmp we need to go beyond the provided services; the following (unsupported) method takes its lead from what I did for swapadd and applies it to /var/tmp. Note however that this assumes nothing in /var/tmp needs to be preserved across a boot: the dataset is keyed from /dev/random each time, so its contents won't be readable after a reboot, or from another boot environment. If you use this, don't put anything into /var/tmp that you want back after a reboot.

This takes advantage of the fact that in SMF a service can, through a dependent element in its own manifest, declare that another service (here svc:/system/filesystem/minimal) depends on it, without modifying that service. So while the following makes some basic assumptions about the Solaris ZFS dataset layout, it doesn't require modifying any existing binaries or configuration files.

We create a new service, svc:/site/system/filesystem/tmp:default, which creates an encrypted dataset for /var/tmp using the manifest and method script that follow:


<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--

 CDDL HEADER START

 The contents of this file are subject to the terms of the
 Common Development and Distribution License (the "License").
 You may not use this file except in compliance with the License.

 You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 or http://www.opensolaris.org/os/licensing.
 See the License for the specific language governing permissions
 and limitations under the License.

 When distributing Covered Code, include this CDDL HEADER in each
 file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 If applicable, add the following below this CDDL HEADER, with the
 fields enclosed by brackets "[]" replaced with your own identifying
 information: Portions Copyright [yyyy] [name of copyright owner]

 CDDL HEADER END

 Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.

-->


<service_bundle type='manifest' name='darrenm:etmp'>

<service
        name='site/system/filesystem/tmp'
        type='service'
        version='1'>

        <create_default_instance enabled='true' />

        <single_instance />

        <dependency
                name='cryptosvc'
                grouping='require_all'
                type='service'
                restart_on='none'>
                <service_fmri value='svc:/system/cryptosvc' />
        </dependency>

        <dependent
                name='var-tmp'
                grouping='optional_all'
                restart_on='none'>
                <service_fmri value='svc:/system/filesystem/minimal' />
        </dependent>


        <exec_method
                type='method'
                name='start'
                exec='/lib/svc/method/site-etmp'
                timeout_seconds='30' />

        <exec_method
                type='method'
                name='stop'
                exec=':true'
                timeout_seconds='1' />

        <property_group name='startd' type='framework'>
                <propval name='duration' type='astring' value='transient' />
        </property_group>

</service>

</service_bundle>


#!/usr/sbin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
#
# /lib/svc/method/site-etmp

# Remove any dataset left from the previous boot; its wrapping key came from
# /dev/random and was never saved, so the old contents are unrecoverable.
zfs destroy rpool/tmp > /dev/null 2>&1
# Create a fresh dataset with a new random key. /var/tmp must be empty,
# otherwise ZFS refuses to mount over it.
zfs create -o mountpoint=/var/tmp -o encryption=on -o keysource=raw,file:///dev/random rpool/tmp
# Restore the usual world-writable, sticky permissions of a tmp directory.
chmod 1777 /var/tmp

exit 0

On reboot what will happen is that a new dataset for /var/tmp will be created. It would be possible to have a more sophisticated method script that doesn't use a hardcoded dataset name of rpool/tmp, but this seems sufficient for now. It will look something like this:

darrenm-pc:pts/1$ cd /var/tmp
darrenm-pc:pts/1$ df -hl .
Filesystem             Size   Used  Available Capacity  Mounted on
rpool/tmp              113G    79K        77G     1%    /var/tmp
darrenm-pc:pts/1$ ls -ld .
drwxrwxrwt   5 root     root           5 May 10 14:39 ./
darrenm-pc:pts/1$ zfs get encryption,keysource,keystatus rpool/tmp
NAME       PROPERTY    VALUE                   SOURCE
rpool/tmp  encryption  on                      local
rpool/tmp  keysource   raw,file:///dev/random  local
rpool/tmp  keystatus   available               -
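As an added example (not the post's own script), here is a variant of /lib/svc/method/site-etmp that derives the pool name from the dataset mounted at / instead of hard-coding rpool, refuses to mount over a non-empty /var/tmp (the failure mode mentioned in the comments), and hardens the world-writable dataset with setuid=off, devices=off and sync=disabled, none of which the post's script sets. The helper names (pool_of, tmp_dataset_for_root, dir_is_empty, create_encrypted_tmp), the TMPDIR_MNT variable and the use of SMF_FMRI to detect being run by SMF are this example's own conventions; the zfs and chmod invocations mirror the post.

```shell
#!/usr/sbin/sh
# Added example: generalised replacement for /lib/svc/method/site-etmp.
# Not the original post's code; helper names are this example's own.

TMPDIR_MNT=/var/tmp

# First path component of a dataset name: rpool/ROOT/solaris -> rpool
pool_of() {
    printf '%s\n' "${1%%/*}"
}

# Dataset that will hold /var/tmp, given the root file system's dataset.
tmp_dataset_for_root() {
    printf '%s/tmp\n' "$(pool_of "$1")"
}

# Succeed only if the directory exists and has no entries at all (dotfiles
# included); ZFS will not mount a dataset over a non-empty directory.
dir_is_empty() {
    [ -d "$1" ] || return 1
    for f in "$1"/* "$1"/.[!.]* "$1"/..?*; do
        [ -e "$f" ] && return 1
    done
    return 0
}

# Destroy any stale dataset from a previous boot (its random key is gone)
# and create a fresh one keyed from /dev/random, as in the post, plus:
#   setuid=off devices=off  nothing in a world-writable tmp needs either
#   sync=disabled           contents never survive a reboot anyway
create_encrypted_tmp() {
    ds=$1
    zfs destroy "$ds" > /dev/null 2>&1
    if ! dir_is_empty "$TMPDIR_MNT"; then
        echo "site-etmp: $TMPDIR_MNT is not empty; refusing to mount $ds over it" >&2
        return 1
    fi
    zfs create -o mountpoint="$TMPDIR_MNT" \
               -o encryption=on \
               -o keysource=raw,file:///dev/random \
               -o setuid=off -o devices=off -o sync=disabled \
               "$ds" || return 1
    chmod 1777 "$TMPDIR_MNT"
    # The dataset is only usable if its key is loaded; report otherwise.
    [ "$(zfs get -H -o value keystatus "$ds")" = "available" ]
}

# Only drive zfs when invoked by SMF (which exports SMF_FMRI) on a system
# that has it; this lets the helpers above be sourced and exercised elsewhere.
if [ -n "${SMF_FMRI:-}" ] && [ -x /usr/sbin/zfs ]; then
    root_ds=$(zfs list -H -o name /) || exit 1
    create_encrypted_tmp "$(tmp_dataset_for_root "$root_ds")" || exit 1
fi
```

Install it the same way as the post's script: copy it to /lib/svc/method/site-etmp, make it executable, import the manifest with `svccfg import`, and after the next boot confirm with `svcs -l site/system/filesystem/tmp` and `zfs get encryption,keystatus <pool>/tmp`. If /var/tmp still holds files from the root dataset the method exits non-zero and SMF puts the service into maintenance, rather than leaving an unencrypted /var/tmp in place silently.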

Comments:

Before you enable this be sure to empty /var/tmp so that the mount does not complain about it containing data.

Posted by Chris Gerhard on May 11, 2011 at 06:46 AM BST #

Since /var/tmp is being thrown away at each reboot you may as well set sync=disabled on the dataset to get that little bit more performance:

root@bike:~# diff /tmp/site-etmp /lib/svc/method/site-etmp
27c27,30
< zfs create -o mountpoint=/var/tmp -o encryption=on -o keysource=raw,file:///dev/random rpool/tmp
---
> zfs create -o mountpoint=/var/tmp \
> -o sync=disabled \
> -o encryption=on \
> -o keysource=raw,file:///dev/random rpool/tmp
root@bike:~#
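Review bot: sync=disabled on the new zfs create line is safe here only because the script's preceding zfs destroy throws the dataset away on every boot; do not carry the option over to any dataset whose contents must survive a power loss, since with it fsync() returns before data reaches stable storage. While touching that line, consider adding -o setuid=off -o devices=off as well, which cost nothing on a world-writable tmp file system and close two classic abuse paths.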

Posted by Chris Gerhard on May 16, 2011 at 02:04 AM BST #

Hi,

Although encrypting the /tmp worked well with Solaris 11 Express, I encounter a problem (a bug?) which prevents the recreation of the rpool/swap dataset at each boot, leaving the system without a SWAP device configured. The problem seems to be related to the fact that the swap command sets (directly, or indirectly) some properties of the dataset during the addition of the SWAP device, in particular the encryption property to 'aes-128-ctr', which is unfortunately not recognized by ZFS as a valid encryption algorithm. This leads the system to destroy the rpool/swap dataset each time it is booting, but without being able to recreate it... and thus with no SWAP device available for use.

Is this a known problem? Is there a workaround for this problem on Solaris 11 EA (hope this will be fixed in Solaris 11 GA)?

--
Best regards,
Julien Gabel.

Posted by guest on October 05, 2011 at 09:11 AM BST #

The 'aes-128-ctr' issue is still unfixed in Solaris 11.1; they managed to dump all zfs destroy/zfs create -o encryption=on commands from /usr/sbin/swapadd though; so setting swap to encrypted in /etc/vfstab will use lofi. Using zfs crypto on your swap zvol seems to be unsupported.

Posted by guest on May 07, 2013 at 09:07 PM BST #

The use of lofi for swap is intentional and you can not use the ZFS dataset encryption on a swap ZVOL at this time. This is a known issue.

Posted by Darren J Moffat on May 08, 2013 at 10:29 AM BST #

About

DarrenMoffat
