Encrypted Swap in OpenSolaris 2009.06
By gbrunett on Jun 08, 2009
The problem is that the encrypted swap portion of this ARC case was never completed as it is expected that the ZFS encryption project will provide this functionality when it integrates. Unfortunately, ZFS encryption is not here today, so until it is - we can enable a workaround using LOFI encryption. There are some "issues" to consider when using LOFI encryption that Darren Moffat covers well in his post on this subject.
So, without further ado, let's get to the particulars. To enable encrypted swap in OpenSolaris 2009.06, you need only follow the following steps.
Note that the following instructions assume that privileged operations will be executed by someone with administrative access (directly or via Solaris role-based access control). For the examples below, no changes were made to the default RBAC configuration. The commands as written were executed as the user created during the installation process.
- Prevent the system from automatically adding swap devices or files. This is actually a little trickier than it sounds since the /sbin/swapadd program, called during the boot process, will attempt to use anything defined as swap that is not commented. I would prefer not to comment the files as it would then be harder to tell the difference between those we wanted to use for encrypted swap and those that were commented for some other reason. To work around this issue, you simply must edit the /etc/vfstab file and define the swap device or file as something other than "swap". For the scripts discussed below, we will use the key "enc-swap". Here is an example from /etc/vfstab:
$ grep enc-swap /etc/vfstab /dev/zvol/dsk/rpool/swap - - enc-swap - no - $ swap -l No swap devices configured
- Remove the existing swap devices or files. It is likely that your system will have already added the swap devices or files to the system. To determine if this is the case, simply use the following command:
$ swap -l swapfile dev swaplo blocks free /dev/zvol/dsk/rpool/swap 182,2 8 1226744 1226744
If there are devices or files already configured, remove them using the following command:
$ pfexec swap -d /dev/zvol/dsk/rpool/swap $ swap -l No swap devices configured
If swap is in use, you may need to reboot you system in order to remove the device at this point. Note that the previous step (where the file system type was changed to enc-swap) will ensure that the device or file is not used upon boot.)
- Add the encrypted swap SMF service. Here is where the magic lives. You will need to download the archive containing the encrypted swap SMF service manifest and method files. Note that these files are user contributed and as such are not officially a part of the OpenSolaris release nor are they officially supported by Sun. If you are ok with these terms, you should now download the archive and install the files using the following commands:
$ wget -qnd http://mediacast.sun.com/users/gbrunette/media/smf-encrypted-swap-v0.1.tar.bz2 $ bzip2 -d -c ./smf-encrypted-swap-v0.1.tar.bz2 | tar xf - $ cd ./smf-encrypted-swap $ pfexec ./install.sh $ svccfg import /var/svc/manifest/site/isc-enc-swap.xml
The install.sh script is used to copy this service's SMF manifest and method scripts into the proper locations as well as set correct ownership and permissions of these files.
- Verify the service is running and encrypted swap is configured. The last step is to verify that everything is working as expected. Use the following commands to verify the service was properly installed and enabled:
$ svcs isc-encrypted-swap STATE STIME FMRI online 14:30:10 svc:/system/isc-encrypted-swap:default
Use the following commands to verify that encrypted swap is in use:
$ lofiadm Block Device File Options /dev/lofi/1 /devices/pseudo/zfs@0:2c Encrypted $ swap -l swapfile dev swaplo blocks free /dev/lofi/1 144,1 8 1226728 1226728
The last two commands show that an encrypted block device was created at /dev/lofi/1 and that the device is currently in use as a swap device. It should be noted that no password, passphrase or other credential was given when the encryption was configured. This is because this service is configured to use an ephemeral key. The key is not stored on the system and is lost when the system is restarted. Upon each reboot, a new encrypted block device with a new ephemeral key will be used to configure encrypted swap.
Note that the examples above have shown the service with a single swap device, but the SMF service has been written to support multiple swap devices or files. For example, a secondary swap file could be created using the following steps:
$ pfexec zfs create -V 1G rpool/export/swapfile $ pfexec vi /etc/vfstab [add the new entry for rpool/export/swapfile as verified in the next step] $ grep enc-swap /etc/vfstab /dev/zvol/dsk/rpool/swap - - enc-swap - no - /dev/zvol/dsk/rpoo/export/swapfile - - enc-swap - no - $ svcadm restart isc-encrypted-swap $ lofiadm Block Device File Options /dev/lofi/1 /devices/pseudo/zfs@0:2c Encrypted /dev/lofi/2 /devices/pseudo/zfs@0:3c Encrypted $ swap -l swapfile dev swaplo blocks free /dev/lofi/1 144,1 8 1226728 1226728 /dev/lofi/2 144,2 8 2097128 2097128
There you have it! Enabling encrypted swap in OpenSolaris 2009.06 is as easy as following these few simple steps. It is worth reiterating that this solution is just a temporary workaround. Once ZFS encryption is available, it should be used instead of this approach. In the meantime, however, if you are interested in enabling encrypted swap on your OpenSolaris 2009.06 systems, give this model at try and please be sure to send along your feedback!
P.S. Some of you may be wondering why the SMF service and associated files are labeled with an ISC prefix? The answer is simple. They were developed and are being used as part of the Immutable Service Container project! Look for more information and materials from this project in the near future!