The Encrypted Windows Dual Boot Laptop howto
A PDF version of my encryption guides (with referenced links for convenience etc), which you may find much easier to read, is available here.
Overview
This howto is for people using both 64 bit and 32 bit Windows XP (Professional and Home) and openSuSE 10.3. This can (I hope) be easily adapted for Vista and other Linux system users.
Once completed your system will have:
- An unencrypted Windows partition with no user data or pagefile
- An encrypted swap partition used by both Windows (pagefile) and Linux
- An encrypted openSuSE 10.3 root
- An encrypted documents partition shared between Windows and Linux containing all user information from both systems
A shared home/ documents partition frees up a significant amount of disk space when compared with a standard dual boot installation.
Will my system be fully secure?
When switched off/ not logged in then yes, however you will still be vulnerable to Viruses, Trojans, Root Kits, internet hackers etc whilst the system is running, and so you should still install all the usual software (virus checker etc) and take all the usual precautions that you would for an unencrypted system.
How could information leak onto the unencrypted Windows Partition?
If the software you are using was written for Windows XP or later then it is very unlikely that any information will leak out using the system described in this howto.
All user data that newer software saves to the hard disk goes into the user's 'Documents and Settings' folder, which will be encrypted. Temporary information will be kept in RAM (and so be wiped at shutdown), or in the encrypted pagefile.
However software written for Dos/ Windows 95/ 98 etc may save temporary data to its own folder on the C drive, so when using legacy software check on temporary file settings, check to see what it saves to disk (maybe it won't be secure data) and see if you can install it on the encrypted drive.
Getting started
As it is likely that the system you are reading this on is the one you want to work on it's best to download all the required software now whilst the system is still working. Also print off a paper copy of this howto.
You will need
- A copy of openSuSE 10.3 on CD or DVD
- A Windows XP installation CD with serial number
- XP drivers for your hardware
- Truecrypt install file for Windows
- Truecrypt sourcecode for Linux
- Eraser
- SwapFS Driver
- WinRAR (for unpacking TCGINA only)
- TCGINA
- Ext2IFS (XP 32bit only)
- Ext2fs - XP 32 or 64 bit (I prefer Ext2IFS for 32 bit)
- Bootpart (only if you intend to use XP bootloader rather than Grub)
- CryptoSwap Guerrilla
Checking the downloads
If you've had to make your own Windows XP install disk it's best that you check it before formatting your current system. All I can suggest though is that you try it out on a spare HDD, computer or virtual machine (e.g. VMWare).
The openSuSE 10.3 CD and DVD images come with a media checking utility. Boot the system from the DVD or CD number 1 and select install from the first menu. Once the system is up (there will be a few more questions) there is a screen that you can use to check each CD/ DVD for errors (which often occur during download). If there are any don't install until you have a good copy.
For all the other software, extract and install it on your current system if you can (you may not have an ext2/3 or swap partition to check SwapFS or Ext2IFS on; otherwise just check that the files extract ok and install what you can). If any errors occur download fresh copies.
Burn all the software and any personal files you want to keep to CD (or place on any other generic medium).
Determine C drive required size
Take a look at how much space has been used on your Windows C drive minus the documents and settings folder (which will go on a separate partition), this will help determine the appropriate size for the new C partition.
Make sure you have saved everything you want to keep; once the next step has been completed it will be very difficult to ever recover your data.
Wiping all data from the HDD
As everyone knows data on a hard drive isn't deleted until it is overwritten.
Even if you have an encrypted file system now it may be possible to look past that at what used to be on the drive, so if there is anything currently on your system you want secure it's time to overwrite the whole hard disk.
This is the first step in erasing the old system, as you go through this howto you will gradually ensure that all data you currently hold unsecured on your computer is removed.
There are commercial and free packages to do this (Eraser for one) and I would recommend following the Eraser instructions to make a Boot Nuke Disk.
Another faster way to wipe the whole disk is using the openSuSE rescue system.
Boot openSuSE and from the first set of options select 'Rescue System'.
Once the system has loaded you will have to log-in. The username is 'root' (as in the superuser account), there is no password.
Once in you will have to determine what the name of the HDD is. Normally it is called /dev/hda (IDE) or /dev/sda (SATA/ SCSI), if you don't know make sure all USB etc drives are unplugged (to avoid confusing outputs) and run the following command:
Rescue:~# fdisk -l
A printout of the result will look something like this:
Disk /dev/sda: 80.0 GB, 80026361856 bytes
255 heads, 63 sectors/track, 9729 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x31c492b4

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1        9729    80026361    7  HPFS/NTFS
In the above example the name of the main hard disk is /dev/sda (/dev/sda1 is a Windows partition on the disk). You are now going to overwrite the entire hard disk with zeros. This form of data deletion won't beat the CIA but will defeat most data thieves, and besides you are going to be doing more to erase your data as you go through. Make sure you have performed a full backup before executing the next command:
Rescue:~# dd if=/dev/zero of=/dev/sda bs=4096
The option bs=4096 sets the block size for the overwrite. By setting this to an optimal size for your system you can speed up the erase, but if you don't know what you are doing then it's best to leave it at 4096, this size works for most modern systems.
The erase will probably take an hour or more for an 80 GB drive, and will destroy not only all data but the partition table too.
Installing Windows
You must install Windows before Linux; most XP installation disks will hang if there is a Linux partition table on the HDD.
The installation of Windows is the same as the default installation, but when you get to the section for selecting partitions you should create a new one (NTFS full format, not the quick one), and make sure it is the minimum size you need.
As there will be no pagefile on the partition you can keep the new partition only two or three GB larger than the size you determined earlier.
As an example, an XP 32 bit installation with Office 2003 (full plus Visio) and other standard packages like Acrobat Pro requires a 10GB partition, of which 3.5GB will be left over after installation of all packages.
Initial user accounts
If you have to (for example XP home) only install one user account (XP Pro users should just stick with the default Administrator account), remembering that this account will never be used so do not use your favourite account name.
This account should NOT be password protected until we have disabled LM hashing (unless you fancy setting a 2nd password later on) and made it a computer administrator. If you do set a password it should not be the password you intend to use to unlock your encrypted partitions.
Disable LM Hashing
Once the system has been installed log in and disable LM Hashing to secure your XP user passwords. For an explanation of why you should do this, go to one of the following sites (or do a Google search):
- http://tsudohnimh.com/blog/2006/09/secure-passwords-part-two.html
- http://articles.techrepublic.com.com/5100-6350_11-5287636.html
Click Start, click Run, type regedit, and then click OK. Locate and then click the following key in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
On the Edit menu, point to New, and then click DWORD Value. Type 'NoLMHash', and then press ENTER (note this DWORD may already exist). On the Edit menu, click Modify (the DWORD), set the value to 1 and then click OK.
Next find 'LMCompatibilityLevel' and set to one of the following, depending on your system (if you don't need to log into a Windows network server just set it to 5):
- Level 0: Send LM response and NTLM response; never use NTLMv2 session security
- Level 1: Use NTLMv2 session security if negotiated
- Level 2: Send NTLM authentication only
- Level 3: Send NTLMv2 authentication only
- Level 4: Refuse LM authentication
- Level 5: Refuse LM and NTLM authentication; accept only NTLMv2
Restart your computer and then change/ set your passwords.
Get system up and running
Now install all your Windows drivers to get the system up and running. If you do go online or open any files make sure none of them are sensitive (for example try not to do your internet banking) as the account you have made will never be secure and you don't want to risk fragments of sensitive data ending up on this drive.
Check the pagefile size
Once you have installed Windows you need to know the size of the pagefile it is using, this will help to determine the size of the openSuSE swap partition, that both Windows and Linux will use.
To find the pagefile size go to 'Control Panel => System' and select the advanced tab.
Click on the settings button at the top, the one inside the 'Performance' box. Now select the advanced tab on the 'Performance Options' window, and then select the 'Change' button within the 'Virtual Memory' box at the base of the window.
At the top of the 'Virtual Memory' window you will see a white box in which is listed the C: drive and its Paging File Size. Make a note of the maximum size.
Install Software
Finally install Truecrypt, WinRAR, Ext2IFS/ Ext2fs and Eraser, you will need them later.
If you intend to use bootpart install that now too, however please note that using the Windows XP boot loader can cause issues with the advanced encryption techniques described later.
Installing openSuSE 10.3/ Linux
Boot the machine with the openSuSE DVD/ CDROM. Follow the default install until you get to the system configuration screen. This is the screen which will show you a summary of the system to be installed, such as software and partitioning.
Partitioning
First you change the partitioning. As the HDD has a large chunk of free space (or is just free space if you are only installing Linux) openSuSE will have determined optimal partition sizes, sadly you want none of these but before you delete them make a note of the swap partition size. Compare this to the Windows pagefile and whichever is the larger will become the new swap partition size +30ish % (so if your pagefile needs to be at most 1.5GB the swap partition will be 2GB).
Once all the default partitions have been deleted you must first create a boot partition (so set the mount point to '/boot'). This should be about 75MB as you may want to have more than one kernel and/ or initrd.
Next you create the swap partition, size as above, followed by what will eventually become the root partition. My partition is 8GB and Ext3, set the mount point to nothing.
The remaining space on the disk will be for documents. For now you will install Linux there (so set the mount point to '/') but you will move that to the new root partition later.
Install the root file system ('/') on one of them and leave the mount point of the other one blank. It doesn't matter at this time what file system you format this as it will be overwritten by Truecrypt, however whatever it is will be the final file system of the installation (as we will create a file system within the encrypted devices). On our example system my partition table now looks like this:
| Device | Size | Type | Filesystem | What is it? |
| --- | --- | --- | --- | --- |
| /dev/sda1 | 10GB | Primary | NTFS | Windows C |
| /dev/sda2 | 70GB | Extended | W95 Ext'd (LBA) | Extended Partition |
| /dev/sda5 | 75MB | Extended | Ext3 | /boot |
| /dev/sda6 | 2GB | Extended | swap | swap |
| /dev/sda7 | 10GB | Extended | Ext3 | Future root |
| /dev/sda8 | 58GB | Extended | Ext3 | Root ('/') |
Grub
If you intend to use hibernate you should use the openSuSE default boot manager Grub (the reason is discussed later), and unless you have a reason to use the XP boot loader you should leave the bootloader options alone.
However if you have security software that requires you to have an XP MBR you should set the installation location of GRUB to your /boot partition (in this case /dev/sda5) and use bootpart to add openSuSE to your Windows XP bootloader (and take note of the encrypted Linux hibernation section later).
If you have no idea what all this means leave Grub/ the bootloader alone for now.
Software
You should now add some additional packages during installation. Select the dropdown to change software, in the screen which appears click on 'Details' (near the bottom of the screen) and on the next screen which appears select 'Search' from the dropdown near the top.
Now search for and select the following packages:
| Package | Why |
| --- | --- |
| kernel-source | Needed to build truecrypt module |
| kernel-syms | Needed to build truecrypt module |
| cryptconfig | Needed for encrypted root FS |
| cryptsetup | Needed for encrypted root FS |
| libgcrypt | Needed for encrypted root FS |
| libxcrypt | Needed for encrypted root FS |
| gcc | Needed to build truecrypt module |
| make | Needed to build truecrypt module |
| e2fsprogs | Needed for encrypted root FS |
| e2fsprogs-devel | Needed for encrypted root FS |
| kinternet | Added for convenience, otherwise it will ask to install later |
Accept any packages added in support of the above and any licence agreements and return to the summary screen.
It is now ok to run the installation.
Update
Do not run update during installation as a new kernel is already out and this will make the install fail. Wait until the system is running.
Root password and user accounts
Whatever else you do during installation, make sure that when you set the root password (and you should) you don't use the password you will want to use for the encrypted filesystems.
At this time do not add any user accounts, and ignore the warning that this will only be an empty login server (or whatever that warning said).
Once the installation has finished log in as the root user.
Randomising the root partition
Once you are logged in as the root user on your new system you should start the process of moving root to its new encrypted partition.
However first run YaST, get the system hooked up to the internet, add an Online Update source and run an online update. This will install a new kernel and some security updates (in fact the longer after openSuSE 10.3 came out you read this the more updates there will be).
The newer kernels for openSuSE 10.3 implement (or seem to implement) the use of mkinitrd in a slightly different way to the default installation, and doing this update skips a chapter I would've had to otherwise write.
Once the update is complete reboot and log in again as root.
The first thing you are going to do is overwrite the soon to be root partition with random data. This will help to erase anything that you once had on the disk that wasn't removed earlier, and help hide the encrypted data that the root partition will soon contain.
As can be seen in the earlier example system the new root partition will be /dev/sda7 so you run the command (from a terminal or terminal emulator):
tin-man:~# dd if=/dev/urandom of=/dev/sda7 bs=4096
This will overwrite the whole of the new root with data from urandom, a device in the Linux system which generates random data by combining random number generators with information on disk timings and mouse movements. It runs pretty slowly and for a 10GB drive will take several hours to finish. By making the block size (bs=4096) larger you haven't made the process run faster (unlike with /dev/zero earlier), but you have reduced the overhead on the system as it writes to disk less often, and so you will be able to do other things whilst this runs.
If you want you can move ahead whilst this runs and do the next step, but as that (the next step) will only take a few minutes maybe you should just get a cup of tea.
Setting up the bootloader - Grub
Whilst the system is busy writing random data to the new root partition you can be setting up Grub (or enjoying that tea).
Using the file manager as root go to /boot/grub; inside the directory you will find a file called 'menu.lst'.
Open this with your favourite text editor and add a new entry (modified for your system), an example file can be found here.
Save the file and close the text editor.
Encrypting and formatting root
Once the random data has been written to the new root you need to create an encrypted file system. Run the following command:
tin-man:~# cryptsetup -v --key-size 256 luksFormat /dev/sda7
And follow the instructions. Remember to use a different password from your usual user account login.
Next you need to open the new partition, run:
tin-man:~# cryptsetup luksOpen /dev/sda7 root
And enter your password.
Finally you need to format the partition, I use Ext3 here but you should use whatever the original root system was installed on (the default openSuSE 10.3 filesystem is Ext3).
tin-man:~# /sbin/mkfs.ext3 -j /dev/mapper/root
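To confirm what luksFormat wrote, the script below (an added example, not part of the original howto) reads the unencrypted LUKS version 1 header and reports the cipher and key size; 'cryptsetup luksDump' shows the same fields. The function names are hypothetical, LUKS version 1 is assumed, and the sample header is constructed.

```shell
#!/bin/sh
# Added example, not part of the original howto. Reads the LUKS version 1
# header, which is stored unencrypted at the start of the partition, so the
# random fill hides how much of the partition is in use but not that it is
# a LUKS volume. Function names are hypothetical.
#
# LUKS1 header fields used here (byte offsets):
#   0 magic[6]   6 version(2)   8 cipher name[32]   40 cipher mode[32]
#   72 hash spec[32]   104 payload offset(4)   108 key bytes(4)

# read_str FILE OFFSET LEN -> the bytes as text with NUL padding removed.
read_str() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'
}

# read_be FILE OFFSET LEN -> big-endian unsigned integer of LEN bytes.
read_be() {
    rb_val=0
    for rb_byte in $(dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null |
                     od -An -tu1); do
        rb_val=$((rb_val * 256 + rb_byte))
    done
    echo "$rb_val"
}

# is_luks1 FILE -> 0 if FILE starts with "LUKS" 0xBA 0xBE and version 1.
is_luks1() {
    il_magic=$(echo $(dd if="$1" bs=1 count=6 2>/dev/null | od -An -tu1))
    [ "$il_magic" = "76 85 75 83 186 190" ] && [ "$(read_be "$1" 6 2)" -eq 1 ]
}

# luks_key_bits FILE -> master key size in bits (the key bytes field * 8).
luks_key_bits() {
    is_luks1 "$1" || return 1
    echo $(( $(read_be "$1" 108 4) * 8 ))
}

# luks_cipher FILE -> "name-mode", for example aes-cbc-essiv:sha256.
luks_cipher() {
    is_luks1 "$1" || return 1
    echo "$(read_str "$1" 8 32)-$(read_str "$1" 40 32)"
}

# put_at FILE BYTES OFFSET -> write BYTES (printf escapes allowed) at OFFSET.
put_at() {
    printf "$2" | dd of="$1" bs=1 seek="$3" conv=notrunc 2>/dev/null
}

# make_sample_header FILE -> constructed 592-byte LUKS1 header for testing.
# It holds no key material; only the fields read above are filled in.
make_sample_header() {
    dd if=/dev/zero of="$1" bs=592 count=1 2>/dev/null
    put_at "$1" 'LUKS\272\276' 0        # magic
    put_at "$1" '\001' 7                # version 1 (high byte stays 0)
    put_at "$1" 'aes' 8                 # cipher name (constructed value)
    put_at "$1" 'cbc-essiv:sha256' 40   # cipher mode (constructed value)
    put_at "$1" 'sha1' 72               # hash spec (constructed value)
    put_at "$1" '\040' 111              # key bytes = 32, low byte of field
}

# On the howto's example system, as root:
#   luks_cipher /dev/sda7
#   luks_key_bits /dev/sda7
```

After the luksFormat command above, luks_key_bits /dev/sda7 should print 256, matching the --key-size option.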
Making a crypttab file
When the system boots the encrypted file system software looks for a file listing encrypted systems and what they should be booted as. This file is called crypttab and is found in /etc, e.g:
/etc/crypttab
See here for an example crypttab file; you will need to save this file as root, named 'crypttab' (no extension - read write permissions), edit it to match your system and place it in /etc.
Moving the root Filesystem
Once the new root partition has been created you need to copy over the current root file system.
First mount the partition.
tin-man:~# mount /dev/mapper/root /mnt
If the directory /mnt does not exist make one using file manager.
Within /mnt make the directories 'media', 'proc', 'boot' and 'sys'. These are system directories that you don't need to copy over; they are set up as the system is running.
Now you copy the rest of the root partition (remember to add any directories I may have missed, excluding the above):
tin-man:~# cd /
tin-man:/# find bin dev etc home lib* opt root sbin srv tmp usr var -depth -print0 | cpio -pmd --null /mnt
Mount options: fstab
The fstab, which is the file the running system uses to determine where and if to mount partitions, needs to be altered for the new encrypted root system.
Go to /mnt/etc (the /etc within the soon to be new root filesystem) and open the file 'fstab' with your favourite text editor.
Click here for an example fstab, for the new system you only need to alter one line, the line for the root filesystem.
The initial Ram Disk - Initrd
The Linux system uses an initial ram disk (initrd) to boot the system, containing any modules and software that the kernel will need prior to mounting the root directory. In order to mount an encrypted root filesystem a few tools must be added to the initrd.
With the introduction of openSuSE 10.3 the system will run almost out of the box with the standard kernel and software.
Run the following command:
tin-man:~# mkinitrd -d /dev/mapper/root
Which tells mkinitrd to make a new initrd based on the root system on /dev/mapper/root.
Once done you should be able to reboot the system.
The first boot, USB Keyboards, what to do if it doesn't work, and what to do when it does
When you reboot you should see the option to boot 'Encrypted openSUSE 10.3', if not you must go back in and edit the grub menu as described above.
Next you should see the usual openSuSE booting screen (with the option to press Escape for more information). After a few seconds (which will seem longer because you are waiting and watching) the screen will show the boot process, and the words:
Enter Luks password:
should appear.
They may however have appeared and be a few lines back, because on some systems the kernel will continue to discover hardware and report on it (for example USB stick drives). Either way when the scrolling text stops just enter the password you made up earlier - no stars or text will appear - and press return, the system should then continue to boot.
If you are unable to type anything reboot Linux via the normal way and check that your keyboard is supported by initrd during boot. USB keyboards commonly are not; you will therefore need to find a guide on the web to enable the keyboard. Normally (as in for most generic USB keyboards) you can enable USB keyboard support in your initrd using YaST.
In YaST go to System==>/etc/sysconfig editor, and then add the modules ehci-hcd and uhci-hcd to the entry "Kernel-INITRD_MODULES" and remake the initrd for /dev/mapper/root (using the above command).
If you get error messages like 'no filesystem driver' or similar then initrd needs to be rebuilt; log back in and run mkinitrd and look for error messages, if it runs without incident try rebooting again (a common one is module dependencies, run 'depmod -a').
Once you have booted into the new system you should run the command 'mkinitrd' (and just that word) to make sure that the new system is able to build its own initial ram disk (this will be needed every time a kernel update is installed).
Creating the /home directory
If your system has booted up successfully then you should run mkinitrd again (see above) and can then proceed to create a '/home' directory.
If you want to have the '/home' partition visible to both Windows and Linux as a shared documents and user settings partition you will need to install Truecrypt.
Installing truecrypt
Unpack the contents of the truecrypt source code tar you downloaded (section 3.1) into your home directory (which for root will be /root). Make sure that the full file path to where you unpack the source code has no spaces in the name; otherwise the kernel module build will fail.
From a terminal or terminal emulator enter the 'Linux' directory within the unpacked source code directory and run:
tin-man:~# ./build.sh
Followed by:
tin-man:~# ./install.sh
In theory just running ./install.sh should work, but I have found that if there is already an existing built module in the directory the install script will just try and load that, which may be problematic as it will give no errors but could affect other running kernel modules.
After you have installed Truecrypt check module dependencies (also run this before making a new initrd with the command mkinitrd, to prevent errors regarding the module 'dm-truecrypt').
tin-man:~# depmod -a
A note about Truecrypt and new kernel updates
You should keep the source files in your root home directory as you will need to rebuild Truecrypt after every kernel update. Because you have installed kernel-symbols the module should always load and allow you to mount /home, even with the different kernel; however you may have odd hardware errors (on mine WIFI drops out) due to module conflicts so you should always re-build Truecrypt (it takes seconds after all) and run 'depmod -a'.
Keeping it in the root partition ensures that it is always available, even if Truecrypt won't mount /home anymore.
Remove old items from grub
The original grub entry for openSuSE can now be deleted from the grub menu. Make sure you update the failsafe entry too to match the new root filesystem. You may want to reboot to check it's all working.
Creating the home directory
Now that the root system is installed and working it's time to delete the old root file system, which in our example is on /dev/sda8.
Run the command:
tin-man:~# truecrypt -c /dev/sda8
You will be asked what volume type you want, select 'normal', and when asked which filesystem you want, 'fat' or 'none' select 'none', follow the rest of the instructions to create an encrypted file system.
There is no need to randomise this partition first as truecrypt will fill it with random data, this will take an hour or more depending on system speed and partition size. Again go and make some tea.
Formatting the home directory
Mount the new partition with the command:
tin-man:~# truecrypt /dev/sda8
This should mount the partition as /dev/mapper/truecrypt0, to format run the command:
tin-man:~# /sbin/mkfs.ext3 -j /dev/mapper/truecrypt0
If you don't intend to share this with windows then you can format the partition with any Linux filesystem (e.g. reiserfs).
Next un-mount the volume:
tin-man:~# truecrypt -d /dev/sda8
And run a test mount replacing the word 'yourpassword' with the password you used to create the truecrypt volume:
tin-man:~# truecrypt /dev/sda8 /home -p yourpassword
Setting up an auto-mount for /home
You now want to set the system up to mount this new truecrypt partition at boot, to do this edit the file /etc/init.d/boot.local as shown in the example here.
Reboot the system and check that the '/home' drive is mounted (the '/home' folder will go from being empty to containing a folder called 'lost+found'). Also keep an eye out to make sure that disk checking is run every so often.
Adding a user account
Now that the system has been created with an encrypted '/' (root) and '/home' you can add a user account. Do this using YaST.
If you have enabled the auto-mount option for the Truecrypt partition, and have your password in the boot.local file you can now set up the user account to log-in automatically. This is safe as the entire basic Linux system is secure (except for swap which is covered soon), and it means that you will only need to enter one password between boot and desktop!
That's the basic Linux system set-up, with the exception of the swap space, which you will deal with later.
Installing TCGINA and encrypting the Windows user account
Now that Truecrypt and WinRAR have been installed (earlier) you can extract and install TCGINA. Once installed go to the start menu and run:
'control userpasswords2'
Click on the advanced tab and then check the box 'Require users to press Ctrl+Alt+Delete', then click Ok and reboot the machine. This option is set to support TCGINA.
Once you have rebooted create a new user account, the one you actually want to use, log off, log into the new account (to make XP create the default folders etc), log out and log back into the first account.
Whilst we have disabled LM hashing for extra security make sure the password you use for the new account isn't the same as the one you use for either the Truecrypt or Linux root partitions.
Run Truecrypt and mount the shared encrypted partition on a high drive number, I use Z. This is because this drive must not change if you are to log into it as a user, and if you map the Truecrypt drive to drive E, then boot with a USB stick in the computer you will be unable to log-in.
Now run the TCGINA install program again and you should be able to move your user account to the encrypted partition. Next time you log into your new account you will log-in first via the Windows login, and then you will be asked for the Truecrypt partition password (unless your Windows password is the same as the Truecrypt one, in which case it may log you in automatically).
Once all this is done reboot the computer and log into Linux, open the root user account and go to '/home'. A new folder will be there called 'Documents and Settings'; change the permissions and group to match your Linux user account and set it to do this to all sub-folders and files.
Once done you can log back into Windows and move 'My Documents' to a convenient folder within your Linux home directory, I just use a folder called 'Documents' which is installed by default in the openSuSE system. Whenever you create a file in Windows now it will be saved with the permissions of your user account in Linux.
Moving the Windows pagefile to the Linux Swap partition
The SwapFS driver package can now be installed. Follow the instructions for installing the driver, when it comes to editing the registry entry Truecrypt can help.
Whilst on the Linux system the swap partition is partition 6 (/dev/sda6) under Windows it is '\Device\Harddisk0\Partition3'. If you run Truecrypt and click on 'Select Device' you will see a list of partitions as Windows sees them, and from that you should be able to determine the swap partition as Windows sees it and edit the registry entry correctly.
You can change the name of the drive in the last line from 'S:' to whatever you want, I use 'Y:' so it sits next to the Truecrypt partition.
An example can be seen here.
Re-boot the computer, if the registry entry was correct you should now have a new drive with a Fat file system. Go to the pagefile settings window, select drive Y: (or whatever you set yours as) and set the pagefile size, then un-set the pagefile from the 'C:' drive. If the drive appears with a '?' next to it in explorer check your registry settings and edit the registry to correct.
As an additional security option you should set the minimum and maximum sizes of the pagefile to the same maximum value. This ensures that each new pagefile completely overwrites the last, rather than a growing/ shrinking file receding and leaving confidential data on the swap drive for months. More security options for the pagefile are discussed further down this page, including how to delete or encrypt it.
Wiping the free space on Windows
You now need to ensure that any old data on the Windows C: drive (from before you started this whole process) is erased. Open power properties from the control panel and disable hibernation (which will delete hiberfil.sys). Now run defragment on the C: drive; as can be seen, now that the pagefile and hibernation files are gone there is no longer any unmoveable data on the drive.
Next run Eraser. You might want to reboot after the defragment as sometimes Eraser can cause errors when run on a recently defragmented drive. Set eraser to erase all free space on the C: drive and run, it will take 30 mins to several hours to run, depending on system and disk size.
Encrypting the system swap and hibernation space
The final part of this howto covers the system swap and hibernation spaces. There are several options here for system security, starting with the most basic and finishing with high level security options.
The higher security options, whilst providing a significant level of security, can carry with them a much higher maintenance requirement than the simple options.
Swap Space
On Windows this is the pagefile, and under Linux this is the swap partition.
Swap space is used when the computer runs out of physical memory (RAM); to free up physical memory, information is swapped out of RAM into the swap space.
Therefore, even though you have encrypted all of your personal files, folders and personal settings (and the Linux root) there is still the risk that sensitive data will leak out into the swap space.
Of course if you are confident that your system has so much RAM it will never use swap space, and you will never want to suspend Linux to disk then you can set Windows to have no pagefile, and delete the Linux swap; for the rest of you, you have to look at either deleting or encrypting this data (see below).
Hibernation
When a system hibernates it saves the contents of RAM into a file on the hard disk. In Windows this file is always on the C: drive (it cannot be moved) and is called hiberfil.sys. On Linux this is a RAM disk image stored on the swap partition.
As above there is a risk that sensitive data will be saved to the hard disk, in fact there is a greater risk as you will be deliberately dumping the entire contents of RAM to the disk.
On very secure systems it's best to disable hibernation altogether on both systems; if you want this feature you have to look at encrypting this data too.
Simple steps - Wiping/ encrypting Swap and deleting/ encrypting the pagefile
Your system is already more secure than a standard system; by having both Windows and Linux write to the same swap space you are ensuring that anything on the partition is regularly overwritten with data of different formats.
Another basic step you can do is have the Linux system wipe the swap partition on reboot, and have the Windows system delete the pagefile.
Skip these sections (wipe swap, delete pagefile, simple encrypted swap) if you intend to use the advanced techniques discussed later.
Linux - wipe the swap partition
This will add up to a minute to the shutdown time (with a 2GB swap, and about 30s with an 800MB swap) but will provide an extra level of security when combined with the delete pagefile step below.
You are going to add a series of commands to the /etc/init.d/halt.local script, which will be executed as root once the system is almost shut down.
Open the file with your favourite text editor and add the following lines:
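# Wipe the swap partition at shutdown, then recreate it as swap
swapoff /dev/sda6
# dd stops with "No space left on device" once the partition is full; this is expected
dd if=/dev/zero of=/dev/sda6 bs=4096
mkswap /dev/sda6
swapon /dev/sda6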
You may want to try executing the 'dd' command from a terminal as root (after first making sure you have switched off swap) using different block sizes (the 'bs' option) to see what is the optimal setting for your system, and hence speed up the /dev/zero and shutdown processes. However even with the optimal setting you will still see a significant increase in the shutdown time.
Windows - Delete the pagefile on reboot
This is achieved by a simple registry change; it isn't necessary if you use the feature above to wipe the swap partition and regularly boot Linux.
Go to the start menu and run 'regedit' then navigate to the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
Set the value 'ClearPageFileAtShutdown' to 1. This will add an extra delay to the Windows shutdown whilst the pagefile is deleted.
Linux - simple encrypted swap without hibernate or Windows pagefile share
I've included this for completeness, but it goes very much against the idea of this howto. If you need to have an encrypted swap there is an advanced example later of how to have an encrypted swap with pagefile partition sharing and encrypted hibernate.
First of all log into Windows and move the pagefile to another partition. Then log into Linux and run YaST. Open the partitioning tool and format the swap as an encrypted partition. You don't have to enter a password, and if you don't a new encryption key will be created each time you boot based on /dev/urandom.
That's it, an encrypted swap which even the system itself will be unable to access after reboot, which is why hibernate will no longer be available, and even if you enter a set password the Kernel will not be able to load the partition at boot, hence, again, no hibernate feature.
Windows - Encrypting the pagefile on the fly
For the person who wants an easy life (before you get on to the more advanced security stuff) there is the free software package CryptoSwap Guerrilla, which will encrypt the Windows pagefile on the fly. It is recommended that you still use this package with a separate partition (such as the shared swap) rather than keeping your pagefile on the C: drive.
If you want to use the expert options you should use the shared swap partition and CryptoSwap Guerrilla.
Note: by default CryptoSwap will enable the Windows option to delete the pagefile on shutdown/ reboot. This is not really necessary as the pagefile data is encrypted; it will just make shutting down take longer.
Luckily CryptoSwap contains a standard registry entry to disable this, which can be found in the directory you installed CryptoSwap to (e.g. 'C:\Program Files\CryptoSwap Guerilla').
Linux - Encrypt the hibernate disk image
The standard openSuSE 10.3 installation includes the option to encrypt the hibernate RAM disk image. The image is still stored on the swap partition, and the partition is still unencrypted; however, the image itself can't be read.
To enable this open /etc/suspend.conf with a text editor; scroll down and un-comment (remove the # at the start of the line) the following options:
- Encrypt=Y
- RSA key file=/etc/suspend.key (or whatever the keyfile is to be called)
An example suspend.conf file can be seen here.
When you now suspend to disk the system will ask you for a password, and then write it to the file specified in the RSA Key file option. As the root file system is encrypted this is very secure.
If you want to use the expert options (below) you should enable this feature.
Expert steps - Encrypted pagefile, swap and Linux Hibernate
This section is for experts or the very paranoid who know how to carry out maintenance on their system if an error occurs during a system change, such as a new Kernel via online update.
There is no need to read this section if you are only using Windows.
It's not that this method causes any errors under the current openSuSE 10.3 system, but you will be regularly changing the format of a key system partition and this may cause a boot failure following future system updates. You should be comfortable dealing with such issues before enabling these options.
Warning
Please note; if your system regularly uses large chunks of the Linux swap partition (for example if it is low on resources), or is likely to just prior to the hibernate process then do not use this method as errors will occur when resuming and work can be lost. This method is particularly not recommended for systems with limited resources.
A swap space monitoring package (several are provided with openSuSE 10.3) will tell you what your usage is like.
Most systems however should have no problem.
A note on Windows hibernate
At the time of writing there were no free software packages that could encrypt the Windows hibernate file.
The hiberfil.sys file also cannot be moved from the C: drive so unless you purchase software to encrypt the C: drive there is no way to securely operate Windows hibernate, and if your system needs to be fully secure disable the feature (Control Panel=> Power=> Hibernate Tab).
If you do need to use hibernate then I recommend that you regularly disable hibernate (which will delete hiberfil.sys), defragment and run Eraser as described earlier, and then re-enable hibernate.
Alternatively install a 2nd physical hard disk for Linux (if an option) and use CompuSec or purchased software to encrypt the whole Windows physical drive.
Boot manager - use Grub
I recommend that you use the Grub boot manager and not the Windows boot manager when using the encrypted hibernate option.
This is because if you hibernate your Linux system and then boot Windows, the Windows pagefile will overwrite the RAM disk image created by Linux, and you will lose whatever you were working on in Linux. If you use the Grub boot manager you are forced to resume and shut down Linux before booting Windows.
Alternatively just remember not to boot Windows, or move your pagefile to an alternate partition.
Creating an encrypted swap system, compatible with pagefile sharing and using encrypted Linux hibernate
Before you start, install CryptoSwap Guerrilla and configure the Windows pagefile as described earlier. Also enable the encrypted hibernate option in Linux.
This method will change the state of the swap partition when booting, hibernating and shutting down.
When the system is running the swap partition will be encrypted with a random keyfile created from /dev/urandom.
When it is switched off the swap partition will be clean formatted and unencrypted; the only data that can be recovered from it will be fragments of encrypted data from the Windows and Linux systems.
When the system is hibernated (Linux only) it will be a freshly formatted swap partition with an encrypted RAM disk image on it.
Sadly, because the swap/ resume partition presented to the Kernel at boot is fundamentally different from the one it sees whilst running, you may have to do some re-configuring of your system during certain updates. Ensure you are comfortable doing this before enabling this option.
Getting started
Configure the system to use CryptoSwap Guerrilla and the encrypted Linux hibernate image.
The following steps must be followed before rebooting the system.
Remove swap devices from /etc/fstab
Open fstab in a text editor as root and delete any line referring to a swap partition.
Edit /etc/init.d/boot.local
You are going to edit the local boot script (which contains your Truecrypt mount command) to create and mount an encrypted swap partition.
An example of this boot.local can be found here.
Edit /etc/init.d/halt.local
Next edit the local halt script to turn off swap, dismount the encrypted swap partition and format it as a standard swap partition.
An example halt.local can be found here.
Create a script for hibernating the computer
User scripts used during the hibernation of a computer are stored in the directory:
- /etc/pm
These are executed along with the system scripts in numerical order, based on the name of the script (which can be between 00 and 99, however most have been used). If you do not know what you are doing with power management just follow the exact instructions here (noting that they are for a default openSuSE 10.3 system). To create the script enter the directory:
- /etc/pm/sleep.d
And create a file called '04swapencryption'. An example showing the contents of this file can be found here. Make sure you edit the script to match your swap file partition, and make sure the name starts with '04' (as in 'zero four').
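The three state changes described above (boot.local, halt.local and the 04swapencryption hook) written as one script; this is an added example, not the author's linked files. It assumes dm-crypt through cryptsetup, a hypothetical mapping name cryptswap, and that pm-utils passes hibernate or thaw to the hook as its first argument; it only prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example, not the howto's linked scripts. Prints the commands unless
# DRY_RUN=0 is set (run as root to really execute them).
SWAP_DEV=${SWAP_DEV:-/dev/sda6}   # swap partition used throughout the howto
MAP_NAME=${MAP_NAME:-cryptswap}   # hypothetical dm-crypt mapping name
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Running state: swap lives on a dm-crypt mapping keyed from /dev/urandom,
# so the key exists only in RAM and is gone at power-off.
# (Assumption: current cryptsetup syntax; old releases use create/remove.)
swap_encrypted() {
    run cryptsetup open --type plain --key-file /dev/urandom \
        --cipher aes-xts-plain64 --key-size 256 "$SWAP_DEV" "$MAP_NAME" &&
    run mkswap "/dev/mapper/$MAP_NAME" &&
    run swapon "/dev/mapper/$MAP_NAME"
}

# Leave the running state. swapoff has to pull every swapped-out page back
# into RAM; if it fails the chain stops and the partition is left untouched.
swap_release() {
    run swapoff "/dev/mapper/$MAP_NAME" &&
    run cryptsetup close "$MAP_NAME"
}

# One entry point for all three files: boot.local calls "boot", halt.local
# calls "halt", and the sleep.d hook passes on the argument from pm-utils.
swap_state() {
    case "$1" in
        boot)      swap_encrypted ;;
        halt)      swap_release && run mkswap "$SWAP_DEV" ;;
        hibernate) swap_release && run mkswap "$SWAP_DEV" &&
                   run swapon "$SWAP_DEV" ;;   # plain swap holds the image
        thaw)      run swapoff "$SWAP_DEV" && swap_encrypted ;;
        suspend|resume) : ;;                   # suspend to RAM: no change
        *) echo "usage: $0 boot|halt|hibernate|thaw" >&2; return 2 ;;
    esac
}

if [ "$#" -gt 0 ]; then swap_state "$1"; fi
```

In dry-run mode `swap_state hibernate` lists the order of operations, which shows why heavy swap use just before hibernating is a problem: the swapoff step must fit everything back into RAM first.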
Filling the swap partition with random data
You have now ensured that no more un-encrypted data will ever be written to the swap partition so you should now ensure that any old data from the previous system on this computer is overwritten.
Run the following commands and then reboot. Once it is back up, the system should be fully encrypted, with the exception of the Windows C: drive.
tin-man:~# swapoff /dev/sda6
tin-man:~# dd if=/dev/urandom of=/dev/sda6 bs=4096
As before this will take some time, but setting the block size to one suited to your system should make it possible to continue working until the command is finished. Of course with no swap the system may be slow.
Bugs and issues to note
Now that you have done all that work I should mention a few of the bugs you may experience.
Unable to mount Truecrypt in Windows after Linux crash and vice-versa
When using a shared encrypted /home drive:
If the system dies unexpectedly (i.e. unplugged or switched off) you will have to re-boot into the operating system you were using prior to the crash, otherwise Truecrypt won't mount the shared drive until you re-mount it from that OS. Minor crashes can sometimes happen during shutdown; if they happen regularly, add a command to halt.local to manually unmount the Truecrypt partition before the system is halted (an example is shown here).
Resume fails or data is missing after hibernate
This can happen when using the advanced system described at the end of the howto. It happens because a large amount of data was still on the swap partition prior to the hibernate script wiping the partition. If this happens regularly you should either stop using this encryption technique, stop using hibernate, reduce the system overhead before hibernating (e.g. stop any unnecessary processes or do not use any particularly onerous packages) or install more RAM.
Spyware software doesn't work
At least one free spyware package, Spyware Doctor (free via Google Pack) will have errors when installing and loading on this system.
However AVG Anti-Spyware (free) and Windows Defender work fine with this system.