SYS-CON MEDIA Authors: Liz McMillan, Carmen Gonzalez, Zakia Bouachraoui, Roger Strukhoff, David Linthicum

Blog Feed Post

Encrypted Swap in OpenSolaris 2009.06

Back in December 2008, LOFI encryption support was added to Solaris Nevada (build 105). With the release of OpenSolaris 2009.06, this functionality is now available as part of a released product. What does this have to do with encrypted swap you may ask? To get your answer, you need only review the lofi(7d) crypto support architectural review case (PSARC/2007/001). Toward the bottom is a section titled "Encrypted Swap". This information gives us everything that we need to enable encrypted swap on OpenSolaris -- almost.

The problem is that the encrypted swap portion of this ARC case was never completed as it is expected that the ZFS encryption project will provide this functionality when it integrates. Unfortunately, ZFS encryption is not here today, so until it is - we can enable a workaround using LOFI encryption. There are some "issues" to consider when using LOFI encryption that Darren Moffat covers well in his post on this subject.

So, without further ado, let's get to the particulars. To enable encrypted swap in OpenSolaris 2009.06, you need only follow the following steps.

Note that the following instructions assume that privileged operations will be executed by someone with administrative access (directly or via Solaris role-based access control). For the examples below, no changes were made to the default RBAC configuration. The commands as written were executed as the user created during the installation process.
  • Prevent the system from automatically adding swap devices or files. This is actually a little trickier than it sounds since the /sbin/swapadd program, called during the boot process, will attempt to use anything defined as swap that is not commented. I would prefer not to comment the files as it would then be harder to tell the difference between those we wanted to use for encrypted swap and those that were commented for some other reason. To work around this issue, you simply must edit the /etc/vfstab file and define the swap device or file as something other than "swap". For the scripts discussed below, we will use the key "enc-swap". Here is an example from /etc/vfstab:

    $ grep enc-swap /etc/vfstab
    /dev/zvol/dsk/rpool/swap      -      -      enc-swap      -      no      -
    $ swap -l
    No swap devices configured

  • Remove the existing swap devices or files. It is likely that your system will have already added the swap devices or files to the system. To determine if this is the case, simply use the following command:

    $ swap -l
    swapfile                   dev    swaplo   blocks     free
    /dev/zvol/dsk/rpool/swap 182,2         8  1226744  1226744

    If there are devices or files already configured, remove them using the following command:

    $ pfexec swap -d /dev/zvol/dsk/rpool/swap
    $ swap -l
    No swap devices configured

    If swap is in use, you may need to reboot you system in order to remove the device at this point. Note that the previous step (where the file system type was changed to enc-swap) will ensure that the device or file is not used upon boot.)

  • Add the encrypted swap SMF service. Here is where the magic lives. You will need to download the archive containing the encrypted swap SMF service manifest and method files. Note that these files are user contributed and as such are not officially a part of the OpenSolaris release nor are they officially supported by Sun. If you are ok with these terms, you should now download the archive and install the files using the following commands:

    $ wget -qnd
    $ bzip2 -d -c ./smf-encrypted-swap-v0.1.tar.bz2 | tar xf -
    $ cd ./smf-encrypted-swap
    $ pfexec ./
    $ svccfg import /var/svc/manifest/site/isc-enc-swap.xml

    The script is used to copy this service's SMF manifest and method scripts into the proper locations as well as set correct ownership and permissions of these files.

  • Verify the service is running and encrypted swap is configured. The last step is to verify that everything is working as expected. Use the following commands to verify the service was properly installed and enabled:

    $ svcs isc-encrypted-swap
    STATE          STIME    FMRI
    online         14:30:10 svc:/system/isc-encrypted-swap:default

    Use the following commands to verify that encrypted swap is in use:

    $ lofiadm
    Block Device             File                           Options
    /dev/lofi/1              /devices/pseudo/[email protected]:2c       Encrypted
    $ swap -l
    swapfile             dev    swaplo   blocks     free
    /dev/lofi/1         144,1         8  1226728  1226728

    The last two commands show that an encrypted block device was created at /dev/lofi/1 and that the device is currently in use as a swap device. It should be noted that no password, passphrase or other credential was given when the encryption was configured. This is because this service is configured to use an ephemeral key. The key is not stored on the system and is lost when the system is restarted. Upon each reboot, a new encrypted block device with a new ephemeral key will be used to configure encrypted swap.

Note that the examples above have shown the service with a single swap device, but the SMF service has been written to support multiple swap devices or files. For example, a secondary swap file could be created using the following steps:

$ pfexec zfs create -V 1G rpool/export/swapfile

$ pfexec vi /etc/vfstab
[add the new entry for rpool/export/swapfile as verified in the next step]

$ grep enc-swap /etc/vfstab
/dev/zvol/dsk/rpool/swap      -      -      enc-swap      -      no      -
/dev/zvol/dsk/rpoo/export/swapfile      -      -      enc-swap      -      no      -

$ svcadm restart isc-encrypted-swap

$ lofiadm
Block Device             File                           Options
/dev/lofi/1              /devices/pseudo/[email protected]:2c       Encrypted
/dev/lofi/2              /devices/pseudo/[email protected]:3c       Encrypted

$ swap -l
swapfile             dev    swaplo   blocks     free
/dev/lofi/1         144,1         8  1226728  1226728
/dev/lofi/2         144,2         8  2097128  2097128

There you have it! Enabling encrypted swap in OpenSolaris 2009.06 is as easy as following these few simple steps. It is worth reiterating that this solution is just a temporary workaround. Once ZFS encryption is available, it should be used instead of this approach. In the meantime, however, if you are interested in enabling encrypted swap on your OpenSolaris 2009.06 systems, give this model at try and please be sure to send along your feedback!

Take care!

P.S. Some of you may be wondering why the SMF service and associated files are labeled with an ISC prefix? The answer is simple. They were developed and are being used as part of the Immutable Service Container project! Look for more information and materials from this project in the near future!

Technorati Tag:

Read the original blog entry...

More Stories By Glenn Brunette

Glenn Brunette is a Distinguished Engineer and Chief Security Architect at Sun Microsystems. For over 15 years, he has designed and delivered security architectures and solutions supporting a wide array of global customers. Currently, he has focused his efforts on improving security for cloud computing and other highly dynamic and scalable architectures.

Latest Stories
The platform combines the strengths of Singtel's extensive, intelligent network capabilities with Microsoft's cloud expertise to create a unique solution that sets new standards for IoT applications," said Mr Diomedes Kastanis, Head of IoT at Singtel. "Our solution provides speed, transparency and flexibility, paving the way for a more pervasive use of IoT to accelerate enterprises' digitalisation efforts. AI-powered intelligent connectivity over Microsoft Azure will be the fastest connected pat...
There are many examples of disruption in consumer space – Uber disrupting the cab industry, Airbnb disrupting the hospitality industry and so on; but have you wondered who is disrupting support and operations? AISERA helps make businesses and customers successful by offering consumer-like user experience for support and operations. We have built the world’s first AI-driven IT / HR / Cloud / Customer Support and Operations solution.
ScaleMP is presenting at CloudEXPO 2019, held June 24-26 in Santa Clara, and we’d love to see you there. At the conference, we’ll demonstrate how ScaleMP is solving one of the most vexing challenges for cloud — memory cost and limit of scale — and how our innovative vSMP MemoryONE solution provides affordable larger server memory for the private and public cloud. Please visit us at Booth No. 519 to connect with our experts and learn more about vSMP MemoryONE and how it is already serving some of...
Darktrace is the world's leading AI company for cyber security. Created by mathematicians from the University of Cambridge, Darktrace's Enterprise Immune System is the first non-consumer application of machine learning to work at scale, across all network types, from physical, virtualized, and cloud, through to IoT and industrial control systems. Installed as a self-configuring cyber defense platform, Darktrace continuously learns what is ‘normal' for all devices and users, updating its understa...
Codete accelerates their clients growth through technological expertise and experience. Codite team works with organizations to meet the challenges that digitalization presents. Their clients include digital start-ups as well as established enterprises in the IT industry. To stay competitive in a highly innovative IT industry, strong R&D departments and bold spin-off initiatives is a must. Codete Data Science and Software Architects teams help corporate clients to stay up to date with the mod...
As you know, enterprise IT conversation over the past year have often centered upon the open-source Kubernetes container orchestration system. In fact, Kubernetes has emerged as the key technology -- and even primary platform -- of cloud migrations for a wide variety of organizations. Kubernetes is critical to forward-looking enterprises that continue to push their IT infrastructures toward maximum functionality, scalability, and flexibility. As they do so, IT professionals are also embr...
Platform9, the leader in SaaS-managed hybrid cloud, has announced it will present five sessions at four upcoming industry conferences in June: BCS in London, DevOpsCon in Berlin, HPE Discover and Cloud Computing Expo 2019.
At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with expanded DevOpsSUMMIT and FinTechEXPO programs within the DXWorldEXPO agenda. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term. A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throug...
When you're operating multiple services in production, building out forensics tools such as monitoring and observability becomes essential. Unfortunately, it is a real challenge balancing priorities between building new features and tools to help pinpoint root causes. Linkerd provides many of the tools you need to tame the chaos of operating microservices in a cloud native world. Because Linkerd is a transparent proxy that runs alongside your application, there are no code changes required. I...
In his general session at 21st Cloud Expo, Greg Dumas, Calligo’s Vice President and G.M. of US operations, discussed the new Global Data Protection Regulation and how Calligo can help business stay compliant in digitally globalized world. Greg Dumas is Calligo's Vice President and G.M. of US operations. Calligo is an established service provider that provides an innovative platform for trusted cloud solutions. Calligo’s customers are typically most concerned about GDPR compliance, application p...
Modern software design has fundamentally changed how we manage applications, causing many to turn to containers as the new virtual machine for resource management. As container adoption grows beyond stateless applications to stateful workloads, the need for persistent storage is foundational - something customers routinely cite as a top pain point. In his session at @DevOpsSummit at 21st Cloud Expo, Bill Borsari, Head of Systems Engineering at Datera, explored how organizations can reap the bene...
"NetApp's vision is how we help organizations manage data - delivering the right data in the right place, in the right time, to the people who need it, and doing it agnostic to what the platform is," explained Josh Atwell, Developer Advocate for NetApp, in this interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
Druva is the global leader in Cloud Data Protection and Management, delivering the industry's first data management-as-a-service solution that aggregates data from endpoints, servers and cloud applications and leverages the public cloud to offer a single pane of glass to enable data protection, governance and intelligence-dramatically increasing the availability and visibility of business critical information, while reducing the risk, cost and complexity of managing and protecting it. Druva's...
Kubernetes as a Container Platform is becoming a de facto for every enterprise. In my interactions with enterprises adopting container platform, I come across common questions: - How does application security work on this platform? What all do I need to secure? - How do I implement security in pipelines? - What about vulnerabilities discovered at a later point in time? - What are newer technologies like Istio Service Mesh bring to table?In this session, I will be addressing these commonly asked ...
BMC has unmatched experience in IT management, supporting 92 of the Forbes Global 100, and earning recognition as an ITSM Gartner Magic Quadrant Leader for five years running. Our solutions offer speed, agility, and efficiency to tackle business challenges in the areas of service management, automation, operations, and the mainframe.