Link to home
Start Free TrialLog in
Avatar of Johnny
JohnnyFlag for United States of America

asked on

How best to secure Swap space inside of Ubuntu

Swap space on Linux:  Does anyone have some really good insight into securing swap space on Ubuntu specifically.  One way Ive been thinking of handling it is to increase swappiness to 85 - or 90% rather than leave it at around 60% which my understanding is the basic default.  Physical access isnt an issue, and system ram is extensive, and can be added to, but still should more be done?
Avatar of omarfarid
omarfarid
Flag of United Arab Emirates image

In the past when server memory were in MBs, the recommendation was to reserve swap space 2 to 4 times the physical memory size.

Now servers are having huge memory in GBs. So the above recommendation may not be the best.

You need to understand the type of appications you will be running on your server and the memory requirements of such applications and reserve space accordingly.


Avatar of Dr. Klahn
Dr. Klahn

As I understand your question, you are concerned about something scavenging information from the swap partition.

On Debian or Ubuntu, it is straightforward to encrypt the swap partition.

https://feeding.cloud.geek.nz/posts/encrypted-swap-partition-on/

But there is a porcupine hiding in the tree:  This increases the overhead of swapping operations by at least twenty-fold.  Normal swapping is a simple DMA out to or DMA in from the swap disk.  When the swap partition is encrypted, every swap access brings the system to a halt as it encrypts or decrypts the swapped data at kernel level.  It would be necessary to far overprovision the system with main memory to minimize the amount of swapping and the associated kernel level overhead.

If the system in question doesn't swap very much, possibly a better solution is swapping to a RAM disk, e.g., zswap or zram-for-swap.
Avatar of Johnny

ASKER

Yes, I am concerned about the security of the server in question, and its possible impact if it is compromised.  Encrypting will not be a good solution as the server distributes software applications to approximately 45000 users.  MY main concern is the looting of passwords, or accessing something from swap to in turn crack into the rest of the network.
I really want to avoid encryption as much as possible because of the nature of the servers usage.  Thank you
Swap space is usually not accessible by normal users. Who is trying to access swap space?

What type of passwords you want to protect here?
Then I would look at zswap.
You said, "Yes, I am concerned about the security of the server in question, and its possible impact if it is compromised."

1) Only a root user can access swap space.

2) If a root user has access to your machine, then encrypting swap space has no meaning, as once someone has root, there's no requirement to try to scrub through swap space, as the entire machine is open.

3) If you must encrypt swap space, use Dr. Klahn's suggestions.

4) Another approach (I use this) is to use enough memory you disable swap space.
David's comment above is well taken.  Any intruder with root does not need to go through the trouble of side channel attacks on memory or swap space.
Said another way, if I just hacked a system... like accessing one of the 2x Linux Kernel Zero Days from a few years ago, I now have root access of the entire machine... in a way I can't be seen or tracked...

The last thing I'd be doing is snooping around swap space, I'd be stealing database data + ssh keypairs + maybe copying off digital product downloads offered for sale.

If I had root access, slogging through swap space would never enter my mind.
As mentioned by expers only root user can access swap area.
If applications are using encrypted passwords or data then this is safe.
ASKER CERTIFIED SOLUTION
Avatar of Johnny
Johnny
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial