Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Gentoo: OSX

Re: Encrypted Swap on Mac OS X

 

 

Gentoo osx RSS feed   Index | Next | Previous | View Threaded


bwaters+mac at aoc

Sep 14, 2004, 10:54 PM

Post #1 of 12 (1565 views)
Permalink
Re: Encrypted Swap on Mac OS X

Pablo (and Andreas):

An update on mac OS X encrypted swap with my startup script, which uses
dynamically-sized sparseimage instead of a fixed-size image...
Attachments: StartupParameters.plist (0.46 KB)
  encryptSwap (1.75 KB)


sauron at osmos

Sep 14, 2004, 11:41 PM

Post #2 of 12 (1522 views)
Permalink
Re: Re: Encrypted Swap on Mac OS X [In reply to]

I was reading a couple stories linked from macrumors.com today -
apparently, encrypted swap is a planned 'feature' for 10.4 - not sure
whether it's present in the latest builds or not. Perhaps testing
efforts should focus on Panther/Jaguar releases (not sure about Darwin
releases).

On Sep 14, 2004, at 10:54 PM, Boyd Waters wrote:
> It seems to work in Tiger prerelease (10.4) -- most of the time!
> Sometimes the startup will fail, and you're back to writing swapfiles
> to your hard disk (unencrypted).
--
Paul Handly
sauron [at] osmos
http://www.osmos.org


--
gentoo-osx [at] gentoo mailing list


alexander at gentoo

Sep 16, 2004, 4:16 AM

Post #3 of 12 (1524 views)
Permalink
Re: Re: Encrypted Swap on Mac OS X [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Do you think you could make a howto guide on my wiki?:

http://penguincluster.com/cgi-bin/wiki.pl/EncryptedSwap

On Sep 15, 2004, at 1:54 AM, Boyd Waters wrote:

> Pablo (and Andreas):
>
> An update on mac OS X encrypted swap with my startup script, which
> uses dynamically-sized sparseimage instead of a fixed-size image...
>
> <StartupParameters.plist> <encryptSwap>
>
>
> It seems to work in Tiger prerelease (10.4) -- most of the time!
> Sometimes the startup will fail, and you're back to writing swapfiles
> to your hard disk (unencrypted).
>
> Seems to be timing-related. It's working now, so I'll try not to shut
> down!
>
> Two ways to tell: use "hdiutil info" or "mount" to determine if the
> sparseimage is actually mounted.
>
> Another thing to do: I put a "flag" file in my mount-point directory,
> an empty file named PLAINTEXT. So when I look in my swap directory, if
> I see the PLAINTEXT file, I know immediately that my startup script
> failed. (No, there is no useful information in the system log, even
> though I put some "ConsoleMessage" calls in there...)
>
> Under 10.3.x, using sparseimage for loopback-encrypted-swap results in
> a hard lockup. Likewise 10.4, unless the "-kernel" option is
> specified. If such option is used under 10.3.x, the hdituil call will
> simply fail, plaintext swap results.
>
> I worked many hours yesterday to edit an /etc/rc script that would
> improve the reliability of my startup script. No luck. I simply do not
> know enough...
>
> When it comes to block-device access, Mac OX diverges quite radically
> from xBSD or other Unix. A proper implementation would require an
> IOKit driver, I think: and encrypted-disk driver. (I was aiming for
> such a thing for whole-disk encryption, but it turns out there is no
> userspace hook for mounting nullfs...)
>
> It may be that you could obtain boot-time encryption by looking at the
> NetBoot stuff; NetBoot on Mac expects a disk image passed across the
> network as a mountable boot volume.
>
>
> All this, plus scripts, reported to Apple via a bug. Total feedback
> was: "marked duplicate".
>
>
> Note that today on Slashdot was a discussion of a USB thumb drive by
> Lexar that stored the password on the drive, thus rendering the
> product's AES-256 encryption useless. Apple's FileVault is almost as
> bone-headed.
>
> Cheers!
>
> ~ boyd
> Boyd Waters
> Socorro, New Mexico
>
>
>> Thanks for the tips. I've started using Andreas' script, and it is
>> working quite well. Hopefully you can get your script working again
>> with sparse images; just as swap on Mac OS X grows dynamically, it
>> would be ideal for the container (the disk image) to grow as well.
>> Until then, I have just made a nice, large fixed-size disk image.
>> Disk space is cheap these days....
>>
>> I'm also surprised that this issue hasn't gotten more attention - in
>> my opinion, the fact that the swap file is unencrypted renders some
>> Mac OS X security features (ie FileVault) nearly useless. I have run
>> my Powerbook without swap for the last year and a half, and haven't
>> encountered too many problems with it, but once in a while it would
>> fail spectacularly when I was running a particularly memory-intensive
>> application. I can encrypt swap on my Linux and OpenBSd boxes, so why
>> not Mac OS X?
>>
>> I wonder if anyone has raised this issue with Apple? Seems like an
>> excellent feature for Tiger....
>>
>> Regards,
>>
>> Pablo Salazar
>> Consulting Engineer
>> CCIE (Security) #11024
>> Advanced Services Network Security
>> Cisco Systems
> --
> gentoo-osx [at] gentoo mailing list
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFBSXYKjT8HAJRHzi0RAkx6AJ9Uov0qhxH5czKBJCsYs8P3bQW27gCgm/YM
r46Doilr7AemwIQBZOQ4Tj0=
=gFUO
-----END PGP SIGNATURE-----


--
gentoo-osx [at] gentoo mailing list


varaldi at enseirb

Sep 16, 2004, 4:24 AM

Post #4 of 12 (1522 views)
Permalink
Re: Re: Encrypted Swap on Mac OS X [In reply to]

Alexander Plank wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Do you think you could make a howto guide on my wiki?:
>
> http://penguincluster.com/cgi-bin/wiki.pl/EncryptedSwap
>

j**** (en español)
Can't we use one place for all documentation ? I mean, we have an
official documentation for gentoo-osx, *good*.
Then, gentoo_for_macosx on gentoo-wiki.com. *good*.
Then, gentoo-darwin has his own wiki. *good* ?

I'm not gonna translate pages from all those links. I simply can't do
that. Why not asking thrasher to add a category "gentoo-darwin" or
"gentoo on ppc" on gentoo-wiki.com to get all information at the same
place ? (ok, the official docs should be in the official place, but the
other docs ... ?)
If I'm doing translation of documentations for gentoo-darwin, Those
translation won't be on penguincluster.com's wiki. but on
fr.gentoo-wiki.com. Because for me that's a bit more easy to do it.

What do you think about it ?

(yeah I know I'm a bit late with French translations of official docs
and gentoo_for_macosx should be updated, but I have plenty of work now,
that won't be as fast as before)

--
Clément VARALDI

--
gentoo-osx [at] gentoo mailing list


alexander at gentoo

Sep 16, 2004, 4:30 AM

Post #5 of 12 (1531 views)
Permalink
Re: Re: Encrypted Swap on Mac OS X [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sure. It would be better to use gentoo-wiki.com. Sorry, I wasn't
thinking straight. Actually, I thought that this had nothing to do with
gentoo so it might be out of place on gentoo-wiki.com. But just use
gentoo-wiki http://gentoo-wiki.com/MacOS_Encryption

On Sep 16, 2004, at 7:24 AM, Clément VARALDI wrote:

> Alexander Plank wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Do you think you could make a howto guide on my wiki?:
>>
>> http://penguincluster.com/cgi-bin/wiki.pl/EncryptedSwap
>>
>
> j**** (en español)
> Can't we use one place for all documentation ? I mean, we have an
> official documentation for gentoo-osx, *good*.
> Then, gentoo_for_macosx on gentoo-wiki.com. *good*.
> Then, gentoo-darwin has his own wiki. *good* ?
>
> I'm not gonna translate pages from all those links. I simply can't do
> that. Why not asking thrasher to add a category "gentoo-darwin" or
> "gentoo on ppc" on gentoo-wiki.com to get all information at the same
> place ? (ok, the official docs should be in the official place, but
> the other docs ... ?)
> If I'm doing translation of documentations for gentoo-darwin, Those
> translation won't be on penguincluster.com's wiki. but on
> fr.gentoo-wiki.com. Because for me that's a bit more easy to do it.
>
> What do you think about it ?
>
> (yeah I know I'm a bit late with French translations of official docs
> and gentoo_for_macosx should be updated, but I have plenty of work
> now, that won't be as fast as before)
>
> --
> Clément VARALDI
>
> --
> gentoo-osx [at] gentoo mailing list
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFBSXlQjT8HAJRHzi0RAowEAKCTIC7meyWOU5zIX58wRLj4lsitzACfUhes
sS4nbrW4t2r/x1f04q57Jb4=
=EoKy
-----END PGP SIGNATURE-----


--
gentoo-osx [at] gentoo mailing list


varaldi at enseirb

Sep 16, 2004, 4:39 AM

Post #6 of 12 (1522 views)
Permalink
Re: Re: Encrypted Swap on Mac OS X [In reply to]

Alexander Plank wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Sure. It would be better to use gentoo-wiki.com. Sorry, I wasn't
> thinking straight. Actually, I thought that this had nothing to do
> with gentoo

You're right. But if we could have a "gentoo on ppc" category on
gentpp-wiki.com, I think it g-w should be the right place.

> so it might be out of place on gentoo-wiki.com. But just use
> gentoo-wiki http://gentoo-wiki.com/MacOS_Encryption
>
I'll ask thrasher what he thinks about it.

--
Clément Varaldi
(iznogoud_)


--
gentoo-osx [at] gentoo mailing list


pvdabeel at gentoo

Sep 16, 2004, 5:13 AM

Post #7 of 12 (1520 views)
Permalink
Re: Re: Encrypted Swap on Mac OS X [In reply to]

Hi,

Even though gentoo-wiki is not an gentoo official project,
Gentoo-wiki.org is the preferred location to draft documentation
related to the macos or darwin project.

I'd like to see the gentoo-darwin wiki moved over there too, if that's
possible. Obviously as an author one is free to put his/her name, site
(or picture) as 'author info' on the documents. That info will be
included when the documents are converted to official guide xml.

Pieter

On 16 Sep 2004, at 13:30, Alexander Plank wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Sure. It would be better to use gentoo-wiki.com. Sorry, I wasn't
> thinking straight. Actually, I thought that this had nothing to do
> with gentoo so it might be out of place on gentoo-wiki.com. But just
> use gentoo-wiki http://gentoo-wiki.com/MacOS_Encryption
>
> On Sep 16, 2004, at 7:24 AM, Clément VARALDI wrote:
>
>> Alexander Plank wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Do you think you could make a howto guide on my wiki?:
>>>
>>> http://penguincluster.com/cgi-bin/wiki.pl/EncryptedSwap
>>>
>>
>> j**** (en español)
>> Can't we use one place for all documentation ? I mean, we have an
>> official documentation for gentoo-osx, *good*.
>> Then, gentoo_for_macosx on gentoo-wiki.com. *good*.
>> Then, gentoo-darwin has his own wiki. *good* ?
>>
>> I'm not gonna translate pages from all those links. I simply can't do
>> that. Why not asking thrasher to add a category "gentoo-darwin" or
>> "gentoo on ppc" on gentoo-wiki.com to get all information at the same
>> place ? (ok, the official docs should be in the official place, but
>> the other docs ... ?)
>> If I'm doing translation of documentations for gentoo-darwin, Those
>> translation won't be on penguincluster.com's wiki. but on
>> fr.gentoo-wiki.com. Because for me that's a bit more easy to do it.
>>
>> What do you think about it ?
>>
>> (yeah I know I'm a bit late with French translations of official docs
>> and gentoo_for_macosx should be updated, but I have plenty of work
>> now, that won't be as fast as before)
>>
>> --
>> Clément VARALDI
>>
>> --
>> gentoo-osx [at] gentoo mailing list
>>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (Darwin)
>
> iD8DBQFBSXlQjT8HAJRHzi0RAowEAKCTIC7meyWOU5zIX58wRLj4lsitzACfUhes
> sS4nbrW4t2r/x1f04q57Jb4=
> =EoKy
> -----END PGP SIGNATURE-----
>
>
> --
> gentoo-osx [at] gentoo mailing list
>


--
gentoo-osx [at] gentoo mailing list


pvdabeel at gentoo

Sep 16, 2004, 5:15 AM

Post #8 of 12 (1522 views)
Permalink
Re: Re: Encrypted Swap on Mac OS X [In reply to]

On 16 Sep 2004, at 14:13, Pieter Van den Abeele wrote:

> Hi,
>
> Even though gentoo-wiki is not an gentoo official project,
> Gentoo-wiki.org is the preferred location to draft documentation
> related to the macos or darwin project.

make that gentoo-wiki.com

Pieter


--
gentoo-osx [at] gentoo mailing list


bwaters+mac at aoc

Sep 17, 2004, 11:57 AM

Post #9 of 12 (1524 views)
Permalink
Re: Re: Encrypted Swap on Mac OS X [In reply to]

Ouch!

I just spent an hour creating a new page on the gentoo-wiki, but I hit
control-E (in FireFox) and the my edits disappeared! Poof!

Lunch hour is over; you will all have to wait for my contribution to
the wiki. Sorry!

~ boyd

--
gentoo-osx [at] gentoo mailing list


bwaters+mac at aoc

Oct 5, 2004, 9:30 PM

Post #10 of 12 (1522 views)
Permalink
Re: Re: Encrypted Swap on Mac OS X [In reply to]

> An update on mac OS X encrypted swap with my startup script, which
> uses dynamically-sized sparseimage instead of a fixed-size image...
>

Just an update to tell you all that I DO NOT RECOMMEND the use of
encrypted swap as implemented by the scripts that I've posted so far.

I am not using it at the moment. I had too many lock-ups and crashes to
get my work done! I'll wait for Apple's next release of Tiger.

In the mean-time, I do two things:

1) I wipe any existing swap files with random data on boot-up.
Change this line in /etc/rc

rm -rf ${swapdir}/swap*

to this

srm -srf ${swapdir}/swap

You need to be administrator to make this change. Then re-boot to scrub
your swapfiles!


2) I periodically execute the "sudo strings..." command posted above.
Once I've seen my username and password appear in swap, I change my
password! I have yet to see my *changed* password appear after the
machine has been up for a while. Since I use a laptop, I generally
don't log out, I just "sleep". I've set the "require password to wake
from sleep" option, of course.

Good luck!

~ boyd

Boyd Waters
National Radio Astronomy Observatory
Socorro, New Mexico
http://www.aoc.nrao.edu/~bwaters


--
gentoo-osx [at] gentoo mailing list


lists at anderedomain

Oct 6, 2004, 3:02 AM

Post #11 of 12 (1521 views)
Permalink
Re: Re: Encrypted Swap on Mac OS X [In reply to]

On 6. Oct 2004, at 6:30 Uhr, Boyd Waters wrote:
>
> 2) I periodically execute the "sudo strings..." command posted above.
> Once I've seen my username and password appear in swap, I change my
> password! I have yet to see my *changed* password appear after the
> machine has been up for a while. Since I use a laptop, I generally
> don't log out, I just "sleep". I've set the "require password to wake
> from sleep" option, of course.
>

What was that sudo strings.... again?


--
gentoo-osx [at] gentoo mailing list


bwaters+mac at aoc

Oct 6, 2004, 7:21 AM

Post #12 of 12 (1527 views)
Permalink
Re: Re: Encrypted Swap on Mac OS X [In reply to]

sudo strings -8 /var/vm/swapfile* |grep -A 4 -i longname

>> 2) I periodically execute the "sudo strings..." command posted above.
>> Once I've seen my username and password appear in swap, I change my
>> password!


--
gentoo-osx [at] gentoo mailing list

Gentoo osx RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.