Linux - Security
05-26-2011, 09:31 AM | #1 | Senior Member | Registered: Jul 2006 | Location: North Carolina | Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate | Posts: 2,127
A Security/Privacy thought experiment
While cleaning out some old files I came across notes from a project I worked on MANY years ago. In a nutshell I was working in an IT support role for an organization which had occasion to deal with "Safeguards Information" related to nuclear power plants. Sort of the same concept as military "classified" information. The data was stored on diskettes and kept locked in a security vault when not in use. If a cleared employee had need to access a file he would sign out the diskette containing the file (Word Perfect, Lotus 123, Autocad etc.) and access it on a (DOS) PC with the appropriate application then return the diskette to the vault.
When I was asked to review the situation it was immediately apparent that the potential existed for temporary files created by the applications to be stored on the hard drives of the PCs. The solution was a couple of dedicated, non-networked PCs located in the vault with the instructions that they were not to be removed from the vault before the hard drives were removed and that the drives would be removed and physically destroyed when the machines were returned to the leasing company.
Fast forward 20 years and I am experimenting with some security/privacy products on my home network. Here is what I have set up:
Ubuntu server 10.04 with a tightly restricted NFS share. The files on the NFS share are several TrueCrypt container files with the "secret" data.
A PC with Ubuntu 10.04 running VMWare Player.
An Ubuntu 11.04 virtual machine built from the alternate CD and installed on a "full encryption" LVM disk. This includes the VM's swap partition. The VM has an IP address reserved in the router DHCP. This address is the only one allowed to access the NFS share on the server. TrueCrypt is installed on the VM.
So here goes the experiment...
I start the VM and supply the pass phrase to mount the encrypted LVM disk.
I log into the VM.
I mount the NFS share on the server from the VM.
I open a TrueCrypt container file using TrueCrypt on the VM and access, say, an OpenOffice.org document containing "secret" data.
When I am done I close the document, close the TrueCrypt container, unmount the NFS share and shut down the VM.
And the question is... Are there any vulnerabilities (and if so, what are they)?
As I think it through -
As TrueCrypt reads its container over the network it is pulling a blob of encrypted data over the wire. Decryption only takes place in the memory of the VM. If the network traffic was sniffed it would not contain any plain text information.
Any OO.o temp files or swap activity in the VM would be stored on the VM's disk which is encrypted. The VMWare files which store the virtual machine would contain only encrypted data as viewed from the host PC. If the physical PC was compromised, any data on the disk of the VM would not be accessible.
So the possible hole which I see involves VMWare Player swapping to the physical PC. Work in memory of the VM is not encrypted and thus a swap to the PC would not be encrypted. Does anyone know if this is correct? Any mitigation strategies come to mind? Any other vulnerabilities?
To quote Pink Floyd "are there any paranoids in the audience tonight?"
TIA,
Ken
05-26-2011, 09:44 AM | #2 | Senior Member | Registered: Dec 2005 | Location: Massachusetts, USA | Distribution: Ubuntu 10.04 and CentOS 5.5 | Posts: 3,873
It looks like you have put a lot of thought into this and you have covered any vulnerabilities that come to my mind.
You can encrypt a swap file or swap partition. This can be done with a random key at boot time. That will cover your swap space vulnerability.
Google "linux encrypt swap partition". There are too many listings for me to look through them all. I know I've seen some articles about encrypting swap space during system startup with a random key.
05-26-2011, 10:04 AM | #3 | Senior Member | Original Poster | Registered: Jul 2006 | Location: North Carolina | Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate | Posts: 2,127
Thanks stress_junkie! I will look into encrypting JUST the swap on the physical PC. I am afraid to encrypt the whole thing as the power management never has worked correctly with Ubuntu on this machine. It will suspend OK but often will wake to find my session logged out or to find it in some phase of booting. Not sure what that would do if the underlying file system was encrypted (and I do not really want to find out.)
Ken
05-26-2011, 11:00 AM | #4 | LQ 5k Club | Registered: Dec 2008 | Location: Tamil Nadu, India | Distribution: Debian | Posts: 8,578
Given the very limited use case outlined, how about simply not having any swap?
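The two swap options raised so far, stress_junkie's random-key encrypted swap (#2) and catkin's no-swap-at-all (#4), as an added example that is not code from any poster: it prints the /etc/crypttab and /etc/fstab lines for a swap partition keyed from /dev/urandom at each boot, and it audits /proc/swaps so that the host passes only if every active swap area sits behind device-mapper or there is no swap at all. The partition (/dev/sda5), the mapping name (cryptswap1) and the /proc/swaps samples are constructed assumptions.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster): stress_junkie's
# random-key encrypted swap as /etc/crypttab and /etc/fstab entries, plus a
# check that either catkin's "no swap" alternative or the encrypted mapping is
# really what the host is using. Device and mapping names are assumptions.

# crypttab line: a plain dm-crypt mapping over the swap partition, keyed from
# /dev/urandom at every boot. The "swap" option makes the boot scripts run
# mkswap on the fresh mapping, since last boot's contents are unreadable anyway.
crypttab_swap_entry() {
    # $1 = backing partition (e.g. /dev/sda5), $2 = mapping name
    printf '%s %s /dev/urandom swap,cipher=aes-cbc-essiv:sha256\n' "$2" "$1"
}

# fstab line: swapon the mapping, never the raw partition.
fstab_swap_entry() {
    printf '/dev/mapper/%s none swap sw 0 0\n' "$1"
}

# Read /proc/swaps on stdin and print every active swap area that is not a
# device-mapper target. Exit 0 when nothing is printed (all swap goes through
# dm-crypt, or there is no swap at all), 1 otherwise. The kernel may list the
# mapping by its /dev/mapper name or as /dev/dm-N, so both are accepted.
unencrypted_swap() {
    found=0
    while read -r name _type _size _used _prio; do
        case "$name" in
            Filename|'') ;;                 # header line / blank line
            /dev/mapper/*|/dev/dm-*) ;;     # swap behind device-mapper
            *) printf '%s\n' "$name"; found=1 ;;
        esac
    done
    return "$found"
}

# Wrapper so the check can be run against text instead of the live file.
check_swaps_text() {
    printf '%s\n' "$1" | unencrypted_swap
}

# Constructed samples of /proc/swaps: a host still swapping to a raw partition,
# the same host after switching to the encrypted mapping, and one with no swap.
SAMPLE_PLAIN='Filename        Type        Size    Used    Priority
/dev/sda5       partition   2097148 0       -1'
SAMPLE_CRYPT='Filename        Type        Size    Used    Priority
/dev/mapper/cryptswap1  partition   2097148 0       -1'
SAMPLE_NONE='Filename        Type        Size    Used    Priority'

# Print the two config lines for the assumed layout.
crypttab_swap_entry /dev/sda5 cryptswap1
fstab_swap_entry cryptswap1

# Audit the live host only when asked, so the file can also be sourced.
if [ "${1:-}" = "--live" ] && [ -r /proc/swaps ]; then
    unencrypted_swap < /proc/swaps || echo 'WARNING: swap active outside dm-crypt'
fi
```

Run it with `--live` on the host after the crypttab/fstab change (or after `swapoff -a`) to confirm that nothing is swapping to a raw partition; the random key means suspend-to-disk cannot resume, which matters on a machine whose suspend/wake is already unreliable. The cipher string is the one Ubuntu's own swap-encryption helper wrote in that era; current distributions default to aes-xts-plain64.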
05-26-2011, 12:51 PM | #5 | Senior Member | Original Poster | Registered: Jul 2006 | Location: North Carolina | Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate | Posts: 2,127
Thanks catkin - that is an excellent suggestion. I have 8 GB of memory on the physical PC so swap gets used very little unless I am running several VMs at the same time. At the moment I am working on encrypting the swap on a VM just for practice. If that works, and I can figure out how to get back to a non-encrypted swap, I may try it on the PC if for no other reason than to see if it makes suspend/wake any worse :-(
Ken
05-28-2011, 09:07 AM | #6 | Senior Member | Original Poster | Registered: Jul 2006 | Location: North Carolina | Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate | Posts: 2,127
Update
I have played around with encrypting the swap space on the host PC. I can enable encrypted swap and switch it back to normal swap. I can also run the PC without swap. In my current installation I have only 2 GB of swap. The physical RAM of 8 GB is more than enough for anything I am running so for the time being I simply have no swap.
While researching how to encrypt swap space, TrueCrypt etc. I came across a lot of discussion of "leakage" from applications which might leave plain text copies of data on the hard drive outside of encrypted areas - like it was something new. Same issue as I had identified in DOS 20+ years ago. Oh well...
But on that subject and my VMWare experiment... I found a page which identifies the various files used/created by VMWare http://www.vmware.com/support/ws55/d...s_in_a_vm.html I was trying to determine why an XP VM which shows 4.3 GB on its "C:\" drive was actually taking up more than 6 GB. One file which got my attention was vmname.vmem which is described as
Quote:
The virtual machine's paging file, which backs up the guest main memory on the host file system. This file exists only when the virtual machine is running, or if the virtual machine has crashed.
Talk about a security hole! If in fact the VM is swapping to this file and not to its own "disk" then it would appear that the memory contents of the VM are being written to the host in the clear. I guess that to secure my environment I would have to store the VM files on an encrypted partition or in a TrueCrypt container.
Let me set a VM to no swap and see if this file is still created. I will report back.
Ken
05-29-2011, 10:44 AM | #7 | Senior Member | Original Poster | Registered: Jul 2006 | Location: North Carolina | Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate | Posts: 2,127
Update - so far my testing has not been able to cause any .vmem files to be created. Perhaps they have been phased out by VMWare? I will keep an eye out for them as I run various VMs.
Ken
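An added check for the .vmem leak discussed in #6 and #7 (my example, not code from VMware or any poster): it lists the VMware files on the host that hold guest RAM in the clear (.vmem paging file, .vmss suspend state, .vmsn snapshot state), reports whether a .vmx carries the `mainMem.useNamedFile = "FALSE"` setting that VMware Workstation/Player document for keeping guest memory out of a named host file, and scrubs leftover memory files after the VM is shut down. The VM directory, file names and .vmx contents are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find the VMware files on the host that
# hold guest RAM in the clear, which is the leak the .vmem description
# exposes. The VM directory and file names below are constructed.

# Print every file under the VM directory that can contain guest memory:
#   .vmem  paging file backing guest RAM while the VM runs
#   .vmss  suspended-VM state (includes memory)
#   .vmsn  snapshot state (includes memory when taken while running)
vm_memory_files() {
    find "$1" -type f \( -name '*.vmem' -o -name '*.vmss' -o -name '*.vmsn' \) | sort
}

# Exit 0 when the .vmx tells VMware Workstation/Player not to back guest
# memory with a named host file (mainMem.useNamedFile = "FALSE"), 1 otherwise.
# Whether a given Player version honours it is something to verify with
# vm_memory_files while the VM is running, which is exactly the test in #7.
vmx_disables_named_memfile() {
    grep -Eiq '^[[:space:]]*mainMem\.useNamedFile[[:space:]]*=[[:space:]]*"?FALSE"?' "$1"
}

# Constructed sample VM directory: a config still on the default setting, a
# running-VM paging file, an old suspend file and the virtual disk.
make_sample_vm() {
    d=$(mktemp -d)
    printf 'displayName = "secret-vm"\nmemsize = "1024"\n' > "$d/secret.vmx"
    : > "$d/secret.vmem"
    : > "$d/secret.vmss"
    : > "$d/secret.vmdk"   # disk image; its contents are encrypted by the guest's LVM
    echo "$d"
}

# Remove memory-bearing files after shutdown. Plain rm leaves the blocks on
# disk, so overwrite first where shred is available; on SSDs wear levelling
# defeats that too, which is why keeping the whole VM on an encrypted volume
# (the conclusion in #6) is the stronger fix.
scrub_vm_memory_files() {
    vm_memory_files "$1" | while read -r f; do
        shred -u -- "$f" 2>/dev/null || rm -f -- "$f"
    done
}

# Report on a real VM directory when one is given on the command line.
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    vm_memory_files "$1"
    for vmx in "$1"/*.vmx; do
        [ -e "$vmx" ] || continue
        if vmx_disables_named_memfile "$vmx"; then
            echo "$vmx: named memory file disabled"
        else
            echo "$vmx: default setting, guest RAM may be paged to a host file"
        fi
    done
fi
```

Point it at the directory holding the .vmx while the VM is running; an empty listing then is the result reported in #7, a listed .vmem is the leak from #6. Note that .vmss and .vmsn survive a suspend or snapshot even when no .vmem is ever created, so an encrypted host volume covers cases that disabling the paging file does not.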
05-30-2011, 11:54 PM | #8 | Member | Registered: Jul 2005 | Posts: 164
What are your goals here?
Last edited by Peufelon; 05-31-2011 at 06:35 AM.
06-02-2011, 09:52 AM | #9 | Senior Member | Original Poster | Registered: Jul 2006 | Location: North Carolina | Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate | Posts: 2,127
I guess the goal here is to see how private/secure a PC can be made short of total hard drive encryption. Suspend/wake has never worked reliably on this PC with Ubuntu - it often wakes with my login session closed. I am not sure what this would do with the whole hard drive or even just /home encrypted. I really don't want to corrupt an encrypted disk and risk losing the whole thing. I keep sensitive data in TrueCrypt volumes (used to use PGP in Windows) which makes backup and archiving easy. But if there is leakage all over the machine... not good.
Ken
06-02-2011, 02:18 PM | #10 | Member | Registered: Jul 2005 | Posts: 164
A general suggestion for defining privacy projects
Quote:
the goal here is to see how private/secure a PC can be made short of total hard drive encryption.
I don't think you really explained why you can't/won't encrypt the whole disk, but someone should say that this measure is not sufficient by itself. Depending upon the sophistication of anticipated attacks, information leakage can be an issue even if you encrypt the whole disk.
In any case, I think you need to clarify at least two broad areas before you can proceed.
- What kinds of uses for this laptop (not a desktop PC, correct?) do you have in mind? Possible examples include:
  - accessing while traveling a "secure" database holding sensitive personal medical information about patients at the nursing homes which you visit in order to pitch specific prescription drugs to persons treating specific patients, as part of your job as a prescription drug salesman.
  - working on a classified military project while traveling around the USA, as part of your job as an engineer with Lockheed-Martin.
- What kinds of potential threats do you wish to protect against? Possible examples include:
  - A sophisticated thief who steals your laptop might be able to use information leakage to recover login credentials from unencrypted portions of the hard drive and later steal personal medical information, or even steal proprietary information from your employer.
  - A sophisticated espionage operative who briefly gains physical access to your laptop might be able to exploit various kinds of information leakage to recover keys which could potentially be used to access the "mother lode" of information about your project.
You probably know this, but someone should say that information leakage is probably not the most urgent issue to think about when you are thinking about using a laptop to transmit sensitive information. And don't forget that currently unlucky "ordinary citizens" can be and are being targeted by the most sophisticated attackers. (The reasons why apparently cannot be discussed at LQ, so don't ask here, read a newspaper.)
In principle, your project could lead to an interesting discussion, but I am not sure it would be possible to discuss specifics at LQ because I don't see how it would be possible to discuss defensive measures without explaining the attacks they are intended to foil. Overall, this thread seems to me to fall into the category of broad-ranging discussions of a question of the form "how could my scheme be defeated by crackers?", a category for which LQ might not be a suitable forum. No offense to LQ, since I assume that there are good reasons why the LQ rules are what they are.
Due to further extra-technological considerations (which cannot be discussed at LQ), I doubt you will find many knowledgeable persons willing to discuss specifics even outside LQ. That's just the kind of world in which we live.
Last edited by Peufelon; 06-02-2011 at 02:25 PM.
06-03-2011, 06:56 PM | #11 | Senior Member | Original Poster | Registered: Jul 2006 | Location: North Carolina | Distribution: CentOS 6, CentOS 7 (with Mate), Ubuntu 16.04 Mate | Posts: 2,127
Quote:
And don't forget that currently unlucky "ordinary citizens" can be and are being targeted by the most sophisticated attackers.
I read techdirt.com on a daily basis. This is not a laptop - just my personal, home desktop I am experimenting with. Perhaps I should only access the Internet via tor and strap a thermite grenade with a short fuse on top of the hard drive
I think it is time to end this thread. I will mark it resolved.
Ken