crypt_reboot 0.2.0 → 0.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +9 -0
- data/README.md +29 -13
- data/lib/crypt_reboot/elastic_memory_locker.rb +7 -14
- data/lib/crypt_reboot/version.rb +1 -1
- data/lib/crypt_reboot.rb +0 -1
- metadata +21 -7
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 6ec1b79f3b99fddc49e170693df471d0eebc44af064787cb29b2694985a91418
|
|
4
|
+
data.tar.gz: e3fa5ac025fc7ea7544a6e4c6d9db1f5894a0da44b6c39d07689a7594c0fc714
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 8aebba8307469fc4cba898f0c3427b4c6242e7f90dea985b33a72e89e13ee7e0854b232870b1afaea518c92eee03dca8c32d4c1f956a6da2e6cd55adae67f07e
|
|
7
|
+
data.tar.gz: 56d86831971b547b4d1856b426dafac2a77bffa23fd8ced861908902ce969186be52710e92dd50ec01242c77133d77439a088a651626dd9e8ce2977ce136483a
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,12 @@
|
|
|
1
|
+
## [0.2.1] - 2023-11-12
|
|
2
|
+
|
|
3
|
+
- use new MemoryLocker without a need for FFI compilation step
|
|
4
|
+
|
|
5
|
+
## [0.2.0] - 2023-07-29
|
|
6
|
+
|
|
7
|
+
- Make memory locking optional with `--insecure-memory` command line option
|
|
8
|
+
- Remove FFI gem dependency
|
|
9
|
+
|
|
1
10
|
## [0.1.2] - 2023-07-22
|
|
2
11
|
|
|
3
12
|
- Lock memory to prevent secrets leaking to swap
|
data/README.md
CHANGED
|
@@ -7,7 +7,8 @@ Convenient reboot for Linux systems with encrypted root partition.
|
|
|
7
7
|
> Just type `cryptreboot` instead of `reboot`.
|
|
8
8
|
|
|
9
9
|
It asks for a passphrase and reboots the system afterward, automatically
|
|
10
|
-
unlocking the drive on startup using
|
|
10
|
+
unlocking the drive on startup using
|
|
11
|
+
[in-memory initramfs patching and kexec](https://blog.pawelpokrywka.com/p/rebooting-linux-with-encrypted-disk).
|
|
11
12
|
Without explicit consent, no secrets are stored on disk, even temporarily.
|
|
12
13
|
|
|
13
14
|
Useful when unlocking the drive at startup is difficult, such as on headless
|
|
@@ -36,7 +37,8 @@ Following distributions were tested by the author on the AMD64 machine:
|
|
|
36
37
|
- Ubuntu 22.04 LTS
|
|
37
38
|
- Ubuntu 20.04 LTS needs tiny adjustments to system settings,
|
|
38
39
|
specifically [changing compression](#lz4-initramfs-compression) and
|
|
39
|
-
[fixing systemd kexec support](#staged-kernel-not-being-executed-by-systemd)
|
|
40
|
+
[fixing systemd kexec support](#staged-kernel-not-being-executed-by-systemd), but still
|
|
41
|
+
[sometimes](#unable-to-kexec-on-reboot-using-old-systemd) reboot experience may be suboptimal
|
|
40
42
|
- ~~Ubuntu 18.04 LTS~~ is not supported (initramfs uses *pre-crypttab* format)
|
|
41
43
|
|
|
42
44
|
If you have successfully run cryptreboot on another distribution,
|
|
@@ -65,14 +67,6 @@ If you use Debian-based distribution, use this command to install required packa
|
|
|
65
67
|
When asked if kexec should handle reboots, answer `yes` (however the answer probably
|
|
66
68
|
doesn't matter for cryptreboot to work).
|
|
67
69
|
|
|
68
|
-
## Recommendations
|
|
69
|
-
|
|
70
|
-
To protects against saving sensitive data (passphrase, encryption keys) to swap space on a disk, it is recommended to use `memory_locker` ([Rubygems](https://rubygems.org/gems/memory_locker), [Github](https://github.com/phantom-node/memory_locker)).
|
|
71
|
-
|
|
72
|
-
$ sudo gem install memory_locker
|
|
73
|
-
|
|
74
|
-
If you don't want to install it, you will have to specify `--insecure-memory` flag when running cryptreboot.
|
|
75
|
-
|
|
76
70
|
## Installation
|
|
77
71
|
|
|
78
72
|
Make sure the required software is installed, then install the gem system-wide by executing:
|
|
@@ -180,12 +174,34 @@ If you get:
|
|
|
180
174
|
|
|
181
175
|
it means there was an error while locking memory to prevent a risk of sensitive data ending in a swap space.
|
|
182
176
|
|
|
183
|
-
|
|
184
|
-
If
|
|
185
|
-
If the problem persists, then please report a bug describing your setup.
|
|
177
|
+
Make sure you have permission to lock memory. Root users have.
|
|
178
|
+
If permissions are ok, then please report a bug describing your setup.
|
|
186
179
|
|
|
187
180
|
The solution of last resort is to use `--insecure-memory` flag, which disables memory locking completely.
|
|
188
181
|
|
|
182
|
+
### Unable to kexec on reboot using old systemd
|
|
183
|
+
|
|
184
|
+
Ubuntu 20.04 ships with `systemd` which may fall back to standard reboot instead of using `kexec`, because this utility
|
|
185
|
+
is located on a filesystem being unmounted during the shutdown sequence.
|
|
186
|
+
|
|
187
|
+
As a result, using cryptreboot would feel like using normal reboot.
|
|
188
|
+
|
|
189
|
+
To tell if your system is affected, you have to check messages printed to the console after you run cryptreboot.
|
|
190
|
+
This message happens just before reboot, so you will have just a few milliseconds to notice it on screen:
|
|
191
|
+
|
|
192
|
+
> shutdown[1]: (sd-kexec) failed with exit status 1
|
|
193
|
+
|
|
194
|
+
[There is a fix](https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1969365) waiting to be included in
|
|
195
|
+
a stable release update to `systemd` since 2023-07-21.
|
|
196
|
+
|
|
197
|
+
In the meantime, as a workaround, you can use `kexec` directly. **Warning: it will skip the standard shutdown procedure. Filesystems won't be unmounted, services won't be stopped, etc. It is like hitting `reset` button**.
|
|
198
|
+
However, when you use a decent filesystem with journalling the risk of things going bad should not be high.
|
|
199
|
+
|
|
200
|
+
Given the above warning, to reboot skipping the shutdown procedure, run:
|
|
201
|
+
|
|
202
|
+
$ sudo cryptreboot -p
|
|
203
|
+
$ sudo kexec -e # will skip proper shutdown sequence
|
|
204
|
+
|
|
189
205
|
## Development
|
|
190
206
|
|
|
191
207
|
After checking out the repo, run `bundle install` to install
|
|
@@ -1,5 +1,7 @@
|
|
|
1
1
|
# frozen_string_literal: true
|
|
2
2
|
|
|
3
|
+
require 'memory_locker' unless defined? MemoryLocker # MemoryLocker is mocked in tests
|
|
4
|
+
|
|
3
5
|
module CryptReboot
|
|
4
6
|
# Try to lock memory if configuration allows it
|
|
5
7
|
class ElasticMemoryLocker
|
|
@@ -8,10 +10,9 @@ module CryptReboot
|
|
|
8
10
|
def call
|
|
9
11
|
return if skip_locking?
|
|
10
12
|
|
|
11
|
-
loader.call
|
|
12
13
|
locker.call
|
|
13
14
|
nil
|
|
14
|
-
rescue
|
|
15
|
+
rescue locking_error => e
|
|
15
16
|
raise LockingError, 'Failed to lock memory', cause: e
|
|
16
17
|
end
|
|
17
18
|
|
|
@@ -21,22 +22,14 @@ module CryptReboot
|
|
|
21
22
|
insecure_memory_checker.call
|
|
22
23
|
end
|
|
23
24
|
|
|
24
|
-
|
|
25
|
-
lazy_locking_error.call
|
|
26
|
-
end
|
|
27
|
-
|
|
28
|
-
attr_reader :insecure_memory_checker, :loader, :load_error, :locker, :lazy_locking_error
|
|
25
|
+
attr_reader :insecure_memory_checker, :locker, :locking_error
|
|
29
26
|
|
|
30
27
|
def initialize(insecure_memory_checker: LazyConfig.insecure_memory,
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
locker: -> { MemoryLocker.call },
|
|
34
|
-
lazy_locking_error: -> { MemoryLocker::Error })
|
|
28
|
+
locker: MemoryLocker,
|
|
29
|
+
locking_error: MemoryLocker::Error)
|
|
35
30
|
@insecure_memory_checker = insecure_memory_checker
|
|
36
|
-
@loader = loader
|
|
37
|
-
@load_error = load_error
|
|
38
31
|
@locker = locker
|
|
39
|
-
@
|
|
32
|
+
@locking_error = locking_error
|
|
40
33
|
end
|
|
41
34
|
end
|
|
42
35
|
end
|
data/lib/crypt_reboot/version.rb
CHANGED
data/lib/crypt_reboot.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: crypt_reboot
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.2.
|
|
4
|
+
version: 0.2.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Paweł Pokrywka
|
|
8
|
-
autorequire:
|
|
8
|
+
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-
|
|
11
|
+
date: 2023-11-12 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: tty-command
|
|
@@ -38,7 +38,21 @@ dependencies:
|
|
|
38
38
|
- - "~>"
|
|
39
39
|
- !ruby/object:Gem::Version
|
|
40
40
|
version: '0.3'
|
|
41
|
-
|
|
41
|
+
- !ruby/object:Gem::Dependency
|
|
42
|
+
name: memory_locker
|
|
43
|
+
requirement: !ruby/object:Gem::Requirement
|
|
44
|
+
requirements:
|
|
45
|
+
- - "~>"
|
|
46
|
+
- !ruby/object:Gem::Version
|
|
47
|
+
version: 1.0.3
|
|
48
|
+
type: :runtime
|
|
49
|
+
prerelease: false
|
|
50
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
51
|
+
requirements:
|
|
52
|
+
- - "~>"
|
|
53
|
+
- !ruby/object:Gem::Version
|
|
54
|
+
version: 1.0.3
|
|
55
|
+
description:
|
|
42
56
|
email:
|
|
43
57
|
- pepawel@users.noreply.github.com
|
|
44
58
|
executables:
|
|
@@ -117,7 +131,7 @@ metadata:
|
|
|
117
131
|
source_code_uri: https://github.com/phantom-node/cryptreboot
|
|
118
132
|
changelog_uri: https://github.com/phantom-node/cryptreboot/blob/master/CHANGELOG.md
|
|
119
133
|
rubygems_mfa_required: 'true'
|
|
120
|
-
post_install_message:
|
|
134
|
+
post_install_message:
|
|
121
135
|
rdoc_options: []
|
|
122
136
|
require_paths:
|
|
123
137
|
- lib
|
|
@@ -132,8 +146,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
132
146
|
- !ruby/object:Gem::Version
|
|
133
147
|
version: '0'
|
|
134
148
|
requirements: []
|
|
135
|
-
rubygems_version: 3.
|
|
136
|
-
signing_key:
|
|
149
|
+
rubygems_version: 3.2.22
|
|
150
|
+
signing_key:
|
|
137
151
|
specification_version: 4
|
|
138
152
|
summary: Linux utility for automatic and secure unlocking of encrypted disks on reboot
|
|
139
153
|
test_files: []
|