crypt_reboot 0.2.0 → 0.2.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +9 -0
- data/README.md +29 -13
- data/lib/crypt_reboot/elastic_memory_locker.rb +7 -14
- data/lib/crypt_reboot/version.rb +1 -1
- data/lib/crypt_reboot.rb +0 -1
- metadata +21 -7
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 6ec1b79f3b99fddc49e170693df471d0eebc44af064787cb29b2694985a91418
|
4
|
+
data.tar.gz: e3fa5ac025fc7ea7544a6e4c6d9db1f5894a0da44b6c39d07689a7594c0fc714
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 8aebba8307469fc4cba898f0c3427b4c6242e7f90dea985b33a72e89e13ee7e0854b232870b1afaea518c92eee03dca8c32d4c1f956a6da2e6cd55adae67f07e
|
7
|
+
data.tar.gz: 56d86831971b547b4d1856b426dafac2a77bffa23fd8ced861908902ce969186be52710e92dd50ec01242c77133d77439a088a651626dd9e8ce2977ce136483a
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,12 @@
|
|
1
|
+
## [0.2.1] - 2023-11-12
|
2
|
+
|
3
|
+
- use new MemoryLocker without a need for FFI compilation step
|
4
|
+
|
5
|
+
## [0.2.0] - 2023-07-29
|
6
|
+
|
7
|
+
- Make memory locking optional with `--insecure-memory` command line option
|
8
|
+
- Remove FFI gem dependency
|
9
|
+
|
1
10
|
## [0.1.2] - 2023-07-22
|
2
11
|
|
3
12
|
- Lock memory to prevent secrets leaking to swap
|
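Review bot: The 0.2.1 entry at the top of this hunk does not say that `memory_locker` is no longer an optional install, which matters to anyone who previously ran with `--insecure-memory` to avoid installing it; suggest a second bullet stating that it is now a runtime dependency. The entry also starts lowercase ("use") while the 0.2.0 and 0.1.2 bullets are capitalised, and the 0.2.0 section is only being added in this release, so 0.2.0 itself shipped without its changelog entry.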
data/README.md
CHANGED
@@ -7,7 +7,8 @@ Convenient reboot for Linux systems with encrypted root partition.
|
|
7
7
|
> Just type `cryptreboot` instead of `reboot`.
|
8
8
|
|
9
9
|
It asks for a passphrase and reboots the system afterward, automatically
|
10
|
-
unlocking the drive on startup using
|
10
|
+
unlocking the drive on startup using
|
11
|
+
[in-memory initramfs patching and kexec](https://blog.pawelpokrywka.com/p/rebooting-linux-with-encrypted-disk).
|
11
12
|
Without explicit consent, no secrets are stored on disk, even temporarily.
|
12
13
|
|
13
14
|
Useful when unlocking the drive at startup is difficult, such as on headless
|
@@ -36,7 +37,8 @@ Following distributions were tested by the author on the AMD64 machine:
|
|
36
37
|
- Ubuntu 22.04 LTS
|
37
38
|
- Ubuntu 20.04 LTS needs tiny adjustments to system settings,
|
38
39
|
specifically [changing compression](#lz4-initramfs-compression) and
|
39
|
-
[fixing systemd kexec support](#staged-kernel-not-being-executed-by-systemd)
|
40
|
+
[fixing systemd kexec support](#staged-kernel-not-being-executed-by-systemd), but still
|
41
|
+
[sometimes](#unable-to-kexec-on-reboot-using-old-systemd) reboot experience may be suboptimal
|
40
42
|
- ~~Ubuntu 18.04 LTS~~ is not supported (initramfs uses *pre-crypttab* format)
|
41
43
|
|
42
44
|
If you have successfully run cryptreboot on another distribution,
|
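Review bot: "reboot experience may be suboptimal" in the added Ubuntu 20.04 line understates what the linked section describes, namely that `systemd` may fall back to a standard reboot instead of using `kexec`. Suggest saying that directly, for example "but reboot may still occasionally fall back to a standard reboot", since the README names headless machines as a use case and a standard reboot is exactly what those users are trying to avoid.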
@@ -65,14 +67,6 @@ If you use Debian-based distribution, use this command to install required packa
|
|
65
67
|
When asked if kexec should handle reboots, answer `yes` (however the answer probably
|
66
68
|
doesn't matter for cryptreboot to work).
|
67
69
|
|
68
|
-
## Recommendations
|
69
|
-
|
70
|
-
To protects against saving sensitive data (passphrase, encryption keys) to swap space on a disk, it is recommended to use `memory_locker` ([Rubygems](https://rubygems.org/gems/memory_locker), [Github](https://github.com/phantom-node/memory_locker)).
|
71
|
-
|
72
|
-
$ sudo gem install memory_locker
|
73
|
-
|
74
|
-
If you don't want to install it, you will have to specify `--insecure-memory` flag when running cryptreboot.
|
75
|
-
|
76
70
|
## Installation
|
77
71
|
|
78
72
|
Make sure the required software is installed, then install the gem system-wide by executing:
|
@@ -180,12 +174,34 @@ If you get:
|
|
180
174
|
|
181
175
|
it means there was an error while locking memory to prevent a risk of sensitive data ending in a swap space.
|
182
176
|
|
183
|
-
|
184
|
-
If
|
185
|
-
If the problem persists, then please report a bug describing your setup.
|
177
|
+
Make sure you have permission to lock memory. Root users have.
|
178
|
+
If permissions are ok, then please report a bug describing your setup.
|
186
179
|
|
187
180
|
The solution of last resort is to use `--insecure-memory` flag, which disables memory locking completely.
|
188
181
|
|
182
|
+
### Unable to kexec on reboot using old systemd
|
183
|
+
|
184
|
+
Ubuntu 20.04 ships with `systemd` which may fall back to standard reboot instead of using `kexec`, because this utility
|
185
|
+
is located on a filesystem being unmounted during the shutdown sequence.
|
186
|
+
|
187
|
+
As a result, using cryptreboot would feel like using normal reboot.
|
188
|
+
|
189
|
+
To tell if your system is affected, you have to check messages printed to the console after you run cryptreboot.
|
190
|
+
This message happens just before reboot, so you will have just a few milliseconds to notice it on screen:
|
191
|
+
|
192
|
+
> shutdown[1]: (sd-kexec) failed with exit status 1
|
193
|
+
|
194
|
+
[There is a fix](https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1969365) waiting to be included in
|
195
|
+
a stable release update to `systemd` since 2023-07-21.
|
196
|
+
|
197
|
+
In the meantime, as a workaround, you can use `kexec` directly. **Warning: it will skip the standard shutdown procedure. Filesystems won't be unmounted, services won't be stopped, etc. It is like hitting `reset` button**.
|
198
|
+
However, when you use a decent filesystem with journalling the risk of things going bad should not be high.
|
199
|
+
|
200
|
+
Given the above warning, to reboot skipping the shutdown procedure, run:
|
201
|
+
|
202
|
+
$ sudo cryptreboot -p
|
203
|
+
$ sudo kexec -e # will skip proper shutdown sequence
|
204
|
+
|
189
205
|
## Development
|
190
206
|
|
191
207
|
After checking out the repo, run `bundle install` to install
|
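Review bot: The workaround at the end of this hunk runs `sudo kexec -e` straight after `sudo cryptreboot -p`, while the warning above it says filesystems will not be unmounted; suggest adding a `sync` step before `kexec -e` so pending writes are flushed rather than relying on journalling alone. The `-p` option is also used here without saying what it does, and "Root users have." in the memory-locking paragraph is a sentence fragment; "The root user has it." reads more clearly.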
@@ -1,5 +1,7 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
|
3
|
+
require 'memory_locker' unless defined? MemoryLocker # MemoryLocker is mocked in tests
|
4
|
+
|
3
5
|
module CryptReboot
|
4
6
|
# Try to lock memory if configuration allows it
|
5
7
|
class ElasticMemoryLocker
|
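Review bot: `require 'memory_locker' unless defined? MemoryLocker` makes production loading depend on a test concern: if any constant named `MemoryLocker` is already defined when this file loads, the real gem is never required and `locker.call` runs against whatever that constant is. `require` is already idempotent, so suggest an unconditional `require 'memory_locker'` and having the specs inject a double through the `locker:` and `locking_error:` keyword arguments instead.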
@@ -8,10 +10,9 @@ module CryptReboot
|
|
8
10
|
def call
|
9
11
|
return if skip_locking?
|
10
12
|
|
11
|
-
loader.call
|
12
13
|
locker.call
|
13
14
|
nil
|
14
|
-
rescue
|
15
|
+
rescue locking_error => e
|
15
16
|
raise LockingError, 'Failed to lock memory', cause: e
|
16
17
|
end
|
17
18
|
|
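Review bot: `rescue locking_error => e` wraps only the class returned by `locking_error` (`MemoryLocker::Error` by default), so any other exception raised from `locker.call` leaves `call` without becoming a `LockingError`. Please confirm the top-level handler still aborts the run in that case, and add a spec that raises a non-`MemoryLocker::Error` exception from the injected locker to pin the behaviour down.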
@@ -21,22 +22,14 @@ module CryptReboot
|
|
21
22
|
insecure_memory_checker.call
|
22
23
|
end
|
23
24
|
|
24
|
-
|
25
|
-
lazy_locking_error.call
|
26
|
-
end
|
27
|
-
|
28
|
-
attr_reader :insecure_memory_checker, :loader, :load_error, :locker, :lazy_locking_error
|
25
|
+
attr_reader :insecure_memory_checker, :locker, :locking_error
|
29
26
|
|
30
27
|
def initialize(insecure_memory_checker: LazyConfig.insecure_memory,
|
31
|
-
|
32
|
-
|
33
|
-
locker: -> { MemoryLocker.call },
|
34
|
-
lazy_locking_error: -> { MemoryLocker::Error })
|
28
|
+
locker: MemoryLocker,
|
29
|
+
locking_error: MemoryLocker::Error)
|
35
30
|
@insecure_memory_checker = insecure_memory_checker
|
36
|
-
@loader = loader
|
37
|
-
@load_error = load_error
|
38
31
|
@locker = locker
|
39
|
-
@
|
32
|
+
@locking_error = locking_error
|
40
33
|
end
|
41
34
|
end
|
42
35
|
end
|
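Review bot: Replacing the lazy lambdas with `locker: MemoryLocker` and `locking_error: MemoryLocker::Error` means both constants are resolved every time the object is constructed, including when `skip_locking?` is true. The README describes `--insecure-memory` as the solution of last resort, so a problem loading `memory_locker` would now break that path as well; if that is intended, say so in the README, otherwise keep the constant lookups lazy. A short comment on `initialize` noting that `locker` must respond to `call` and `locking_error` must be an exception class would also help anyone injecting test doubles.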
data/lib/crypt_reboot/version.rb
CHANGED
data/lib/crypt_reboot.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: crypt_reboot
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.2.
|
4
|
+
version: 0.2.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Paweł Pokrywka
|
8
|
-
autorequire:
|
8
|
+
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2023-
|
11
|
+
date: 2023-11-12 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: tty-command
|
@@ -38,7 +38,21 @@ dependencies:
|
|
38
38
|
- - "~>"
|
39
39
|
- !ruby/object:Gem::Version
|
40
40
|
version: '0.3'
|
41
|
-
|
41
|
+
- !ruby/object:Gem::Dependency
|
42
|
+
name: memory_locker
|
43
|
+
requirement: !ruby/object:Gem::Requirement
|
44
|
+
requirements:
|
45
|
+
- - "~>"
|
46
|
+
- !ruby/object:Gem::Version
|
47
|
+
version: 1.0.3
|
48
|
+
type: :runtime
|
49
|
+
prerelease: false
|
50
|
+
version_requirements: !ruby/object:Gem::Requirement
|
51
|
+
requirements:
|
52
|
+
- - "~>"
|
53
|
+
- !ruby/object:Gem::Version
|
54
|
+
version: 1.0.3
|
55
|
+
description:
|
42
56
|
email:
|
43
57
|
- pepawel@users.noreply.github.com
|
44
58
|
executables:
|
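Review bot: The new `memory_locker` requirement is `~> 1.0.3`, which lets any later 1.0.x release be installed without a change in this gem. Since the removed README section describes this dependency as what protects the passphrase and encryption keys from being saved to swap, suggest documenting the exact version that was tested so deployments that need reproducible installs can pin it.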
@@ -117,7 +131,7 @@ metadata:
|
|
117
131
|
source_code_uri: https://github.com/phantom-node/cryptreboot
|
118
132
|
changelog_uri: https://github.com/phantom-node/cryptreboot/blob/master/CHANGELOG.md
|
119
133
|
rubygems_mfa_required: 'true'
|
120
|
-
post_install_message:
|
134
|
+
post_install_message:
|
121
135
|
rdoc_options: []
|
122
136
|
require_paths:
|
123
137
|
- lib
|
@@ -132,8 +146,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
132
146
|
- !ruby/object:Gem::Version
|
133
147
|
version: '0'
|
134
148
|
requirements: []
|
135
|
-
rubygems_version: 3.
|
136
|
-
signing_key:
|
149
|
+
rubygems_version: 3.2.22
|
150
|
+
signing_key:
|
137
151
|
specification_version: 4
|
138
152
|
summary: Linux utility for automatic and secure unlocking of encrypted disks on reboot
|
139
153
|
test_files: []
|