Ramdisks to (not) store sensitive data

Context

Particularly on a server, there are some pieces of data that need:

  • to be stored for a short period of time, so that the box can be properly administered;
  • to not be stored on the hard disk, so that the aliens cannot get it.

A few examples: /tmp, Apache's ErrorLog, which contains client IPs, or mail.{err,log,...}.

A standard solution to this problem is to use a ramdisk. This is a volatile filesystem, i.e. it is not backed by any partition, and its content is lost as soon as the box loses power, whether cleanly (shutdown -h) or not (oops, I've unplugged the power cable).

Available solutions

There are two different ramdisk implementations available on GNU/Linux, each with advantages and disadvantages with respect to the use we're discussing.

tmpfs

This one supports a few really useful mount options: uid, gid, mode, and size limits in bytes and/or in inodes.

BUT ITS CONTENT CAN BE WRITTEN TO SWAP, WHICH IS WHY, IF SUCH A RAMDISK STORES SENSITIVE DATA, IT IS NECESSARY TO USE AN ENCRYPTED SWAP PARTITION.

(Which is not perfect: there are pieces of data you would not want to ever be written to a hard disk, encrypted or not.)

/etc/fstab line example for such a ramdisk (the last two fields, dump and fsck pass, are 0: a volatile filesystem is neither dumped nor checked):

tmpfs /tmp tmpfs noexec,nosuid,nodev,size=100M,uid=root,gid=root,mode=1777 0 0

Finally, depending on your security needs, it's also possible to set up an encrypted ramdisk using dm-crypt or loop-aes.

ramfs

Ramfs guarantees its content will never go to swap.

On the other hand, this filesystem supports none of the uid, gid, mode and size-limit mount options. An init script run after the ramdisk is mounted can fix the permissions, sure, but without a size limit it's possible to freeze (DoS) a box by filling its /tmp "partition" with junk data until the box's RAM is exhausted, which is actually quite easy. Shit.

Conclusion

The ramfs "never goes to swap" guarantee is appealing, sure, but anybody who knows you use it can easily DoS your box. So you have to choose. Most people concerned by such privacy issues seem to use tmpfs with an encrypted swap partition.

Post-scriptum

Anyway, an encrypted swap partition is a must on a box that handles sensitive data. Particularly if the box rarely uses its swap, it's possible to find in the swap partition pieces of data you'd prefer not to find there, even a year after they were written.
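As an added example, not from the original article: two POSIX sh helpers that audit the two points made above, the hardening of the /tmp ramdisk mount and whether every active swap device is an encrypted (dm-crypt) mapping. They take a /proc/mounts entry and the contents of /proc/swaps as arguments; the swap check assumes, as a heuristic, that encrypted swap shows up under /dev/mapper or /dev/dm-*.

```shell
#!/bin/sh
# Constructed audit helpers, not part of the original article.

# check_tmp_mount LINE
# LINE is one /proc/mounts entry: "<dev> <mountpoint> <fstype> <opts> <dump> <pass>".
# Returns 0 only for a tmpfs carrying noexec, nosuid, nodev and a size= limit;
# a ramfs is rejected outright because it cannot be size-limited (RAM-exhaustion DoS).
check_tmp_mount() {
    set -- $1                       # split the entry into its six fields
    fstype=$3
    opts=$4
    if [ "$fstype" = "ramfs" ]; then
        echo "ramfs: no size= limit possible, RAM can be exhausted (DoS)"
        return 1
    fi
    if [ "$fstype" != "tmpfs" ]; then
        echo "not a ramdisk: $fstype"
        return 1
    fi
    missing=""
    for want in noexec nosuid nodev size; do
        case ",$opts," in
            *,$want,*|*,$want=*) ;;          # flag present, or key=value present
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "tmpfs missing:$missing"
        return 1
    fi
    echo "tmpfs hardened"
}

# swap_all_encrypted TEXT
# TEXT is the contents of /proc/swaps (header line included).
# Assumption: swap on a dm-crypt mapping appears as /dev/mapper/* or /dev/dm-*;
# any other device is reported as plain swap. LVM volumes also live under
# /dev/mapper, so confirm a hit with "cryptsetup status <name>".
swap_all_encrypted() {
    status=0
    while read -r dev type size used prio; do
        [ -z "$dev" ] || [ "$dev" = "Filename" ] && continue   # blank or header line
        case "$dev" in
            /dev/mapper/*|/dev/dm-*) ;;
            *) echo "plain (unencrypted) swap: $dev"; status=1 ;;
        esac
    done <<EOF
$1
EOF
    return $status
}
```

On a live box: `check_tmp_mount "$(grep ' /tmp ' /proc/mounts)"` and `swap_all_encrypted "$(cat /proc/swaps)"`, each exiting non-zero when something is wrong.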

When using a fixed-size ramdisk for /tmp on a box that is rarely rebooted, don't forget to set up an automated mechanism to clean up this directory from time to time; a full /tmp can break tons of stuff... the tmpreaper Debian package does this, tested and approved.