Configuring disk swapping
Configure the operating system to protect data in swap files.
IBM® Safer Payments is designed not to be swapped out by the operating system. However, the operating system itself determines whether IBM Safer Payments memory is swapped to disk.
If IBM Safer Payments memory is swapped out to disk, PAN data that is decrypted in RAM might temporarily be written to the swap file on disk. You must wipe all swap data securely after each new system restart or use an encrypted swap disk. You must also disable indexing of file contents.
For more information about decreasing the swappiness of the system, see Decreasing swappiness.
Wipe swap disk script
Note: Use this approach only if swap disk encryption is not possible for certain reasons.
- To find out the correct path of your swap disk partition, enter:
# fdisk -l
# cat /proc/swaps
- After you have your swap partition name, write a short script that runs on every startup by using sswap, where /dev/sdaX must be replaced by the path that is shown in the previous step.
# swapoff /dev/sdaX
# sswap -vll /dev/sdaX
# swapon /dev/sdaX
- Add these commands, without the leading # prompt, to a script, for example /usr/local/sbin/wipeSwap.sh, and make the script executable:
# chmod +x /usr/local/sbin/wipeSwap.sh
- Add the script name /usr/local/sbin/wipeSwap.sh at the end of your init script /etc/rc.local.
Encrypt swap disk
With this preferred approach, you do not have to wipe out your swap on each system start.
- Edit /etc/fstab to reflect the changes. Comment or delete previous swap
entries before you add the new entry.
# vim /etc/fstab
/dev/mapper/swap none swap defaults 0 0
- Create a /etc/crypttab file, and add the swap parameters.
Depending on your volume, group names, and layout, change the path to suit your needs. In most cases, you must replace only volume with the path that you commented or deleted in step 1. During startup, the encryption system then uses AES encryption with SHA-256 (the aes-cbc-essiv:sha256 cipher setting) and a random key. A new key is generated each time that the server is started.
# vim /etc/crypttab
swap /dev/volume /dev/urandom swap,cipher=aes-cbc-essiv:sha256
- Restart the server to enable swap disk encryption.
- Verify that swap disk encryption is enabled with the lsblk command.
# lsblk
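The lsblk verification can be scripted so that it fails when any active swap area is not a dm-crypt mapping. The following is an added example, not part of the IBM documentation; the function names, the UNVERIFIED/PLAINTEXT labels, and the sample data are constructed for illustration, and it assumes that /proc/swaps reports kernel device names such as /dev/dm-0.

```shell
#!/bin/sh
# Added example (not IBM code): list active swap areas not backed by dm-crypt.
# On a live host:
#   lsblk -rno KNAME,TYPE > /tmp/lsblk.txt
#   check_swap_encrypted /proc/swaps /tmp/lsblk.txt

# check_swap_encrypted SWAPS_FILE LSBLK_FILE
# Prints one line per swap area that is not verified as encrypted.
# Returns 0 when every swap area has lsblk type "crypt", 1 otherwise.
check_swap_encrypted() {
    awk '
        BEGIN { bad = 0 }
        FILENAME == ARGV[1] { type[$1] = $2; next }   # KNAME -> TYPE map
        FNR == 1 { next }                             # /proc/swaps header
        {
            n = split($1, part, "/"); kname = part[n] # /dev/dm-0 -> dm-0
            if ($2 == "file") {
                print "UNVERIFIED " $1; bad = 1       # swap file: check its filesystem
            } else if (type[kname] != "crypt") {
                print "PLAINTEXT " $1; bad = 1
            }
        }
        END { exit bad }
    ' "$2" "$1"
}

# Constructed sample data: one dm-crypt swap (dm-0) and one plain partition.
demo_constructed() {
    tmp=$(mktemp -d) || return 2
    cat > "$tmp/swaps" <<'EOF'
Filename                                Type            Size    Used    Priority
/dev/dm-0                               partition       2097148 0       -2
/dev/sda3                               partition       1048572 0       -3
EOF
    cat > "$tmp/lsblk" <<'EOF'
sda disk
sda3 part
dm-0 crypt
EOF
    check_swap_encrypted "$tmp/swaps" "$tmp/lsblk"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo_constructed || echo "not all swap areas are encrypted"
```

If /proc/swaps on your system lists /dev/mapper names instead of /dev/dm-N, the check reports those entries as PLAINTEXT; generate the lsblk file with NAME,TYPE in that case.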