Auto crypting of swap now possible w/ fstab option in master

Tim Darby t+dfbsd at timdarby.net
Sat May 16 14:15:46 PDT 2015


Thanks Matt, this is a really nice improvement! I'll try it when I get back
from vacation next week.

Tim

On Sat, May 16, 2015 at 2:04 PM, Matthew Dillon <dillon at apollo.backplane.com> wrote:

> A more sophisticated encrypted swap using LUKS was already available and
> could be set up via the installer, capable of encrypting swap and dumps.
> Manual configuration through LUKS is a bit messy though.
>
> This feature provides a simpler way to just encrypt swap with a random key
> via /etc/fstab, perhaps as a preface to potentially implementing more
> sophisticated crypto features in /etc/fstab in the future that use dm-crypt
> directly and bypass LUKS.
>
> The master branch now has experimental automatic crypting of swap
> available.
> If using master, simply recompile and reinstall the /usr/src/sbin/swapon
> utility and then specify 'crypt' as a swap option in your /etc/fstab.
> For example:
>
>     # Device            Mountpoint      FStype  Options         Dump    Pass#
>     /dev/da0s1b         none            swap    sw,crypt,trim   0       0
>
> This will cause the appropriate /dev/mapper/swap-* crypto device to be created
> and swap operations to automatically be encrypted with a random key on boot.
>
> Note that this feature doesn't help with kernel dumps since a random key
> is used on each boot.  Kernel dumps can still be used, unsecured, by
> specifying the base device (e.g. /dev/da0s1b) for dumpon.
>
> This feature is considered experimental for the moment as it has not yet been
> validated for low-memory or swapcache operation.  But it should work well.
>
>                                         -Matt
>                                         Matthew Dillon
>                                         <dillon at backplane.com>
>
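
An added example, not part of the original messages and not DragonFly's own code: a shell check that lists the swap entries in an fstab and flags any that lack the 'crypt' option described above. The function names and the sample fstab are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit fstab swap entries for the 'crypt' option.

# audit_swap_fstab [FILE|-]   (hypothetical helper name)
# Reads an fstab (default /etc/fstab, '-' for stdin) and prints one line
# per active swap entry:
#   ENCRYPTED <device>   option list contains 'crypt'
#   PLAINTEXT <device>   option list does not contain 'crypt'
# Returns 1 if any swap entry is plaintext, 0 otherwise.
audit_swap_fstab() {
    awk '
        $1 ~ /^#/ || NF < 4 { next }   # skip comments, blanks, short lines
        $3 != "swap"        { next }   # only swap entries matter here
        {
            # Compare whole comma-separated options, not substrings,
            # so an unrelated option containing "crypt" is not a match.
            n = split($4, opts, ",")
            enc = 0
            for (i = 1; i <= n; i++) if (opts[i] == "crypt") enc = 1
            if (enc) print "ENCRYPTED " $1
            else   { print "PLAINTEXT " $1; bad = 1 }
        }
        END { exit bad + 0 }
    ' "${1:-/etc/fstab}"
}

# Constructed sample input (not taken from a real system). The commented-out
# entry must not be counted as an encrypted swap device.
sample_fstab() {
    cat <<'EOF'
# Device            Mountpoint      FStype  Options         Dump    Pass#
/dev/da0s1a         /boot           ufs     rw              1       1
/dev/da0s1b         none            swap    sw,crypt,trim   0       0
/dev/da1s1b         none            swap    sw              0       0
#/dev/da3s1b        none            swap    sw,crypt        0       0
EOF
}

# Demonstration on the constructed sample.
sample_fstab | audit_swap_fstab - || echo "unencrypted swap entry present"
```

This inspects configuration only; it does not confirm that the /dev/mapper/swap-* device was actually created at boot.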