Auto crypting of swap now possible w/ fstab option in master

Matthew Dillon dillon at apollo.backplane.com
Sat May 16 14:04:18 PDT 2015


A more sophisticated encrypted swap using LUKS was already available and
could be set up via the installer, capable of encrypting swap and dumps.
Manual configuration through luks is a bit messy though.

This feature provides a simpler way to just encrypt swap with a random key
via /etc/fstab, perhaps as a preface to potentially implementing more
sophisticated crypto features in /etc/fstab in the future that use dm-crypt
directly and bypass LUKS.

The master branch now has experimental automatic crypting of swap available.
If using master, simply recompile and reinstall the /usr/src/sbin/swapon
utility and then specify 'crypt' as a swap option in your /etc/fstab.
For example:

    # Device            Mountpoint      FStype  Options         Dump    Pass#
    /dev/da0s1b		none            swap    sw,crypt,trim   0	0

This will cause the appropriate /dev/mapper/swap-* crypto device to be created
and swap operations to automatically be encrypted with a random key on boot.

Note that this features doesn't help with kernel dumps since a random key
is used on each boot.  Kernel dumps can still be used, unsecured, by
specifying the base device (e.g. /dev/da0s1b) for dumpon.

This feature is considered experimental for the moment as it has not yet been
validated for low-memory or swapcache operation.  But it should work well.

					-Matt
					Matthew Dillon 
					<dillon at backplane.com>


More information about the Users mailing list