Auto crypting of swap now possible w/ fstab option in master
    Matthew Dillon 
    dillon at apollo.backplane.com
       
    Sat May 16 14:04:18 PDT 2015
    
    
  
A more sophisticated encrypted swap using LUKS was already available and
could be set up via the installer, capable of encrypting swap and dumps.
Manual configuration through LUKS is a bit messy though.

This feature provides a simpler way to just encrypt swap with a random key
via /etc/fstab, perhaps as a preface to potentially implementing more
sophisticated crypto features in /etc/fstab in the future that use dm-crypt
directly and bypass LUKS.

The master branch now has experimental automatic crypting of swap available.
If using master, simply recompile and reinstall the /usr/src/sbin/swapon
utility and then specify 'crypt' as a swap option in your /etc/fstab.
For example:

    # Device            Mountpoint      FStype  Options         Dump    Pass#
    /dev/da0s1b         none            swap    sw,crypt,trim   0       0

This will cause the appropriate /dev/mapper/swap-* crypto device to be created
and swap operations to automatically be encrypted with a random key on boot.

Note that this feature doesn't help with kernel dumps since a random key
is used on each boot.  Kernel dumps can still be used, unsecured, by
specifying the base device (e.g. /dev/da0s1b) for dumpon.

This feature is considered experimental for the moment as it has not yet been
validated for low-memory or swapcache operation.  But it should work well.

					-Matt
					Matthew Dillon 
					<dillon at backplane.com>
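
An added example, not part of the original post and not a DragonFly utility: a small shell check that reads an fstab file and reports which swap entries carry the 'crypt' option described above. The helper names and the sample fstab (including /dev/da1s1b) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report swap entries in an fstab that lack the 'crypt' option.
# check_swap_crypt and sample_fstab are hypothetical helper names.

# Usage: check_swap_crypt [file]   (default /etc/fstab, "-" reads stdin)
# Prints "<device> crypt" or "<device> plain" for each swap entry.
# Returns 0 if every swap entry has 'crypt', 1 if any entry lacks it.
check_swap_crypt() {
    awk '
        $1 ~ /^#/ || NF < 4 { next }    # skip comments, blank and short lines
        $3 != "swap"        { next }    # only look at swap entries
        {
            # Split the options field and look for an exact "crypt" token.
            n = split($4, opts, ",")
            state = "plain"
            for (i = 1; i <= n; i++)
                if (opts[i] == "crypt") state = "crypt"
            print $1, state
            if (state == "plain") bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "${1:-/etc/fstab}"
}

# Constructed sample input, not taken from a real system.
sample_fstab() {
    cat <<'EOF'
# Device            Mountpoint      FStype  Options         Dump    Pass#
/dev/da0s1b         none            swap    sw,crypt,trim   0       0
/dev/da1s1b         none            swap    sw              0       0
/dev/da0s1a         /               hammer  rw              1       1
EOF
}

# Demo run on the constructed sample.
sample_fstab | check_swap_crypt - || echo "unencrypted swap entry found" >&2
```
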
    
    