====== encrypted SWAP ======
<code>
apt install cryptsetup
</code>
===== auto create =====
Automatically create encrypted swap with a new random key on every boot. The problem is that the given block device is filled with random data each time the swap is created,
so its LABEL / UUID is lost on the next reboot. You then have to use direct device names or symlinks like ''/dev/disk/by-id/…'', which can also be unsafe and can hit another partition.
Workaround: put a LABEL / UUID on the block device once and leave a small gap before the real swap data so that the FS signature is not overwritten:
<code>
mkfs.ext2 -L cryptswap2 /dev/nvme0n1p3 1M
blkid /dev/nvme0n1p3
/dev/nvme0n1p3: LABEL="cryptswap2" UUID="6b1b9a70-f50d-4d29-b3c6-6c7e2b819f39" ...
</code>
Add the entry to ''/etc/crypttab''. Note: ''offset'' below is counted in sectors of 512B, so ''offset=2048'' skips the 1M reserved above.
<code>
swap2 LABEL=cryptswap2 /dev/urandom swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,discard
</code>
Apply ''crypttab'' changes:
<code>
systemctl daemon-reload
systemctl restart cryptsetup.target
</code>
Add the mapped device to ''/etc/fstab'':
<code>
/dev/mapper/swap2 none swap defaults,discard=once 0 0
</code>
NOTE: ''discard'' on an encrypted device has security implications!
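A lint for the ''crypttab'' entry above, as an added example that is not part of the original page: it checks that the source is a stable LABEL/UUID, that the throwaway key is paired with ''swap'', and that ''offset'' skips the whole placeholder filesystem. The function name ''check_swap_entry'' and its output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): lint one /etc/crypttab line.
# Usage: check_swap_entry "<crypttab line>" <reserved_bytes>
# reserved_bytes = size of the placeholder filesystem carrying the LABEL/UUID.
# Returns 0 if the entry is acceptable, 1 if any FAIL line was printed.
check_swap_entry() {
    reserved=$2
    set -f                          # no globbing while splitting fields
    set -- $1                       # name, source device, key file, options
    name=$1; src=$2; key=$3; opts=$4
    rc=0; offset=""; has_swap=no; has_discard=no
    old_ifs=$IFS; IFS=,
    for opt in $opts; do
        case $opt in
            swap)     has_swap=yes ;;
            offset=*) offset=${opt#offset=} ;;
            discard)  has_discard=yes ;;
        esac
    done
    IFS=$old_ifs; set +f

    # The device is re-keyed and reformatted each boot: require a stable name.
    case $src in
        LABEL=*|UUID=*) ;;
        *) echo "FAIL $name: source '$src' is not LABEL=/UUID="; rc=1 ;;
    esac
    # A random per-boot key only makes sense together with the swap option.
    if [ "$has_swap" != yes ] || [ "$key" != /dev/urandom ]; then
        echo "FAIL $name: expected key /dev/urandom with the 'swap' option"; rc=1
    fi
    # offset= is in 512-byte sectors and must skip the whole placeholder FS.
    case $offset in
        ''|*[!0-9]*) echo "FAIL $name: no numeric offset=, signature gets overwritten"; rc=1 ;;
        *) if [ $((offset * 512)) -lt "$reserved" ]; then
               echo "FAIL $name: offset skips $((offset * 512)) B, need $reserved B"; rc=1
           fi ;;
    esac
    [ "$has_discard" = yes ] && echo "WARN $name: discard passes TRIM through the encrypted device"
    return $rc
}

# Entry from this page, checked against the 1M placeholder filesystem.
check_swap_entry 'swap2 LABEL=cryptswap2 /dev/urandom swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,discard' 1048576
```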