encrypted SWAP

apt install cryptsetup

auto create

Auto-create an encrypted swap with a random key on every boot. The problem is that the given block device is filled with random data each time the swap is created, so any label / UUID on it is lost for the next reboot. You then have to use direct device names, or symlinks like /dev/disk/by-id/…, which can also be unsafe and may hit another partition.

Workaround: put a LABEL / UUID on the block device once and leave a small gap before the real swap data, so that the FS signature is not overwritten:

mkfs.ext2 -L cryptswap2 /dev/nvme0n1p3 1M
blkid /dev/nvme0n1p3
/dev/nvme0n1p3: LABEL="cryptswap2" UUID="6b1b9a70-f50d-4d29-b3c6-6c7e2b819f39" ...

Note: the offset below is counted in 512-byte sectors, so offset=2048 is 1 MiB, matching the 1M filesystem created above.

/etc/crypttab
swap2      LABEL=cryptswap2    /dev/urandom   swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,discard

Apply crypttab changes:

systemctl daemon-reload
systemctl restart cryptsetup.target

/etc/fstab
/dev/mapper/swap2  none   swap    defaults,discard=once   0       0

NOTE: discard (TRIM) on an encrypted device has security implications!
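A small POSIX-shell sanity check for the crypttab entry above, added here as an example (it is not part of the original page or of cryptsetup): it parses the option list, converts offset from 512-byte sectors to bytes and confirms the swap data starts at or beyond the gap written by mkfs.ext2, that the device is named by LABEL= or UUID=, that the offset is aligned to sector-size, and whether discard is on. GAP_BYTES, the function names and the SAMPLE line are assumptions constructed from this page.

```sh
#!/bin/sh
# Added example, not from the original page: sanity-check a random-key swap
# entry in /etc/crypttab against the label-gap workaround described above.
GAP_BYTES=1048576   # size of the "mkfs.ext2 -L ... 1M" filesystem that holds the label

crypttab_source()  { set -- $1; printf '%s\n' "$2"; }   # 2nd field: LABEL=/UUID=/path
crypttab_options() { set -- $1; printf '%s\n' "$4"; }   # 4th field: option list

# crypttab_option LINE NAME -> value of NAME=value in the option list (empty if absent)
crypttab_option() { crypttab_options "$1" | tr ',' '\n' | sed -n "s/^$2=//p"; }

# crypttab_has_flag LINE FLAG -> true if a bare flag such as "discard" is set
crypttab_has_flag() { crypttab_options "$1" | tr ',' '\n' | grep -qx "$2"; }

# swap_start_bytes LINE -> where dm-crypt starts writing; offset counts 512-byte sectors
swap_start_bytes() {
    off=$(crypttab_option "$1" offset)
    echo $(( ${off:-0} * 512 ))
}

# gap_ok LINE GAP -> true when the swap data starts at or after the GAP bytes that hold
# the ext2 signature, so blkid still finds the LABEL on the next boot
gap_ok() { [ "$(swap_start_bytes "$1")" -ge "$2" ]; }

# offset_aligned LINE -> true when the offset is a whole number of crypto sectors
# (sector-size option, default 512) so sector boundaries line up with the gap
offset_aligned() {
    ss=$(crypttab_option "$1" sector-size)
    [ $(( $(swap_start_bytes "$1") % ${ss:-512} )) -eq 0 ]
}

# source_is_persistent LINE -> true when the device is named by LABEL= or UUID=
source_is_persistent() {
    case "$(crypttab_source "$1")" in LABEL=*|UUID=*) return 0 ;; esac
    return 1
}

# check_entry LINE -> run all checks, printing the reason on failure
check_entry() {
    source_is_persistent "$1" || { echo "source is not LABEL=/UUID="; return 1; }
    gap_ok "$1" "$GAP_BYTES"  || { echo "offset too small: swap would overwrite the signature"; return 1; }
    offset_aligned "$1"       || { echo "offset is not aligned to sector-size"; return 1; }
    crypttab_has_flag "$1" discard && echo "warning: discard is enabled (see the note on security implications)"
    return 0
}

# constructed sample: the crypttab line from this page; after swapon, a matching
# "blkid -o value -s LABEL /dev/nvme0n1p3" confirms the signature survived
SAMPLE='swap2 LABEL=cryptswap2 /dev/urandom swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,discard'
check_entry "$SAMPLE" && echo "crypttab entry OK"
```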