linux:fs:encrypted_swap [2025/03/23 08:41] – created niziaklinux:fs:encrypted_swap [2025/03/24 08:27] (current) niziak
Line 1: Line 1:
 ====== encrypted SWAP ====== ====== encrypted SWAP ======
  
 +<code bash>
 apt install cryptsetup apt install cryptsetup
  
-<file /etc/crypttab> +</code> 
-swap      /dev/sdX#    /dev/urandom   swap,cipher=aes-xts-plain64,size=512,sector-size=4096+ 
 +===== auto create ===== 
 + 
 +Auto create encrypted swap with random key for every boot. Problem is that given block device will be filled with random data when swap is created.  
 +So label / UUID is lost for next reboot. Need to use direct device names or use symlinks like ''/dev/disk/by-id/…'' which can be also unsafe and can hit another partition. 
 + 
 +Workaround: Put LABEL / UUID once on block device and leave small gap before real swap data to do not overwrite FS signature: 
 + 
 +<code bash> 
 +mkfs.ext2 -L cryptswap2 /dev/nvme0n1p3 1M 
 +blkid /dev/nvme0n1p3 
 +dev/nvme0n1p3: LABEL="cryptswap2" UUID="6b1b9a70-f50d-4d29-b3c6-6c7e2b819f39" ... 
 + 
 +</code> 
 + 
 +Note: ''offset'' below is counted in sectors of 512B. 
 + 
 +<file ini /etc/crypttab> 
 +swap2      LABEL=cryptswap2    /dev/urandom   swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,discard 
 </file> </file>
 +
 +Apply ''crypttab'' changes:
 +<code bash>
 +systemctl daemon-reload
 +systemctl restart cryptsetup.target
 +
 +</code>
 +
 +<file ini /etc/fstab>
 +/dev/mapper/swap2  none   swap    defaults,discard=once         0
 +
 +</file>
 +
 +NOTE: ''discard'' on encrypted device has security implications!
 +
 +
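Review bot: the added `/etc/fstab` entry is missing its sixth field; `/dev/mapper/swap2  none   swap    defaults,discard=once         0` has only `fs_freq`, so append the `fs_passno` column (`0 0`) to keep the standard six-field layout, even though both default to zero when omitted. The offset arithmetic in the new `crypttab` line checks out: `offset=2048` sectors of 512 B is 1 MiB, which matches the 1M ext2 filesystem written by `mkfs.ext2 -L cryptswap2 /dev/nvme0n1p3 1M` and is a multiple of the `sector-size=4096` dm-crypt is told to use, so the LABEL/UUID signature survives each boot's `mkswap`. After `systemctl restart cryptsetup.target` the mapping exists but the swap itself is not yet enabled; a `swapon -a` (or starting the fstab-generated swap unit) is needed before the next reboot picks it up. Two documentation fixes: the quoted `blkid` output line is missing its leading slash (`/dev/nvme0n1p3:`), and the closing NOTE should say what the implication of `discard` actually is: with `discard` in `crypttab`, TRIM requests pass through dm-crypt to the SSD, so whoever reads the raw device can tell which swap blocks are unused instead of seeing uniformly random data. The `discard=once` in `fstab` limits this to a single TRIM at swapon time (revealing which blocks have been written since boot rather than continuously which pages are currently free), which is the trade-off worth stating next to the warning.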