meta data for this page
  •  

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
linux:fs:encrypted_swap [2025/03/23 08:52] niziaklinux:fs:encrypted_swap [2025/03/24 08:27] (current) niziak
Line 3: Line 3:
 <code bash> <code bash>
 apt install cryptsetup apt install cryptsetup
 +
 </code> </code>
  
 ===== auto create ===== ===== auto create =====
  
-Auto create encrypted swap with random key for every boot. Problem is that given block device will be filled with random data +Auto create encrypted swap with random key for every boot. Problem is that given block device will be filled with random data when swap is created.  
-when swap is created. So label / UUID is lost for next reboot. Need to use direct device names or use symlinks like ''/dev/disk/by-id/...'' +So label / UUID is lost for next reboot. Need to use direct device names or use symlinks like ''/dev/disk/by-id/'' which can be also unsafe and can hit another partition.
-which can be also unsafe and can hit another partition.+
  
-Workaround: +Workaround: Put LABEL / UUID once on block device and leave small gap before real swap data to do not overwrite FS signature:
-Put LABEL / UUID once on block device and leave small gap before real swap data to do not overwrite FS signature:+
  
 <code bash> <code bash>
Line 18: Line 17:
 blkid /dev/nvme0n1p3 blkid /dev/nvme0n1p3
 dev/nvme0n1p3: LABEL="cryptswap2" UUID="6b1b9a70-f50d-4d29-b3c6-6c7e2b819f39" ... dev/nvme0n1p3: LABEL="cryptswap2" UUID="6b1b9a70-f50d-4d29-b3c6-6c7e2b819f39" ...
 +
 </code> </code>
  
 Note: ''offset'' below is counted in sectors of 512B. Note: ''offset'' below is counted in sectors of 512B.
  
-<file /etc/crypttab> +<file ini /etc/crypttab> 
-swap2      LABEL=cryptswap2    /dev/urandom   swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096+swap2      LABEL=cryptswap2    /dev/urandom   swap,offset=2048,cipher=aes-xts-plain64,size=512,sector-size=4096,discard 
 </file> </file>
 +
 +Apply ''crypttab'' changes:
 +<code bash>
 +systemctl daemon-reload
 +systemctl restart cryptsetup.target
 +
 +</code>
 +
 +<file ini /etc/fstab>
 +/dev/mapper/swap2  none   swap    defaults,discard=once         0
 +
 +</file>
 +
 +NOTE: ''discard'' on encrypted device has security implications!
 +