I encrypt the swap on all my Linux systems. A running process may hold sensitive data in memory, such as keys and passwords, and under memory pressure the kernel can write those pages out to swap, where they stay on disk long after the process has exited. On my systems, my primary concern is the passphrase I use with TrueCrypt: there is a slim possibility that a thief could steal a system and recover that passphrase, and with it the encrypted volumes, by analysing the swap space.
Setting up swap encryption is very easy.
- Turn off swap with ‘swapoff -a’.
- Set up /etc/crypttab to map the swap partition with a key read from /dev/urandom at every boot. You can use /dev/random instead for better random entropy, but on older kernels it blocks until the pool is seeded and can extend the boot time by several minutes; read the urandom manual page if you don’t know the difference. Because the key is regenerated at each boot, this swap cannot be used for suspend-to-disk (hibernation): nothing can recover the previous boot’s key. The ‘swap’ option makes the boot scripts run mkswap on the mapped device every boot, so the device name must be stable and correct. Replace /dev/mapper/fedora_goemon-swap with your swap partition, and avoid /dev/sdXN names that can change between boots.

  cryptoswap /dev/mapper/fedora_goemon-swap /dev/urandom cipher=aes-cbc-essiv:sha256,hash=sha256,swap

- Add the cryptoswap mapping to /etc/fstab:

  /dev/mapper/cryptoswap swap swap defaults 0 0

- You can either reboot and you’re all set, or you can activate the encrypted swap immediately. The cipher and hash are passed explicitly so the manual activation matches the crypttab entry, and mkswap is needed because the freshly created mapping has no swap signature yet (at boot the ‘swap’ option takes care of that):

  cryptsetup -d /dev/urandom -c aes-cbc-essiv:sha256 -h sha256 create cryptoswap /dev/mapper/fedora_goemon-swap
  mkswap /dev/mapper/cryptoswap
  swapon -a
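As an added example that is not part of the original post, the steps above wrapped in a small POSIX shell script: it generates the crypttab and fstab lines, refuses device names that are not stable across boots (since the ‘swap’ option reformats whatever device the entry points at on every boot), and only touches the system when run as root with --apply. The mapping name cryptoswap and the device /dev/mapper/fedora_goemon-swap are the ones used above; the by-uuid check reflects that mkswap assigns a new swap UUID each boot, so a /dev/disk/by-uuid path would stop resolving.

```shell
#!/bin/sh
# Added example: helper for setting up random-key encrypted swap.
# Mapping name and device path are taken from the post above; adjust to your system.

# /etc/crypttab entry: name, backing device, keyfile, options.
crypttab_entry() {
    printf '%s %s /dev/urandom cipher=aes-cbc-essiv:sha256,hash=sha256,swap\n' "$1" "$2"
}

# /etc/fstab entry for the mapped device.
fstab_entry() {
    printf '/dev/mapper/%s swap swap defaults 0 0\n' "$1"
}

# Return 0 only for device names that do not change between boots.
# /dev/sdXN can be renumbered; /dev/disk/by-uuid points at the swap signature,
# which mkswap rewrites every boot, so neither is safe as a mkswap target.
stable_device() {
    case $1 in
        /dev/disk/by-uuid/*) return 1 ;;
        /dev/mapper/*|/dev/disk/by-id/*|/dev/disk/by-partuuid/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Perform the manual activation from the post: stop swap, map the device with a
# fresh random key, write a swap signature, and enable it. Requires root.
activate_encrypted_swap() {
    name=$1
    dev=$2
    if ! stable_device "$dev"; then
        echo "refusing unstable device name: $dev" >&2
        return 1
    fi
    swapoff -a
    cryptsetup -d /dev/urandom -c aes-cbc-essiv:sha256 -h sha256 create "$name" "$dev"
    mkswap "/dev/mapper/$name"
    swapon -a
}

# Usage: sh encswap.sh --apply   (as root). Without --apply only the entries are printed.
NAME=cryptoswap
DEV=/dev/mapper/fedora_goemon-swap
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    crypttab_entry "$NAME" "$DEV" >> /etc/crypttab
    fstab_entry "$NAME" >> /etc/fstab
    activate_encrypted_swap "$NAME" "$DEV"
fi
```

Run it once without --apply first and compare the two printed lines against the existing /etc/crypttab and /etc/fstab, since the script appends rather than merging entries.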