WTF... For some reason I was certain that encrypted swap on Linux needs some complicated setup...

In reality, you just need cryptsetup, a line in /etc/crypttab that has the "swap" attribute and uses /dev/urandom as source for an ephemeral key (swap doesn't usually need to survive reboots), and then point your swap entry in fstab to the resulting device mapper device.

See the cryptsetup FAQ, "2.3 How do I set up encrypted swap" (gitlab.com/cryptsetup/cryptset), or the CRYPTTAB(5) man page.

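As an added example (this is not code from the original post or from the cryptsetup project), here are the two lines the post describes, produced by a small POSIX shell script together with a sanity check of the crypttab line's shape. Assumptions: the PARTUUID path is a placeholder you must replace with your real swap partition, "cryptswap" is an arbitrary mapper name, and the cipher and key-size options are the ones the cryptsetup FAQ uses in its swap example; check CRYPTTAB(5) on your distribution for the exact option names it supports.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: the PARTUUID below is
# a placeholder to replace with the real swap partition, "cryptswap" is an
# arbitrary mapper name, and the cipher/size options follow the cryptsetup
# FAQ's swap example; check CRYPTTAB(5) on your distribution.

SWAP_PART='/dev/disk/by-partuuid/11111111-2222-3333-4444-555555555555'  # placeholder
MAPPER_NAME='cryptswap'

# /etc/crypttab line: <name> <backing device> <key source> <options>.
# /dev/urandom as the key source gives a fresh, never-stored key on every boot;
# the "swap" option tells the boot scripts to run mkswap on the mapped device.
crypttab_line() {
    printf '%s %s /dev/urandom swap,cipher=aes-xts-plain64,size=256\n' \
        "$MAPPER_NAME" "$SWAP_PART"
}

# /etc/fstab line: swap lives on the device-mapper node, never on the raw partition.
fstab_line() {
    printf '/dev/mapper/%s none swap sw 0 0\n' "$MAPPER_NAME"
}

# Shape check for a crypttab line before it is installed. Because mkswap will
# be run on whatever device the line names at every boot, a wrong device means
# that device's contents are gone, so this refuses anything that is not a /dev
# path. It also refuses UUID references: a filesystem UUID lives inside the
# partition and is overwritten by mkswap, so it would not resolve next boot.
check_crypttab_line() {
    set -- $1    # intentional word splitting into the four crypttab fields
    [ $# -eq 4 ] || { echo "crypttab: expected 4 fields, got $#" >&2; return 1; }
    case $2 in
        UUID=*|/dev/disk/by-uuid/*)
            echo "crypttab: UUID reference will not survive mkswap" >&2; return 1 ;;
        /dev/*) ;;
        *)  echo "crypttab: backing device must be a /dev path" >&2; return 1 ;;
    esac
    [ "$3" = /dev/urandom ] || { echo "crypttab: key source is not /dev/urandom" >&2; return 1; }
    case ",$4," in
        *,swap,*) ;;
        *) echo "crypttab: missing the swap option (mkswap will not be run)" >&2; return 1 ;;
    esac
}

# Show what would go into each file and check the crypttab line.
echo '# /etc/crypttab'; crypttab_line
echo '# /etc/fstab';    fstab_line
check_crypttab_line "$(crypttab_line)" && echo 'crypttab line looks sane'
```

The check exists because of the one thing that makes random-key swap different from a LUKS volume: there is no header identifying the device, and the partition is reformatted on every boot, so crypttab must name it by something that lives outside the partition (a GPT PARTUUID or a /dev/disk/by-id path), and naming the wrong partition destroys it silently at the next boot.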

@galaxis That's actually the old way of doing it. Put an LVM inside LUKS and your swap survives reboots without urandom hackery that may provide weak keys on early boot.

@hello @galaxis In addition, using random keys for swap breaks suspend to disk.

@hello Yeah, it's mostly a non-issue with full-disk encryption. But in this special case I wanted an OS that boots up without user intervention (and then provides an environment for something container-ish on encrypted storage).
