~siretart/cryptsetup/debian

This document describes how to configure an encrypted swap partition
on Debian systems. An encrypted swap partition prevents spying on
plaintext secrets (passwords) that may be written to disk when memory
is swapped to disk.

First deactivate your swap: swapoff -a

Your /etc/fstab file should have a swap entry like this (/dev/hda9
might be a different partition on your system):
# <file system> <mount point>   <type>  <options>     <dump>  <pass>
/dev/hda9        none           swap    sw            0       0

Now just replace /dev/hda9 (or whatever your swap partition is)
with the new device name /dev/mapper/cswap:
# <file system> <mount point>   <type>  <options>     <dump>  <pass>
/dev/mapper/cswap  none         swap    sw            0       0

After that add an entry in /etc/crypttab (replace /dev/hda9 with
your own swap partition):
# <target name> <source device>	<key file>	<options>
cswap		/dev/hda9	/dev/random	swap,cipher=aes-cbc-plain,size=128,hash=ripemd160

Now start your encrypted device: /etc/init.d/cryptdisks start
And reactivate your swap:       swapon -a

That's it! You have an encrypted swap device. Note that the
/dev/random device might not generate enough random bytes, so the boot
process can wait indefinitely unless you press some keys on your
keyboard. To be sure that booting is not interrupted, use the (less
secure) /dev/urandom device instead.
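
To check that the two files agree after the steps above, the following shell
function is an added example (not part of the cryptsetup package). The name
audit_swap is hypothetical; it only reads the two configuration files and
does not inspect the running system.

```shell
#!/bin/sh
# Added example (not from the cryptsetup package): audit the setup above.
# audit_swap [FSTAB] [CRYPTTAB] prints one finding per swap entry and
# returns non-zero if any swap entry is not backed by a crypttab swap target.
audit_swap() {
    fstab=${1:-/etc/fstab}
    crypttab=${2:-/etc/crypttab}
    [ -r "$crypttab" ] || crypttab=/dev/null   # no crypttab: nothing is encrypted
    awk -v crypttab="$crypttab" '
        /^[ \t]*(#|$)/ { next }                # skip comments and blank lines
        FILENAME == crypttab {                 # pass 1: <target> <source> <key> <options>
            key[$1] = $3; opts[$1] = $4; next
        }
        $3 != "swap" { next }                  # pass 2: only fstab swap entries
        {
            name = $1
            if (sub(/^\/dev\/mapper\//, "", name) == 0) {
                print "FAIL " $1 ": swap on a plain device"; bad = 1; next
            }
            if (!(name in key)) {
                print "FAIL " $1 ": no crypttab target named " name; bad = 1; next
            }
            if (("," opts[name] ",") !~ /,swap,/) {
                print "FAIL " $1 ": crypttab entry lacks the swap option"; bad = 1; next
            }
            if (key[name] == "/dev/random")
                print "WARN " $1 ": key from /dev/random, boot may wait for entropy"
            else if (key[name] != "/dev/urandom")
                print "WARN " $1 ": key file " key[name] " is not a random device"
            print "OK   " $1 ": encrypted swap via crypttab target " name
        }
        END { exit bad }
    ' "$crypttab" "$fstab"
}
```

Run it as "audit_swap" to check /etc/fstab and /etc/crypttab, or pass two
file names to check copies of them.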

Read the crypttab(5) manpage for more information, for example options
to use a different encryption algorithm than the default.

-- Bastian Kleineidam <calvin@debian.org>