This document describes how to configure an encrypted swap partition
on Debian systems. An encrypted swap partition prevents spying on
plaintext secrets (passwords) that may be written to disk when memory

First deactivate your swap: swapoff -a

Your /etc/fstab file should have a swap entry like this (/dev/hda9
might be a different partition on your system):
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/hda9 none swap sw 0 0

Now just replace /dev/hda9 (or whatever your swap partition is)
with the new device name /dev/mapper/cswap:
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/cswap none swap sw 0 0

After that add an entry in /etc/crypttab (replace /dev/hda9 with
your own swap partition):
# <target name> <source device> <key file> <options>
cswap /dev/hda9 /dev/random swap,cipher=aes-cbc-plain,size=128,hash=ripemd160

Now start your encrypted device: /etc/init.d/cryptdisks start
And reactivate your swap: swapon -a

That's it! You have an encrypted swap device. Note that the
/dev/random device might not generate enough random bytes, so the boot
process can wait indefinitely unless you press some keys on your
keyboard. To be sure that booting is not interrupted, use the (less
secure) /dev/urandom device instead.

Read the crypttab(5) manpage for more information, for example options
to use a different encryption algorithm than the default.
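
A check one might run after the steps above, as an added example that is not part of the original document: it reads an fstab and a crypttab and reports any swap entry that is still a plain partition, has no crypttab entry, or lacks a random key file or the swap option. The function names audit_swap and audit_swap_demo and the sample files are constructed for illustration.

```shell
# audit_swap FSTAB CRYPTTAB   (hypothetical helper, not part of cryptsetup)
# Returns 0 only if every swap entry in FSTAB is /dev/mapper/<name> and the
# CRYPTTAB line for <name> has a random key file and the "swap" option.
audit_swap() {
    fstab=$1; crypttab=$2; status=0
    # First field of every non-comment fstab line whose type is swap.
    swaps=$(awk '$1 !~ /^#/ && $3 == "swap" { print $1 }' "$fstab")
    for dev in $swaps; do
        case $dev in
            /dev/mapper/*) name=${dev#/dev/mapper/} ;;
            *) echo "PLAINTEXT $dev: not a device-mapper target"
               status=1; continue ;;
        esac
        # Key file and options of the crypttab line with that target name.
        entry=$(awk -v n="$name" '$1 == n { print $3, $4; exit }' "$crypttab")
        if [ -z "$entry" ]; then
            echo "MISSING $dev: no crypttab entry named $name"
            status=1; continue
        fi
        key=${entry%% *}; opts=${entry#* }
        case $key in
            /dev/random|/dev/urandom) ;;
            *) echo "WEAK $dev: key file $key is not a random device"
               status=1; continue ;;
        esac
        case ",$opts," in
            *,swap,*) echo "OK $dev: random key from $key, swap option set" ;;
            *) echo "WEAK $dev: crypttab options lack swap"; status=1 ;;
        esac
    done
    return $status
}

# Constructed sample: this page's fstab and crypttab lines plus one leftover
# plaintext swap line, written to a temporary directory.
audit_swap_demo() {
    tmp=$(mktemp -d); rc=0
    printf '%s\n' '/dev/mapper/cswap none swap sw 0 0' \
        '/dev/hda9 none swap sw 0 0' > "$tmp/fstab"
    printf '%s\n' \
        'cswap /dev/hda9 /dev/random swap,cipher=aes-cbc-plain,size=128,hash=ripemd160' \
        > "$tmp/crypttab"
    audit_swap "$tmp/fstab" "$tmp/crypttab" || rc=$?
    rm -rf "$tmp"
    return $rc
}
```

On a real system the call is audit_swap /etc/fstab /etc/crypttab; it only reads the two files, so it does not show whether the mapping is currently active.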