One Reply to “Automatic encryption of swap”

  1. Cool. I feel kind of responsible. ;)

    The problem I had with the way the installer sets up encrypted swap is that it requires LUKS, so the key material must be entered at every boot. While that certainly has its place, it’s not so great for remote/headless boxes.

    Regarding the link to “may have been possible another way,” it was definitely possible another way, but not the way described there. The way described there works fine in Linux, where crypttab(5) has support for such a method, but dfly’s crypttab(5) implementation *requires* LUKS (i.e. it has zero support for plain dm-crypt). So, to achieve random crypted swap on dfly in absence of this new, more elegant fstab feature, I had to do the following because of dfly’s crypttab(5) limitations.

    1) Add the noauto option to the swap partition in /etc/fstab.
    2) Create /etc/rc.local containing the following two commands…
    cryptsetup --key-file /dev/urandom --key-size 128 create swap /dev/vbd0s1b
    swapon /dev/mapper/swap

    And note that using a key size much smaller will reliably panic dfly 4.0.5 REL. I found that 64 bytes was quite reliable. I jumped to 128 bytes at dillon’s suggestion. Try anything between 64 and 128 on 4.0.5 REL or less at your own peril. This issue should be fixed thereafter.
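The rc.local procedure above, as an added example that is not the commenter's own script: a POSIX sh fragment that performs the same two steps but checks first that the fstab entry carries noauto, that the key size lies in the range the comment reports as working, and that the mapping is not already present. The device path, mapping name and key size come from the comment; the fstab check, the `DRY_RUN` switch and the variable names are assumptions.

```shell
#!/bin/sh
# Random-key plain dm-crypt swap for /etc/rc.local (added example, not the
# commenter's script). Values below are taken from the comment; FSTAB and
# DRY_RUN are assumptions added for checking and testing.
SWAP_DEV="${SWAP_DEV:-/dev/vbd0s1b}"
MAP_NAME="${MAP_NAME:-swap}"
KEY_SIZE="${KEY_SIZE:-128}"
FSTAB="${FSTAB:-/etc/fstab}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the commands instead of running them

# Accept only the --key-size values the comment reports as stable on 4.0.5.
check_key_size() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 64 ] && [ "$1" -le 128 ]
}

# Succeed only if the swap entry for $2 in fstab $1 has the noauto option;
# without it the kernel would activate the partition unencrypted at boot.
fstab_has_noauto() {
    awk -v dev="$2" '$1 == dev && $3 == "swap" && $4 ~ /(^|,)noauto(,|$)/ { found = 1 }
                     END { exit found ? 0 : 1 }' "$1"
}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_crypt_swap() {
    check_key_size "$KEY_SIZE" || { echo "bad key size: $KEY_SIZE" >&2; return 1; }
    fstab_has_noauto "$FSTAB" "$SWAP_DEV" || { echo "$SWAP_DEV lacks noauto in $FSTAB" >&2; return 1; }
    [ -e "$SWAP_DEV" ] || [ "$DRY_RUN" = 1 ] || { echo "missing $SWAP_DEV" >&2; return 1; }
    # rc.local may be run more than once; do not re-key a live mapping.
    if [ "$DRY_RUN" != 1 ] && [ -e "/dev/mapper/$MAP_NAME" ]; then
        echo "$MAP_NAME already mapped" >&2; return 0
    fi
    run cryptsetup --key-file /dev/urandom --key-size "$KEY_SIZE" create "$MAP_NAME" "$SWAP_DEV" || return 1
    run swapon "/dev/mapper/$MAP_NAME"
}
# In /etc/rc.local, finish the file with:  setup_crypt_swap
```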
