<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	
	>
<channel>
	<title>
	Comments on: Automatic encryption of swap	</title>
	<atom:link href="https://www.dragonflydigest.com/2015/05/18/automatic-encryption-of-swap/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.dragonflydigest.com/2015/05/18/automatic-encryption-of-swap/</link>
	<description>A running description of activity related to DragonFly BSD.</description>
	<lastBuildDate>Tue, 19 May 2015 09:10:27 +0000</lastBuildDate>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>
	<item>
		<title>
		By: Kyle Amon		</title>
		<link>https://www.dragonflydigest.com/2015/05/18/automatic-encryption-of-swap/comment-page-1/#comment-344760</link>

		<dc:creator><![CDATA[Kyle Amon]]></dc:creator>
		<pubDate>Tue, 19 May 2015 09:10:27 +0000</pubDate>
		<guid isPermaLink="false">http://www.dragonflydigest.com/?p=16113#comment-344760</guid>

					<description><![CDATA[Cool.  I feel kind of responsible. ;)

The problem I had with the way the installer sets up encrypted swap is that it requires LUKS, so the key material must be entered at every boot.  While that certainly has its place, it&#039;s not so great for remote/headless boxes.

Regarding the link to &quot;may have been possible another way,&quot; it was definitely possible another way, but not the way described there.  The way described there works fine in Linux, where crypttab(5) has support for such a method, but dfly&#039;s crypttab(5) implementation *requires* LUKS (i.e. it has zero support for plain dm-crypt).  So, to achieve random crypted swap on dfly in absence of this new, more elegant fstab feature, I had to do the following because of dfly&#039;s crypttab(5) limitations.

1) Add the noauto option to the swap partition in /etc/fstab.
2) Create /etc/rc.local containing the following two commands...
    cryptsetup --key-file /dev/urandom --key-size 128 create swap /dev/vbd0s1b  
    swapon /dev/mapper/swap

And note that using a key size much smaller will reliably panic dfly 4.0.5 REL.  I found that 64 bytes was quite reliable.  I jumped to 128 bytes at dillon&#039;s suggestion.  Try anything between 64 and 128 on 4.0.5 REL or less at your own peril.  This issue should be fixed thereafter.]]></description>
			<content:encoded><![CDATA[<p>Cool.  I feel kind of responsible. ;)</p>
<p>The problem I had with the way the installer sets up encrypted swap is that it requires LUKS, so the key material must be entered at every boot.  While that certainly has its place, it&#8217;s not so great for remote/headless boxes.</p>
<p>Regarding the link to &#8220;may have been possible another way,&#8221; it was definitely possible another way, but not the way described there.  The way described there works fine in Linux, where crypttab(5) has support for such a method, but dfly&#8217;s crypttab(5) implementation *requires* LUKS (i.e. it has zero support for plain dm-crypt).  So, to achieve random crypted swap on dfly in absence of this new, more elegant fstab feature, I had to do the following because of dfly&#8217;s crypttab(5) limitations.</p>
<p>1) Add the noauto option to the swap partition in /etc/fstab.<br />
2) Create /etc/rc.local containing the following two commands&#8230;<br />
    cryptsetup --key-file /dev/urandom --key-size 128 create swap /dev/vbd0s1b<br />
    swapon /dev/mapper/swap</p>
<p>And note that using a key size much smaller will reliably panic dfly 4.0.5 REL.  I found that 64 bytes was quite reliable.  I jumped to 128 bytes at dillon&#8217;s suggestion.  Try anything between 64 and 128 on 4.0.5 REL or less at your own peril.  This issue should be fixed thereafter.</p>
]]></content:encoded>
		
			</item>
	</channel>
</rss>
