I just learned about this, it is very simple and secure.
Swap is only there to store overflow memory during boot. A reboot should not keep any swap. Aka, swap needs to be encrypted.
If it isnt, even if you dont encrypt your disk, stuff like decrypted password databases stored in memory could overflow to swap and cause data leaks.
The setup
- format a swap partition with a simple linux filesystem. It should have no CoW, checksumming, journaling etc, as these cause slowdowns and make no sense for swap
- examples: EXT2, maybe F2FS too. Others work too but are less performant.
- encrypt swap with dm-crypt on every boot, using a random key from /dev/urandom. This ensures password strength and avoids cracking the swap in the future, as the key always changes!
It is so easy.
Use such a file, in /etc/dmcrypt
https://codeberg.org/Inferencium/cfg/src/branch/stable/aa000-0/dmcrypt
# Inferencium - aa000-0
# dm-crypt - Configuration
# Version: 3.0.0
# Copyright 2023 Jake Winters
# SPDX-License-Identifier: BSD-3-Clause
# Global
## How long to wait for each timeout (in seconds)
dmcrypt_key_timeout="1"
## Max number of checks to perform (see dmcrypt_key_timeout)
#dmcrypt_max_timeout="300"
# Number of password retries
dmcrypt_retries="5"
# swap
## These should come first so no keys make their way into unencrypted swap.
swap="swap"
source="PARTUUID=[REDACTED]"
options="--offset 2048 --cipher aes-xts-plain64 --key-size 512 --key-file /dev/urandom"
In /etc/fstab, the linux partition should be registered as swap. zram (zstd compressed swap) should also work. This will ensure that the partition is mounted to be used as swap.
I am not sure about the implementation yet, but it is a simple and important fix
I just learned about this, it is very simple and secure.
Swap is only there to store overflow memory during boot. A reboot should not keep any swap. Aka, swap needs to be encrypted.
If it isnt, even if you dont encrypt your disk, stuff like decrypted password databases stored in memory could overflow to swap and cause data leaks.
### The setup
- format a swap partition with a simple linux filesystem. It should have no CoW, checksumming, journaling etc, as these cause slowdowns and make no sense for swap
- examples: EXT2, maybe F2FS too. Others work too but are less performant.
- encrypt swap with dm-crypt on every boot, using a random key from /dev/urandom. This ensures password strength and avoids cracking the swap in the future, as the key always changes!
It is so easy.
Use such a file, in `/etc/dmcrypt`
https://codeberg.org/Inferencium/cfg/src/branch/stable/aa000-0/dmcrypt
```
# Inferencium - aa000-0
# dm-crypt - Configuration
# Version: 3.0.0
# Copyright 2023 Jake Winters
# SPDX-License-Identifier: BSD-3-Clause
# Global
## How long to wait for each timeout (in seconds)
dmcrypt_key_timeout="1"
## Max number of checks to perform (see dmcrypt_key_timeout)
#dmcrypt_max_timeout="300"
# Number of password retries
dmcrypt_retries="5"
# swap
## These should come first so no keys make their way into unencrypted swap.
swap="swap"
source="PARTUUID=[REDACTED]"
options="--offset 2048 --cipher aes-xts-plain64 --key-size 512 --key-file /dev/urandom"
```
In /etc/fstab, the linux partition should be registered as swap. zram (zstd compressed swap) should also work. This will ensure that the partition is mounted to be used as swap.
---
I am not sure about the implementation yet, but it is a simple and important fix