Experimental automatic encryption of swap is now available in DragonFly-master. It was added recently, though it may have been possible another way.
One Reply to “Automatic encryption of swap”
Comments are closed.
Cool. I feel kind of responsible. ;)
The problem I had with the way the installer sets up encrypted swap is that it requires LUKS, so the key material must be entered at every boot. While that certainly has its place, it’s not so great for remote/headless boxes.
Regarding the link to “may have been possible another way,” it was definitely possible another way, but not the way described there. The way described there works fine in Linux, where crypttab(5) has support for such a method, but dfly’s crypttab(5) implementation *requires* LUKS (i.e. it has zero support for plain dm-crypt). So, to achieve random crypted swap on dfly in absence of this new, more elegant fstab feature, I had to do the following because of dfly’s crypttab(5) limitations.
1) Add the noauto option to the swap partition in /etc/fstab.
2) Create /etc/rc.local containing the following two commands…
cryptsetup --key-file /dev/urandom --key-size 128 create swap /dev/vbd0s1b
swapon /dev/mapper/swap
And note that using a key size much smaller will reliably panic dfly 4.0.5 REL. I found that 64 bytes was quite reliable. I jumped to 128 bytes at dillon’s suggestion. Try anything between 64 and 128 on 4.0.5 REL or less at your own peril. This issue should be fixed thereafter.
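
A check for step 1 of the procedure in the comment above, as an added example that is not part of the original post or comment: it scans an fstab for swap entries that lack noauto and would therefore be enabled unencrypted at boot. The function name and the sample fstab are constructed for illustration, and treating /dev/mapper/ entries as already encrypted is an assumption.

```shell
#!/bin/sh
# Added example: audit an fstab for swap entries that the boot scripts
# would enable on the raw partition, bypassing the dm-crypt mapping
# that rc.local sets up later.

# plaintext_swap_entries FILE
# Prints the device of every swap entry that is not marked noauto.
# Returns 1 if at least one such entry exists, 0 otherwise.
plaintext_swap_entries() {
    awk '
        NF < 4 || $1 ~ /^#/ { next }        # blank, short or comment lines
        $3 != "swap"        { next }        # only swap entries matter
        $1 ~ /^\/dev\/mapper\// { next }    # assumption: mapped device is crypted
        {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "noauto") next   # step 1 was applied
            print $1
            found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample fstab; only the swap device name comes from the comment.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Device        Mountpoint  FStype  Options  Dump  Pass#
/dev/vbd0s1a    /           ufs     rw       1     1
/dev/vbd0s1b    none        swap    sw       0     0
EOF

plaintext_swap_entries "$sample" ||
    echo "the swap entries listed above are enabled unencrypted at boot"
rm -f "$sample"
```
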