Like the encryption of disk partitions, encryption of swap space is used to protect sensitive information. Consider an application that handles passwords. As long as those passwords stay in physical memory they are never written to disk, and they are cleared on reboot. If FreeBSD starts swapping out memory pages to free space for other applications, however, the passwords may be written to the disk platters unencrypted. Encrypting swap space addresses this scenario.
The gbde(8) or geli(8) encryption systems may be used for swap encryption. Both systems use the encswap rc.d script. For the remainder of this section, ad0s1b will be the swap partition.
Swap partitions are not encrypted by default and should be cleared of any sensitive data before continuing. To overwrite the current swap partition with random garbage, execute the following command:

# dd if=/dev/random of=/dev/ad0s1b bs=1m
For gbde(8), the .bde suffix should be added to the device in the respective /etc/fstab swap line:
The procedure for instead using geli(8) for swap encryption is similar to that of using gbde(8). The .eli suffix should be added to the device in the respective /etc/fstab swap line:
geli(8) uses the AES algorithm with a key length of 128 bits by default. These defaults can be altered by setting geli_swap_flags in /etc/rc.conf. The following line tells the encswap rc.d script to create geli(8) swap partitions using the Blowfish algorithm with a key length of 128 bits and a sector size of 4 kilobytes, and sets “detach on last close”:
Refer to the description of onetime in geli(8) for a list of possible options.
Once the system has rebooted, proper operation of the encrypted swap can be verified using swapinfo.
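The /etc/fstab entries described above and the swapinfo output can also be audited automatically. The following shell script is an added example, not part of the Handbook or of FreeBSD: it flags any swap device that lacks the .bde or .eli suffix, reading fstab and swapinfo(8)-style text from stdin so it runs here on constructed samples (the ad0s1b device name follows this section).

```shell
#!/bin/sh
# Added example (not FreeBSD's own code): report swap that is not backed by a
# gbde(8) (.bde) or geli(8) (.eli) device. On a live host run:
#   check_fstab_swap < /etc/fstab
#   swapinfo | check_swapinfo

# Print fstab entries of type "swap" whose device lacks .bde/.eli.
# Exit status 1 if any were found, 0 otherwise. Comment lines are skipped.
check_fstab_swap() {
    awk '$1 !~ /^#/ && $3 == "swap" && $1 !~ /\.(bde|eli)$/ {
             print "fstab: unencrypted swap device " $1; bad = 1
         }
         END { exit (bad ? 1 : 0) }'
}

# Same test on swapinfo(8) output: skip the header line and any Total line.
check_swapinfo() {
    awk 'NR > 1 && $1 != "Total" && $1 !~ /\.(bde|eli)$/ {
             print "swapinfo: unencrypted swap device " $1; bad = 1
         }
         END { exit (bad ? 1 : 0) }'
}

# Constructed samples (hypothetical; not captured from a real system).
FSTAB_OK='# Device          Mountpoint  FStype  Options  Dump  Pass
/dev/ad0s1a       /           ufs     rw       1     1
/dev/ad0s1b.eli   none        swap    sw       0     0'
FSTAB_BAD='/dev/ad0s1b   none   swap   sw   0   0'

SWAPINFO_OK='Device 1K-blocks Used Avail Capacity
/dev/ad0s1b.eli 542720 0 542720 0%'
SWAPINFO_BAD='Device 1K-blocks Used Avail Capacity
/dev/ad0s1b 542720 0 542720 0%'
```

Both functions exit non-zero when unencrypted swap is present, so they can be dropped into a periodic or monitoring check.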
If gbde(8) is being used:

% swapinfo
Device 1K-blocks Used Avail Capacity
/dev/ad0s1b.bde 542720 0 542720 0%

If geli(8) is being used:
% swapinfo
Device 1K-blocks Used Avail Capacity
/dev/ad0s1b.eli 542720 0 542720 0%

All FreeBSD documents are available for download at http://ftp.FreeBSD.org/pub/FreeBSD/doc/
Questions that are not answered by the documentation may be sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.