19.15. Encrypting Swap Space
Prev Chapter 19. Storage Next

19.15. Encrypting Swap Space

Written by Christian Brüffer.

Like the encryption of disk partitions, encryption of swap space is used to protect sensitive information. Consider an application that deals with passwords. As long as these passwords stay in physical memory, these passwords will not be written to disk and be cleared after a reboot. If FreeBSD starts swapping out memory pages to free space for other applications, the passwords may be written to the disk platters unencrypted. Encrypting swap space can be a solution for this scenario.

The gbde(8) or geli(8) encryption systems may be used for swap encryption. Both systems use the encswap rc.d script.

Note:

For the remainder of this section, ad0s1b will be the swap partition.

Swap partitions are not encrypted by default and should be cleared of any sensitive data before continuing. To overwrite the current swap parition with random garbage, execute the following command:

# dd if=/dev/random of=/dev/ad0s1b bs=1m

19.15.1. Swap Encryption with gbde(8)

The .bde suffix should be added to the device in the respective /etc/fstab swap line:

# Device Mountpoint FStype Options Dump Pass# /dev/ad0s1b.bde none swap sw 0 0

19.15.2. Swap Encryption with geli(8)

The procedure for instead using geli(8) for swap encryption is similar to that of using gbde(8). The .eli suffix should be added to the device in the respective /etc/fstab swap line:

# Device Mountpoint FStype Options Dump Pass# /dev/ad0s1b.eli none swap sw 0 0

geli(8) uses the AES algorithm with a key length of 128 bit by default. These defaults can be altered by using geli_swap_flags in /etc/rc.conf. The following line tells the encswap rc.d script to create geli(8) swap partitions using the Blowfish algorithm with a key length of 128 bits and a sectorsize of 4 kilobytes, and sets detach on last close:

geli_swap_flags="-e blowfish -l 128 -s 4096 -d"

Refer to the description of onetime in geli(8) for a list of possible options.

19.15.3. Encrypted Swap Verification

Once the system has rebooted, proper operation of the encrypted swap can be verified using swapinfo.

If gbde(8) is being used:

% swapinfo Device 1K-blocks Used Avail Capacity /dev/ad0s1b.bde 542720 0 542720 0%

If geli(8) is being used:

% swapinfo Device 1K-blocks Used Avail Capacity /dev/ad0s1b.eli 542720 0 542720 0%
Prev Up Next
19.14. Encrypting Disk Partitions Home 19.16. Highly Available Storage (HAST)

All FreeBSD documents are available for download at http://ftp.FreeBSD.org/pub/FreeBSD/doc/

Questions that are not answered by the documentation may be sent to <freebsd-questions@FreeBSD.org>.

Send questions about this document to <freebsd-doc@FreeBSD.org>.