====== Ubuntu - Swap - Create an encrypted swap area ======
To create an encrypted swap area.
The current recommended method for encrypting a Linux block device is to use the **dm-crypt** module. Configuration of dm-crypt is performed using a front-end such as **cryptsetup** or **cryptmount**, either would suffice in this case. cryptsetup will be used here on the grounds that there is less to configure.
**NOTE**: The content of a swap area is not required to survive a reboot, therefore a new random encryption key can be chosen each time the swap area is activated. This is both convenient and highly secure, avoiding the need to enter a passphrase at boot time.
A small complication is that the formatting performed by **mkswap** is lost whenever the key changes. It is therefore necessary to rerun mkswap after each key change but before attempting to activate the swap area. cryptsetup has the ability to do this automatically.
----
===== Install cryptsetup =====
First install the **cryptsetup** package if it is not already present. On Debian-based systems the package name is cryptsetup:
apt-get install cryptsetup
----
===== Deactivate the swap area =====
If the swap area is currently in use then you must deactivate it before proceeding:
swapoff -a
The **-a** option specifies that the command should act on all swap areas listed in **/etc/fstab**. If a swap area is active but not listed there then you can specify the relevant pathname explicitly:
swapoff /dev/sda2
To confirm that all swap areas have been deactivated, inspect the content of **/proc/meminfo**:
cat /proc/meminfo
Look for an entry labelled **SwapTotal**, which should now have a value of zero:
SwapTotal: 0 kB
----
===== Remove the swap area from /etc/fstab =====
If the swap area is listed in **/etc/fstab** then it must be removed in order to prevent it from being reactivated when the machine restarts. The entry may look similar to:
/dev/sda2 none swap defaults 0 0
or it may identify the swap area by UUID as opposed to its device name:
UUID=b74898a2-7324-4336-8556-92d82edf8999 none swap defaults 0 0
In either case you are looking for an entry in which the third field (the **filesystem** type) is listed as swap.
----
===== Optionally, wipe the swap area =====
If the swap area has previously held un-encrypted data then you may wish to wipe it before proceeding further. Overwriting with zeros should suffice for most purposes:
dd if=/dev/zero of=/dev/sda2
or you can use a more aggressive method if you prefer.
----
===== Add the swap area to /etc/crypttab =====
Mappings created using the cryptsetup command are non-persistent. To create a persistent mapping it must be listed in the file **/etc/crypttab**. A suitable entry would be:
swap /dev/sda2 /dev/urandom swap
The first field is the name of the block device that will be created in **/dev/mapper** to provide access to the swap area as plaintext. In this case the full pathname of the block device will be /dev/mapper/swap.
The second field is the pathname of an existing block device or file that will be used to store the ciphertext. In this case it is /dev/sda2.
The third field specifies where the encryption key should be obtained from. In this case a new random key is chosen each time the machine restarts.
The fourth field is a comma-separated list of options. In this case it specifies that **mkswap** should be run on the swap area each time the machine restarts.
The reason for obtaining the key from /dev/urandom as opposed to /dev/random is to prevent the boot sequence from stalling. If you read from /dev/urandom and there is not enough entropy in the pool to supply truly random data then it will produce pseudo-random data instead, whereas /dev/random will block until sufficient entropy has been gathered. The latter behavior is more secure, but potentially inconvenient if it happens while the machine is booting. Given the ephemeral nature of the swap area key, /dev/urandom is probably good enough for most users.
----
===== Activate the mapping =====
Mappings described in **/etc/crypttab** can be activated without rebooting the machine by means of the **cryptdisks_start** command:
cryptdisks_start swap
If that command is not available then an alternative method is to restart the cryptdisks service:
/etc/init.d/cryptdisks restart
If you now list the content of /dev/mapper:
ls -l /dev/mapper
you should be able to see the newly-created block device (/dev/mapper/swap):
total 0
crw-rw---- 1 root root 10, 59 2010-12-22 20:26 control
brw-rw---- 1 root disk 254, 0 2011-01-01 11:56 swap
----
===== Add the encrypted swap area to /etc/fstab =====
Arrange for the encrypted swap area to be activated on reboot by listing it in **/etc/fstab**. A suitable entry would be:
/dev/mapper/swap none swap defaults 0 0
----
===== Activate the encrypted swap area =====
Activate the encrypted swap area. This can be done without rebooting the machine using the **swapon** command:
swapon -a
As with **swapoff**, the **-a** option specifies that the command should act on all swap areas listed in **/etc/fstab**.
To confirm that all swap areas have been activated, inspect the content of /proc/meminfo again:
cat /proc/meminfo
The entry labelled **SwapTotal**, which previously had a value of zero, should now be equal to the size of the swap area:
SwapTotal: 1048568 kB
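The following script is an added example, not part of the original page: it checks the end state of the procedure above (a random-keyed crypttab mapping with the swap option, no raw swap entry left in fstab, and a non-zero SwapTotal). The functions read file contents from stdin; the sample inputs are constructed here to mirror the entries shown on this page.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check the result of the
# procedure above. Each function reads file contents from stdin, so it can be
# run against the constructed samples below or against the real /etc/crypttab,
# /etc/fstab and /proc/meminfo on a configured machine.

# 0 if the crypttab on stdin maps "$1" with a random key source and the
# "swap" option (so mkswap is rerun after every key change).
crypttab_swap_ok() {
    awk -v name="$1" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $1 == name && ($3 == "/dev/urandom" || $3 == "/dev/random") {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "swap") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# 0 if every swap entry in the fstab on stdin is a /dev/mapper device; a raw
# partition or UUID still listed as swap would reactivate plaintext swap.
fstab_swap_encrypted() {
    awk '/^[[:space:]]*#/ || NF < 3 { next }
         $3 == "swap" && $1 !~ /^\/dev\/mapper\// { bad = 1 }
         END { exit bad ? 1 : 0 }'
}

# Print the SwapTotal value (kB) from /proc/meminfo-style input on stdin.
swap_total_kb() {
    awk '$1 == "SwapTotal:" { print $2; exit }'
}

# Constructed samples mirroring the entries shown on this page.
SAMPLE_CRYPTTAB='# <target> <source> <key file> <options>
swap /dev/sda2 /dev/urandom swap'
SAMPLE_FSTAB_BEFORE='UUID=b74898a2-7324-4336-8556-92d82edf8999 none swap defaults 0 0'
SAMPLE_FSTAB_AFTER='/dev/mapper/swap none swap defaults 0 0'
SAMPLE_MEMINFO='MemTotal:        2048000 kB
SwapTotal:       1048568 kB'

printf '%s\n' "$SAMPLE_CRYPTTAB" | crypttab_swap_ok swap && echo "crypttab: ok"
printf '%s\n' "$SAMPLE_FSTAB_BEFORE" | fstab_swap_encrypted || echo "fstab: raw swap entry still listed"
printf '%s\n' "$SAMPLE_FSTAB_AFTER" | fstab_swap_encrypted && echo "fstab: ok"
echo "SwapTotal: $(printf '%s\n' "$SAMPLE_MEMINFO" | swap_total_kb) kB"
```

On a configured machine run the same checks against the live files, e.g. `crypttab_swap_ok swap < /etc/crypttab` and `fstab_swap_encrypted < /etc/fstab`.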