Like the encryption of disk partitions, encryption of swap space is used to protect sensitive information. Consider an application that deals with passwords. As long as these passwords stay in physical memory, they are not written to disk and will be cleared after a reboot. However, if FreeBSD starts swapping out memory pages to free space, the passwords may be written to the disk unencrypted. Encrypting swap space can be a solution for this scenario.
Swap partitions are not encrypted by default and should be cleared of any sensitive data before continuing. To overwrite the current swap partition with random garbage, execute the following command:
dd if=/dev/random of=/dev/
To encrypt the swap partition using gbde(8), add the
.bde suffix to the swap line in
# Device Mountpoint FStype Options Dump Pass# /dev/ada0s1b.bde none swap sw 0 0
To instead encrypt the swap partition using geli(8),
# Device Mountpoint FStype Options Dump Pass# /dev/ada0s1b.eli none swap sw 0 0
By default, geli(8) uses the AES
algorithm with a key length of 128 bits. Normally the default
settings will suffice. If desired, these defaults can be
altered in the options field in
/etc/fstab. The possible flags
Data integrity verification algorithm used to ensure that the encrypted data has not been tampered with. See geli(8) for a list of supported algorithms.
Encryption algorithm used to protect the data. See geli(8) for a list of supported algorithms.
The length of the key used for the encryption algorithm. See geli(8) for the key lengths that are supported by each encryption algorithm.
The size of the blocks data is broken into before it is encrypted. Larger sector sizes increase performance at the cost of higher storage overhead. The recommended size is 4096 bytes.
This example configures an encryped swap partition using the Blowfish algorithm with a key length of 128 bits and a sectorsize of 4 kilobytes:
# Device Mountpoint FStype Options Dump Pass# /dev/ada0s1b.eli none swap sw,ealgo=blowfish,keylen=128,sectorsize=4096 0 0
Once the system has rebooted, proper operation of the
encrypted swap can be verified using
If gbde(8) is being used:
swapinfoDevice 1K-blocks Used Avail Capacity /dev/ada0s1b.bde 542720 0 542720 0%
If geli(8) is being used:
swapinfoDevice 1K-blocks Used Avail Capacity /dev/ada0s1b.eli 542720 0 542720 0%