Rate this page

Create an encrypted swap area

Tested on

Debian (Etch, Lenny, Squeeze)
Ubuntu (Hardy, Intrepid, Jaunty, Karmic, Lucid, Maverick, Natty, Precise, Trusty)


To create an encrypted swap area


You have a machine that currently uses the block device /dev/sda2 as an unencrypted swap area with a capacity of 1GB. You wish to continue using this device but to encrypt all data written to it.



The current recommended method for encrypting a Linux block device is to use the dm-crypt module. Configuration of dm-crypt is performed using a front-end such as cryptsetup or cryptmount, either if which would suffice in this case. cryptsetup will be used here on the grounds that there is less to configure.

The content of a swap area is not required to survive a reboot, therefore a new random encryption key can be chosen each time the swap area is activated. This is both convenient and highly secure, avoiding the need to enter a passphrase at boot time.

A small complication is that the formatting performed by mkswap is lost whenever the key changes. It is therefore necessary to rerun mkswap after each key change but before attempting to activate the swap area. cryptsetup has the ability to do this automatically.

Install cryptsetup

First install the cryptsetup package if it is not already present. On Debian-based systems the package name is cryptsetup:

apt-get install cryptsetup

Deactivate the swap area

If the swap area is currently in use then you must deactivate it before proceeding:

swapoff -a

The -a option specifies that the command should act on all swap areas listed in /etc/fstab. If a swap area is active but not listed there then you can specify the relevant pathname explicitly:

swapoff /dev/sda2

To confirm that all swap areas have been deactivated, inspect the content of /proc/meminfo:

cat /proc/meminfo

Look for an entry labelled SwapTotal, which should now have a value of zero:

SwapTotal:           0 kB

Remove the swap area from /etc/fstab

If the swap area is listed in /etc/fstab then it must be removed in order to prevent it from being reactivated when the machine restarts. The entry may look similar to:

/dev/sda2 none swap defaults 0 0

or it may identify the swap area by UUID as opposed to its device name:

UUID=b74898a2-7324-4336-8556-92d82edf8999 none swap defaults 0 0

In either case you are looking for an entry in which the third field (the filesystem type) is listed as swap.

Optionally, wipe the swap area

If the swap area has previously held unencrypted data then you may wish to wipe it before proceeding further. Overwriting with zeros should suffice for most purposes:

dd if=/dev/zero of=/dev/sda2

or you can use a more aggressive method if you prefer.

Add the swap area to /etc/crypttab

Mappings created using the cryptsetup command are non-persistent. To create a persistent mapping it must be listed in the file /etc/crypttab. A suitable entry would be:

swap /dev/sda2 /dev/urandom swap

The first field is the name of the block device that will be created in /dev/mapper to provide access to the swap area as plaintext. In this case the full pathname of the block device will be /dev/mapper/swap.

The second field is the pathname of an existing block device or file that will be used to store the ciphertext. In this case it is /dev/sda2.

The third field specifies where the encryption key should be obtained from. In this case a new random key is chosen each time the machine restarts.

The fourth field is a comma-separated list of options. In this case it specifies that mkswap should be run on the swap area each time the machine restarts.

The reason for obtaining the key from /dev/urandom as opposed to /dev/random is to prevent the boot sequence from stalling. If you read from /dev/urandom and there is not enough entropy in the pool to supply truly random data then it will produce pseudo-random data instead, whereas /dev/random will block until sufficient entropy has been gathered. The latter behaviour is more secure, but potentially inconvenient if it happens while the machine is booting. Given the ephemeral nature of the swapfile key, /dev/urandom is probably good enough for most users.

Activate the mapping

Mappings described in /etc/crypttab can be activated without rebooting the machine by means of the cryptdisks_start command:

cryptdisks_start swap

If that command is not available then an alternative method is to restart the cryptdisks service:

/etc/init.d/cryptdisks restart

If you now list the content of /dev/mapper:

ls -l /dev/mapper

you should be able to see the newly-created block device (/dev/mapper/swap):

total 0
crw-rw---- 1 root root  10, 59 2010-12-22 20:26 control
brw-rw---- 1 root disk 254,  0 2011-01-01 11:56 swap

Add the encrypted swap area to /etc/fstab

Arrange for the encrypted swap area to be activated on reboot by listing it in /etc/fstab. A suitable entry would be:

/dev/mapper/swap none swap defaults 0 0

Activate the encryped swap area

Activate the encrypted swap area. This can be done without rebooting the machine using the swapon command:

swapon -a

As with swapoff, the -a option specifies that the command should act on all swap areas listed in /etc/fstab.

To confirm that all swap area has been activated, inspect the content of /proc/meminfo again:

cat /proc/meminfo

The entry labelled SwapTotal, which previously had a value of zero, should now be equal to the size of the swap area:

SwapTotal:     1048568 kB

Tags: crypt | swap