Like the encryption of disk partitions, encryption of swap space is used to protect sensitive information. Consider an application that deals with passwords. As long as these passwords stay in physical memory, they are not written to disk and will be cleared after a reboot. However, if FreeBSD starts swapping out memory pages to free space, the passwords may be written to the disk unencrypted. Encrypting swap space can be a solution for this scenario.
This section demonstrates how to configure an encrypted
swap partition using gbde(8) or geli(8) encryption.
It assumes that
/dev/ada0s1b is the swap partition.
Swap partitions are not encrypted by default and should be cleared of any sensitive data before continuing. To overwrite the current swap partition with random garbage, execute the following command:
#dd if=/dev/random of=/dev/ada0s1bbs=1m
To encrypt the swap partition using gbde(8), add the
.bde suffix to the swap line in
/etc/fstab:
# Device Mountpoint FStype Options Dump Pass# /dev/ada0s1b.bde none swap sw 0 0
To instead encrypt the swap partition using geli(8),
use the
.eli suffix:
# Device Mountpoint FStype Options Dump Pass# /dev/ada0s1b.eli none swap sw 0 0
By default, geli(8) uses the AES
algorithm with a key length of 128 bits. Normally the default
settings will suffice. If desired, these defaults can be
altered in the options field in
/etc/fstab. The possible flags
are:
Data integrity verification algorithm used to ensure that the encrypted data has not been tampered with. See geli(8) for a list of supported algorithms.
Encryption algorithm used to protect the data. See geli(8) for a list of supported algorithms.
The length of the key used for the encryption algorithm. See geli(8) for the key lengths that are supported by each encryption algorithm.
The size of the blocks data is broken into before it is encrypted. Larger sector sizes increase performance at the cost of higher storage overhead. The recommended size is 4096 bytes.
This example configures an encrypted swap partition using the Blowfish algorithm with a key length of 128 bits and a sectorsize of 4 kilobytes:
# Device Mountpoint FStype Options Dump Pass# /dev/ada0s1b.eli none swap sw,ealgo=blowfish,keylen=128,sectorsize=4096 0 0
Once the system has rebooted, proper operation of the
encrypted swap can be verified using
swapinfo.
If gbde(8) is being used:
%swapinfoDevice 1K-blocks Used Avail Capacity /dev/ada0s1b.bde 542720 0 542720 0%
If geli(8) is being used:
%swapinfoDevice 1K-blocks Used Avail Capacity /dev/ada0s1b.eli 542720 0 542720 0%
All FreeBSD documents are available for download at https://download.freebsd.org/ftp/doc/
Questions that are not answered by the
documentation may be
sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.