19.15. Encrypting Swap Space

Written by Christian Brüffer.

Like the encryption of disk partitions, encryption of swap space is used to protect sensitive information. Consider an application that handles passwords. As long as those passwords stay in physical memory they are never written to disk and are gone after a reboot. If FreeBSD starts swapping out memory pages to free space for other applications, however, the pages holding the passwords may be written to the disk unencrypted, where they survive a reboot and can be recovered later. Encrypting swap space addresses this scenario.

The gbde(8) or geli(8) encryption systems may be used for swap encryption. Both systems use the encswap rc.d script.

Note:

For the remainder of this section, ad0s1b will be the swap partition.

Swap partitions are not encrypted by default and should be cleared of any sensitive data before continuing. To overwrite the current swap partition with random data, execute the following command:

# dd if=/dev/random of=/dev/ad0s1b bs=1m

19.15.1. Swap Encryption with gbde(8)

The .bde suffix should be added to the device in the respective /etc/fstab swap line:

# Device		Mountpoint	FStype	Options		Dump	Pass#
/dev/ad0s1b.bde		none		swap	sw		0	0

19.15.2. Swap Encryption with geli(8)

The procedure for instead using geli(8) for swap encryption is similar to that of using gbde(8). The .eli suffix should be added to the device in the respective /etc/fstab swap line:

# Device		Mountpoint	FStype	Options		Dump	Pass#
/dev/ad0s1b.eli		none		swap	sw		0	0

geli(8) uses the AES algorithm with a 128-bit key by default. These defaults can be altered with geli_swap_flags in /etc/rc.conf. The following line tells the encswap rc.d script to create geli(8) swap partitions using the Blowfish algorithm with a 128-bit key and a sector size of 4 kilobytes, and sets "detach on last close":

geli_swap_flags="-e blowfish -l 128 -s 4096 -d"

Refer to the description of onetime in geli(8) for a list of possible options.

19.15.3. Encrypted Swap Verification

Once the system has rebooted, proper operation of the encrypted swap can be verified with swapinfo(8): the listed swap device should carry the .bde or .eli suffix.

If gbde(8) is being used:

% swapinfo
Device          1K-blocks     Used    Avail Capacity
/dev/ad0s1b.bde    542720        0   542720     0%

If geli(8) is being used:

% swapinfo
Device          1K-blocks     Used    Avail Capacity
/dev/ad0s1b.eli    542720        0   542720     0%
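The following script is an added example and is not part of the FreeBSD Handbook or of the encswap rc.d script. It turns the /etc/fstab step and the swapinfo(8) verification above into an audit that can be run on any host: it reports swap entries in an fstab that are not .bde or .eli providers, reports active swap devices from swapinfo(8) output that are not encrypted, and can emit a corrected fstab with the chosen suffix appended. The fstab and swapinfo lines embedded at the bottom are constructed sample data based on the ad0s1b example in the text; on a real system feed it /etc/fstab and the live swapinfo output instead.

```shell
#!/bin/sh
# Added example (not from the FreeBSD Handbook): audit that swap is
# encrypted, both as configured in /etc/fstab and as currently active
# according to swapinfo(8). A swap device counts as encrypted when it is
# a .bde (gbde) or .eli (geli) provider.
#
# Real-system usage:
#     fstab_unencrypted_swap < /etc/fstab
#     swapinfo | swapinfo_unencrypted
#     fstab_add_swap_suffix .eli < /etc/fstab > /tmp/fstab.new

# Read an fstab on stdin; print each swap device that is not a .bde/.eli
# provider. Exit status 1 if any were printed, 0 otherwise.
fstab_unencrypted_swap() {
    awk '
        /^[[:space:]]*#/ || NF < 3 { next }            # comments, blank lines
        $3 == "swap" && $1 !~ /\.(bde|eli)$/ { print $1; bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}

# Read swapinfo(8) output on stdin; same check on the active swap devices.
# Line 1 is the column header; a "Total" line appears with several devices.
swapinfo_unencrypted() {
    awk '
        NR == 1 || $1 == "Total" { next }
        $1 !~ /\.(bde|eli)$/ { print $1; bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}

# Read an fstab on stdin and write it to stdout with the given suffix
# (".eli" or ".bde") appended to every unencrypted swap device. Comments
# and non-swap lines pass through unchanged; rewritten lines are emitted
# tab-separated. Review the result before installing it as /etc/fstab.
fstab_add_swap_suffix() {
    awk -v sfx="$1" '
        BEGIN { OFS = "\t" }
        /^[[:space:]]*#/ || NF < 3 { print; next }
        $3 == "swap" && $1 !~ /\.(bde|eli)$/ { $1 = $1 sfx }
        { print }
    '
}

# --- Constructed sample data for a stand-alone run -----------------------

# The unencrypted "before" state of the fstab from the text.
SAMPLE_FSTAB='# Device        Mountpoint  FStype  Options  Dump  Pass#
/dev/ad0s1a     /           ufs     rw       1     1
/dev/ad0s1b     none        swap    sw       0     0'

# swapinfo output as it should look after the geli reboot.
SAMPLE_SWAPINFO='Device          1K-blocks     Used    Avail Capacity
/dev/ad0s1b.eli    542720        0   542720     0%'

if printf '%s\n' "$SAMPLE_FSTAB" | fstab_unencrypted_swap >/dev/null; then
    echo "fstab: all swap entries are encrypted providers"
else
    echo "fstab: unencrypted swap found; proposed replacement:"
    printf '%s\n' "$SAMPLE_FSTAB" | fstab_add_swap_suffix .eli
fi

if printf '%s\n' "$SAMPLE_SWAPINFO" | swapinfo_unencrypted >/dev/null; then
    echo "swapinfo: all active swap devices are encrypted"
else
    echo "swapinfo: unencrypted swap device is active"
fi
```

Running the audit on the fstab and on swapinfo(8) output are separate checks on purpose: the fstab check catches a missing suffix before the reboot, while the swapinfo check confirms that encswap actually attached the provider afterwards, which is the state that matters for what lands on the disk.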

This document, and others, can be found at ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/

For questions about FreeBSD, read the documentation before contacting <questions@FreeBSD.org>.

For questions about this documentation, e-mail <doc@FreeBSD.org>.