18.14. Encrypting Swap

Written by Christian Brüffer.

Like the encryption of disk partitions, encryption of swap space is used to protect sensitive information. Consider an application that deals with passwords. As long as these passwords stay in physical memory, they are not written to disk and will be cleared after a reboot. However, if FreeBSD starts swapping out memory pages to free space, the passwords may be written to the disk unencrypted. Encrypting swap space can be a solution for this scenario.

This section demonstrates how to configure an encrypted swap partition using gbde(8) or geli(8) encryption. It assumes a UFS file system where /dev/ad0s1b is the swap partition.

18.14.1. Configuring Encrypted Swap

Swap partitions are not encrypted by default and should be cleared of any sensitive data before continuing. To overwrite the current swap partition with random garbage, execute the following command:

# dd if=/dev/random of=/dev/ad0s1b bs=1m

To encrypt the swap partition using gbde(8), add the .bde suffix to the swap line in /etc/fstab:

# Device		Mountpoint	FStype	Options		Dump	Pass#
/dev/ad0s1b.bde		none		swap	sw		0	0

To instead encrypt the swap partition using geli(8), use the .eli suffix:

# Device		Mountpoint	FStype	Options		Dump	Pass#
/dev/ad0s1b.eli		none		swap	sw		0	0

By default, geli(8) uses the AES algorithm with a key length of 128 bit. These defaults can be altered by using geli_swap_flags in /etc/rc.conf. The following flags configure encryption using the Blowfish algorithm with a key length of 128 bits and a sectorsize of 4 kilobytes, and sets detach on last close:

geli_swap_flags="-e blowfish -l 128 -s 4096 -d"

Refer to the description of onetime in geli(8) for a list of possible options.

18.14.2. Encrypted Swap Verification

Once the system has rebooted, proper operation of the encrypted swap can be verified using swapinfo.

If gbde(8) is being used:

% swapinfo
Device          1K-blocks     Used    Avail Capacity
/dev/ad0s1b.bde    542720        0   542720     0%

If geli(8) is being used:

% swapinfo
Device          1K-blocks     Used    Avail Capacity
/dev/ad0s1b.eli    542720        0   542720     0%

All FreeBSD documents are available for download at http://ftp.FreeBSD.org/pub/FreeBSD/doc/

Questions that are not answered by the documentation may be sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.