I'll have to look at that swapon source. The idea behind encrypted swap is
that it generates a new random key every time it boots, and you don't care
what it is because swap doesn't persist from boot to boot. Once the
partition has been mapped with the new encryption layer, you have to do
mkswap again because now without the key it looks like random bits. It
seems hazardous to do this automatically which is why it seems like a good
idea to be paranoid about making sure that it really is a swap partition.
My limited timings on an AES-encrypted swap partition suggest something
like a 5:1 slowdown, not good for swap, so maybe the Correct Answer is
forget swap and buy more RAM.
BTW dm_crypt is a module, not an app. It's a generic way to map devices
with an encryption layer. People use it for /home too. Supposed to be
better than cryptoloop. See http://www.saout.de/misc/dm-crypt/
Do we have any encryption experts here? Maybe this would all make an
interesting meeting talk.
On Fri, 5 Jan 2007, Alexey Toptygin wrote:
On Thu, 4 Jan 2007, J. Milgram wrote:
what I'm trying to do: I have an init script that sets up encrypted swap
using dm_crypt. The script has the device name (/dev/hda1, whatever)
hardwired into it. Should be obvious how dangerous this is - if the script
migrates to a machine where /dev/hda1 is /home, then disaster (I once did
mkswap on the wrong partition, and boy is it painful). So I want to add a
test. Maybe I need to look at the swapon source...
Swapon checks that mkswap has already left the right magic numbers at the
start of the partition before blowing anything away. I can't seem to find the
man page for dm_crypt on the web, is it more like mkswap or more like swapon?
It seems hard to believe that you'd need to run the equivalent of mkswap on
every boot...
Alexey
