Thanks Matt, this is a really nice improvement! I'll try it when I get back from vacation next week.

Tim

On Sat, May 16, 2015 at 2:04 PM, Matthew Dillon <[email protected]> wrote:
> A more sophisticated encrypted swap using LUKS was already available and
> could be set up via the installer, capable of encrypting swap and dumps.
> Manual configuration through luks is a bit messy though.
>
> This feature provides a simpler way to just encrypt swap with a random key
> via /etc/fstab, perhaps as a preface to potentially implementing more
> sophisticated crypto features in /etc/fstab in the future that use dm-crypt
> directly and bypass LUKS.
>
> The master branch now has experimental automatic crypting of swap available.
> If using master, simply recompile and reinstall the /usr/src/sbin/swapon
> utility and then specify 'crypt' as a swap option in your /etc/fstab.
> For example:
>
> # Device        Mountpoint  FStype  Options        Dump  Pass#
> /dev/da0s1b     none        swap    sw,crypt,trim  0     0
>
> This will cause the appropriate /dev/mapper/swap-* crypto device to be created
> and swap operations to automatically be encrypted with a random key on boot.
>
> Note that this feature doesn't help with kernel dumps since a random key
> is used on each boot. Kernel dumps can still be used, unsecured, by
> specifying the base device (e.g. /dev/da0s1b) for dumpon.
>
> This feature is considered experimental for the moment as it has not yet been
> validated for low-memory or swapcache operation. But it should work well.
>
> -Matt
> Matthew Dillon
> <[email protected]>
>
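
Added example, not part of the original thread and not DragonFly's own tooling: a small sh function that reads an fstab-format file and reports, for each swap entry, whether it carries the 'crypt' option described in the quoted message. The function names and the sample fstab contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit swap entries in an fstab-format file for the
# 'crypt' option. Names below are hypothetical, not part of swapon.

# audit_swap_crypt FILE
# Prints "<device> crypt" or "<device> plain" for every swap entry.
# Returns 1 if at least one swap entry lacks 'crypt', 0 otherwise.
audit_swap_crypt() {
    awk '
        /^[[:space:]]*#/ { next }      # skip comment lines
        NF < 4           { next }      # skip blank or malformed lines
        $3 != "swap"     { next }      # only entries with FStype swap
        {
            state = "plain"
            n = split($4, opts, ",")   # match whole options, not substrings
            for (i = 1; i <= n; i++)
                if (opts[i] == "crypt") state = "crypt"
            print $1, state
            if (state == "plain") bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample input (not taken from a real system).
sample_fstab() {
    cat <<'EOF'
# Device        Mountpoint  FStype  Options        Dump  Pass#
/dev/da0s1a     /           hammer  rw             1     1
/dev/da0s1b     none        swap    sw,crypt,trim  0     0
/dev/da1s1b     none        swap    sw,trim        0     0
#/dev/da2s1b    none        swap    sw             0     0
EOF
}

# Demo: audit the file given as $1, or the constructed sample if none.
tmp=$(mktemp) && sample_fstab > "$tmp"
audit_swap_crypt "${1:-$tmp}" || echo "at least one swap entry is not encrypted"
rm -f "$tmp"
```

Run it with /etc/fstab as the argument to audit a live configuration; a non-zero return from audit_swap_crypt makes it usable as a check in a provisioning script.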
