aelius Posted January 23, 2012 (edited)

Like the encryption of disk partitions, encryption of swap space is done to protect sensitive information. Imagine an application that e.g. deals with passwords. As long as these passwords stay in physical memory, all is well. However, if the operating system starts swapping out memory pages to free space for other applications, the passwords may be written to the disk platters unencrypted and easy to retrieve for an adversary. Encrypting swap space can be a solution for this scenario.

hp ~ # kldload geom_bde
hp ~ # swapinfo
Device          1K-blocks     Used    Avail Capacity
/dev/ad0s1b       4194304        0  4194304     0%
hp ~ # swapoff /dev/ad0s1b
hp ~ # swapinfo
Device          1K-blocks     Used    Avail Capacity
hp ~ # grep swap /etc/fstab
/dev/ad0s1b    none    swap    sw    0    0
hp ~ # kldstat |grep geom
 7    1 0xd94f1000 d000     geom_bde.ko
hp ~ # geli onetime -e blowfish -l 128 -s 4096 -d ad0s1b
hp ~ # swapon /dev/ad0s1b.eli
hp ~ # swapinfo
Device          1K-blocks     Used    Avail Capacity
/dev/ad0s1b.eli   4194304        0  4194304     0%
hp ~ #
hp ~ # geli list
Geom name: ad0s1b.eli
EncryptionAlgorithm: Blowfish-CBC
KeyLength: 128
Crypto: software
Flags: ONETIME, W-DETACH, W-OPEN
Providers:
1. Name: ad0s1b.eli
   Mediasize: 4294967296 (4.0G)
   Sectorsize: 4096
   Mode: r1w1e0
Consumers:
1. Name: ad0s1b
   Mediasize: 4294967296 (4.0G)
   Sectorsize: 512
   Mode: r1w1e1

Replace "/dev/ad0s1b" with "/dev/ad0s1b.eli" in "/etc/fstab" (you can also do this with nano, vi, joe or your preferred editor):

hp ~ # perl -pi -e 's/\/dev\/ad0s1b/\/dev\/ad0s1b.eli/' /etc/fstab
hp ~ # grep swap /etc/fstab
/dev/ad0s1b.eli    none    swap    sw    0    0
hp ~ #

Notes:
- Do not forget to add geom_eli_load="YES" in "/boot/loader.conf"
- Howto inspired by the FreeBSD Handbook, Chapter 19 Storage => Encrypting Swap Space.
- For more info, please do 'man geli' (or, you can read here.)
- Screenshot with 'geli list'.
- This howto was published on rtfm dot ro (date: May 11, 2010, 16:40)

Edited January 23, 2012 by aelius
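An added example, not part of the original post: a few POSIX shell helpers for the fstab step of this howto. They do the same edit as the perl one-liner but only on the swap line, stay safe to re-run, and add a check over swapinfo output for any active swap device that is still not a .eli provider. The device names and the fstab/swapinfo samples are constructed; the helpers assume the FreeBSD fstab and swapinfo column layouts shown above.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers for the fstab step of the
# howto: rewrite only the swap entry, stay idempotent, and audit swap devices.
# Assumes the FreeBSD fstab layout (device mountpoint fstype options dump pass)
# and the swapinfo column layout shown in the post.

# eli_swap_fstab DEVICE FILE
# Point the swap entry for DEVICE at DEVICE.eli. Unlike the perl one-liner,
# only lines whose third field is "swap" and whose first field is exactly
# DEVICE are changed, so running it twice does not produce "ad0s1b.eli.eli",
# and a UFS entry on a sibling slice (e.g. /dev/ad0s1a) is never touched.
eli_swap_fstab() {
    dev=$1
    file=$2
    tmp="${file}.tmp.$$"
    awk -v dev="$dev" '
        $3 == "swap" && $1 == dev { sub(/^[^ \t]+/, dev ".eli") }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# swap_entries_encrypted FILE
# Succeeds (exit 0) only when every swap line in FILE uses a .eli provider.
swap_entries_encrypted() {
    awk 'BEGIN { bad = 0 }
         $3 == "swap" && $1 !~ /\.eli$/ { bad = 1 }
         END { exit bad }' "$1"
}

# unencrypted_swap < swapinfo-output
# Print each active swap device that is not a geli provider; empty output means
# all swap currently in use is encrypted. Run as: swapinfo | unencrypted_swap
unencrypted_swap() {
    awk 'NR > 1 && $1 ~ /^\/dev\// && $1 !~ /\.eli$/ { print $1 }'
}

# Demonstration on a constructed fstab copy (not the real /etc/fstab).
demo_fstab=$(mktemp)
printf '%s\n' '/dev/ad0s1a  /     ufs   rw  1 1' \
              '/dev/ad0s1b  none  swap  sw  0 0' > "$demo_fstab"
eli_swap_fstab /dev/ad0s1b "$demo_fstab"
cat "$demo_fstab"
rm -f "$demo_fstab"
```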