How to configure encrypted swap

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 5, 6, 7, and 8

Issue

  • Need to configure encrypted swap space
  • Need best-practice recommendations on encrypting swap
  • I got encrypted swap configured by the installer, but it asks for a passphrase after reboots. How can I switch to an encrypted swap that uses a random key?

Resolution

WARNING: DO NOT PUT ENCRYPTED SWAP ON PLAIN SCSI DEVICES LIKE /dev/sda, /dev/vdb

The most secure method for encrypting swap (recommended in this solution) involves automatically re-initializing swap on each boot: both the passphrase-less [1] encryption provided by cryptsetup and the formatting provided by mkswap. For this reason, there is no crypt_LUKS UUID to be used in /etc/crypttab for opening the device. This could lead to a dangerous situation with plain SCSI devices like /dev/sda or /dev/vdb [2]: whatever device happens to carry that name at boot is encrypted with a fresh random key and formatted as swap, destroying its contents. Instead, make sure to use devices with deterministic names, e.g. LVM logical volumes, /dev/mapper/... multipath storage, or GPT-formatted partitions referenced by PARTUUID [3].

STEPS TO CONFIGURE ENCRYPTED SWAP

  1. Determine what device to use
    As mentioned above, this should be an LVM logical volume (e.g., /dev/VG/LV) or a multipath map (e.g., /dev/mapper/mpath1)
    From here on in this document, this will be referred to as DEV

  2. Choose a name for the dm-device which will offer a decrypted view of DEV
    From here on in this document, this will be referred to as MAPPING
    This name is completely arbitrary; however, it will be used to form the full path to the swap device, i.e., /dev/mapper/MAPPING
    Examples:

    • swaplogvol
    • encswap1
    • mpathedswap1
  3. Add a new entry to /etc/crypttab in the form "MAPPING DEV /dev/urandom swap"
    Examples:

    • echo "swaplogvol /dev/volgroup/swaplogvol /dev/urandom swap" >>/etc/crypttab
    • echo "encswap1 /dev/mapper/volgroup-swaplv /dev/urandom swap" >>/etc/crypttab
    • echo "mpathedswap1 /dev/mapper/mpath1 /dev/urandom swap" >>/etc/crypttab
  4. Add a new entry to /etc/fstab to activate the swap device /dev/mapper/MAPPING
    Again, a UUID (the usual practice in /etc/fstab) will not work in this case, because mkswap runs on every boot and writes a new UUID each time; reference the mapped path instead
    Examples:

    • echo "/dev/mapper/swaplogvol swap swap defaults 0 0" >>/etc/fstab
    • echo "/dev/mapper/encswap1 swap swap defaults 0 0" >>/etc/fstab
    • echo "/dev/mapper/mpathedswap1 swap swap defaults 0 0" >>/etc/fstab
  5. If the volume was already used with encrypted swap: remove these references
    These additional steps are required if encrypted swap is not set up "from zero" but the volume was already in use, for example because encrypted swap was set up in the installer; with that setup you are asked for a passphrase after each reboot.

    # First, disable the existing swap on the installer-created mapping:
    swapoff /dev/mapper/swaplogvol
    # Close the LUKS mapping so the underlying volume can be written to:
    cryptsetup luksClose swaplogvol
    # Next, overwrite the LUKS signature. The LUKS header lives on the
    # underlying volume (DEV from step 1), not on the opened mapping:
    dd if=/dev/zero of=/dev/volgroup/swaplogvol bs=1024k count=1
    # The installer added rd.luks.uuid=<swap-uuid> to GRUB_CMDLINE_LINUX in
    # /etc/default/grub; it needs to be removed:
    vi /etc/default/grub # remove rd.luks.uuid=<swap-uuid>
    # On a BIOS-based (MBR) system, regenerate the grub config with:
    grub2-mkconfig -o /boot/grub2/grub.cfg
    # On a UEFI-based (GPT) system use this instead:
    grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

  6. Reboot to activate the swap
    If /etc/crypttab was edited properly, there should be no passphrase prompt during boot and the swap should be automatically activated
    Use the following commands to investigate the activated swap:

    • swapon -s
      • (Check that new swap is active)
    • lsblk, or dmsetup ls --tree
      • (Visualize the relationship between devices)
    • cryptsetup status MAPPING
      • (See encryption details about the opened device)
[1]: The Linux kernel only keeps track of what is in swap while the system is running; anything left in swap after a shutdown or power cut has no meaning on a fresh boot. For this reason, there is no point in configuring a passphrase on encrypted swap, much less using dm-crypt's more complicated formatting extension, LUKS. The one exception is hibernation (suspend-to-disk), which writes the memory image to swap and needs to read it back on the next boot; that use case is incompatible with a random per-boot key.
[2]: The reality is that SCSI device names in Linux (/dev/sd*, /dev/vd*, etc.) are extremely volatile and non-deterministic by default. There is no guarantee that sda will still be sda after a reboot, which is why UUIDs are so often used in /etc/crypttab and /etc/fstab. In this particular case, if LVM cannot be used for some reason, udev rules must be written to ensure the swap device always gets the same device node name.
[3]: To implement this, create a new partition on a GPT-formatted disk (e.g., with gdisk or parted) and then find its GUID under /dev/disk/by-partuuid/. In /etc/crypttab, put "PARTUUID=some-uuid-goes-here" as the second field.
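The following helper script is an added example and is not part of this Red Hat solution. It generates the /etc/crypttab and /etc/fstab entries from steps 3 and 4 and refuses the volatile device names the WARNING and note [2] describe; the function names and the optional scratch-file arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example helper (not part of the Red Hat solution): builds the
# /etc/crypttab and /etc/fstab entries from steps 3 and 4 for random-key swap
# and refuses the volatile device names the WARNING and note 2 describe.
# Assumed interface: install_entries MAPPING DEV [CRYPTTAB] [FSTAB]; the last
# two arguments exist only so the functions can be exercised on scratch files.

# A name is safe for re-created swap only if it cannot point at a different
# disk on the next boot. Kernel-enumerated names (/dev/sda, /dev/vdb) can, and
# /dev/disk/by-uuid links are useless here because mkswap writes a new UUID on
# every boot. LVM (/dev/VG/LV), /dev/mapper/* and PARTUUID= are stable.
is_deterministic_dev() {
    case "$1" in
        /dev/disk/by-uuid/*|/dev/disk/by-label/*) return 1 ;;
        /dev/mapper/*|PARTUUID=*|/dev/disk/by-partuuid/*) return 0 ;;
        /dev/sd*|/dev/vd*) return 1 ;;
        /dev/*/*) return 0 ;;   # /dev/VG/LV style LVM path
        *) return 1 ;;
    esac
}

# Step 3: "MAPPING DEV /dev/urandom swap". Fails for a volatile DEV.
crypttab_line() {
    is_deterministic_dev "$2" || return 1
    printf '%s %s /dev/urandom swap\n' "$1" "$2"
}

# Step 4: the mapped path, never a UUID, because the swap signature is new
# on each boot.
fstab_line() {
    printf '/dev/mapper/%s swap swap defaults 0 0\n' "$1"
}

# Append both entries, skipping lines already present so re-runs are harmless.
install_entries() {
    mapping=$1 dev=$2 crypttab=${3:-/etc/crypttab} fstab=${4:-/etc/fstab}
    cline=$(crypttab_line "$mapping" "$dev") || {
        echo "refusing volatile or UUID-based device name: $dev" >&2
        return 1
    }
    fline=$(fstab_line "$mapping")
    grep -qxF -- "$cline" "$crypttab" 2>/dev/null || printf '%s\n' "$cline" >>"$crypttab"
    grep -qxF -- "$fline" "$fstab" 2>/dev/null || printf '%s\n' "$fline" >>"$fstab"
}

# Usage: sh encswap-entries.sh MAPPING DEV  (then reboot, as in step 6)
if [ "$#" -eq 2 ]; then
    install_entries "$1" "$2"
fi
```

Run it as root with the mapping name and the LVM, multipath or PARTUUID= device chosen in steps 1 and 2; it writes nothing when given a /dev/sd* or /dev/vd* name.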
