I set up swap encryption with suspend-to-disk support by following this Arch Wiki page: https://wiki.archlinux.org/title/Dm-cry … sk_support
There it says:
"The following three methods are alternatives for setting up an encrypted swap for suspend-to-disk. If you apply any of them, be aware that critical data swapped out by the system may potentially stay in the swap over a long period (i.e. until it is overwritten). To reduce this risk consider setting up a system job which re-encrypts swap, e.g. each time the system is going into a regular shut-down, along with the method of your choice."
My question is: what does it mean when it says "re-encrypt swap"? What exactly should I do with a system job to overwrite the data that contains stuff that was swapped out some time ago?
LUKS does not really have a concept of replacing the master key [ditching old data] on the fly. So to make data inaccessible permanently [even if you know the pass phrase] you are left with luksErase and/or luksFormat.
So you can run luksErase on shutdown, and luksFormat on boot in initramfs. Or luksFormat on shutdown. You'll also have to run mkswap to make it a swap space again, but the crypttab swap option can handle this bit for you.
Another much simpler way to ditch data on a LUKS device would be a simple fstrim or blkdiscard. For swap you can just use the discard=once option [see 'man swapon']. LUKS itself has to run with the allow-discards option for that to work and the storage medium has to support TRIM / discard and deterministic read zero after trim.
Altogether I'm not sure if it's worth the effort. The swap is encrypted, for most use cases that would already be enough.
Last edited by frostschutz (2022-07-08 10:05:01)
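One concrete shape of the "luksFormat on shutdown, let the crypttab swap option run mkswap at boot" variant described above, written here as an added example and not taken from the thread or from the Arch Wiki. It assumes a keyfile-unlocked LUKS swap (keyfile path, mapper name and the PARTUUID placeholder are all hypothetical), a crypttab line of the form `cryptswap /dev/disk/by-partuuid/<PARTUUID> /etc/cryptswap.key swap`, and systemd. The crypttab check exists because luksFormat assigns a fresh LUKS UUID, so a `UUID=` source in crypttab would stop working after the first shutdown; a PARTUUID or partition path survives the reformat.

```shell
#!/bin/sh
# Added example: re-create the LUKS header of the swap device at every regular
# shutdown so that pages swapped out during the session become unrecoverable,
# then rely on the crypttab "swap" option to run mkswap again at the next boot.
#
# Assumptions (placeholders, adjust to your system):
#   - SWAP_DEV is a PARTUUID path, which is stable across luksFormat;
#   - KEYFILE is the keyfile named in /etc/crypttab for MAPPER_NAME;
#   - /etc/crypttab carries the "swap" option for that entry;
#   - systemd's hibernate.target does not stop services, so this hook runs
#     only on poweroff/reboot, not when suspending to disk.

SWAP_DEV=${SWAP_DEV:-/dev/disk/by-partuuid/REPLACE-WITH-PARTUUID}
MAPPER_NAME=${MAPPER_NAME:-cryptswap}
KEYFILE=${KEYFILE:-/etc/cryptswap.key}

# Crypttab sanity check for this hook. Returns 0 when the line names its
# source device by something other than UUID= (the LUKS UUID changes on every
# luksFormat) and carries the "swap" option (so mkswap is redone at boot).
swap_crypttab_is_stable() {
    line=$1
    # Split the crypttab line into its whitespace-separated fields.
    set -- $line
    [ $# -ge 4 ] || return 1
    case "$2" in UUID=*) return 1 ;; esac
    case ",$4," in *,swap,*) return 0 ;; esac
    return 1
}

# The shutdown work itself. Must run as root and is destructive by design:
# everything in the swap device, including any hibernation image, is lost.
# If swapoff fails (pages cannot be moved back into RAM) nothing is formatted.
reencrypt_swap() {
    swapoff "/dev/mapper/$MAPPER_NAME" || return 1
    cryptsetup close "$MAPPER_NAME" || return 1
    # --batch-mode skips the interactive confirmation. The same keyfile is
    # reused so /etc/crypttab keeps working, but the old master key is gone,
    # so the previous contents cannot be decrypted even with that keyfile.
    cryptsetup luksFormat --batch-mode --key-file "$KEYFILE" "$SWAP_DEV"
}

# systemd unit that stops (and thereby runs ExecStop) when the system leaves
# multi-user operation, i.e. on poweroff and reboot. Script path is assumed.
print_unit() {
    cat <<EOF
[Unit]
Description=Re-create LUKS header of swap at shutdown
After=multi-user.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
ExecStop=/usr/local/sbin/reencrypt-swap --run

[Install]
WantedBy=multi-user.target
EOF
}

case "$1" in
    --run)        reencrypt_swap ;;
    --print-unit) print_unit ;;
esac
```

Install the script as `/usr/local/sbin/reencrypt-swap`, write `reencrypt-swap --print-unit` to `/etc/systemd/system/reencrypt-swap.service` and enable it. Because the hook formats rather than erases, a keyslot for the keyfile is recreated immediately, which is what lets the next boot unlock and mkswap the device without manual steps; the luksErase-at-shutdown, luksFormat-in-initramfs alternative from the reply above trades that convenience for not keeping a usable header on disk overnight.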