[dm-crypt] encrypted SWAP FAQ item

Milan Broz gmazyland at gmail.com
Thu Jul 11 13:58:16 CEST 2013


On 07/11/2013 11:24 AM, Jonas Meurer wrote:
> Heya,
>
> Am 11.07.2013 08:53, schrieb Arno Wagner:
>> Dear all,
>>
>> I just have added a mini-HOWTO on how to set up encrypted swap
>> in FAQ item 2.2:
>> http://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions
>>
>> Proofreading and suggestions welcome.
>
> Good idea to add it to the FAQ. Thanks for maintaining this very
> valuable piece of documentation.
>
> But maybe you should more emphasize the fact that /etc/crypttab
> implementations are distro-specific. While I know for sure that options
> like swap and noearly are supported in Debian-based distributions, I'm
> not sure about Redhat-based ones. Last time I looked, only a small
> subset of crypttab options that we've implemented in Debian were
> supported on Redhat-based systems.

Fedora (and future RHEL, perhaps) is using systemd, and
crypttab is parsed in systemd. IIRC most of the options are
"systemd standardized". IIRC all Debian keywords were already there.

And for swap... it never worked properly with systemd, but it is perhaps only
an implementation bug; enjoy reading
https://bugzilla.redhat.com/show_bug.cgi?id=759402

(systemd is using libcryptsetup for real device activation)

> Additionally, the following sentence looks wrong to me:
>
> "Note: use /dev/random if you are paranoid or in a potential low-entropy
> situation (embedded system, etc.).".
>
> Mainly in low-entropy situations /dev/random would cause the boot
> process to hang, right? So for these setups /dev/urandom actually is the
> better solution. Granted that one isn't paranoid ;)

This is not so simple. Once /dev/random is "fixed" for most configs
(read: internal pool is continuously mixed with a good entropy source like
e.g. RDRAND instructions) cryptsetup will switch the default to /dev/random
(for long-lived keys). Perhaps in the next major version.

See my notes here http://code.google.com/p/cryptsetup/issues/detail?id=161

Milan
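As an added example that is not part of the thread, the cryptsetup FAQ or any distribution's crypttab code: a small POSIX sh checker for Debian-style /etc/crypttab swap entries. It assumes the Debian four-field line format (target, source, keyfile, comma-separated options), that "swap" is the option marking a throwaway-key swap device, and that the keyfile is a kernel RNG device for such entries. The sample crypttab is constructed and the device names are placeholders. It flags the combination discussed above, a swap entry keyed from /dev/random, which can block the boot process when the entropy pool is low.

```shell
#!/bin/sh
# Added example: lint Debian-style /etc/crypttab swap entries.
# Assumed line format (Debian crypttab): <target> <source> <keyfile> <options>
# Lines starting with '#' and empty lines are ignored.

# Constructed sample crypttab; /dev/sdX* are placeholder device names.
SAMPLE_CRYPTTAB='# target  source       keyfile      options
cswap1  /dev/sdX2    /dev/urandom swap,cipher=aes-xts-plain64,size=256
cswap2  /dev/sdX3    /dev/random  swap,cipher=aes-xts-plain64,size=256
cdata   /dev/sdX4    none         luks'

# classify_line TARGET SOURCE KEYFILE OPTIONS
# Prints one verdict line for the entry. Only entries carrying the "swap"
# option are inspected; everything else is reported as skipped.
classify_line() {
    target=$1
    keyfile=$3
    options=$4
    case ",$options," in
        *,swap,*) ;;
        *) echo "$target: not a swap entry, skipped"; return 0 ;;
    esac
    case "$keyfile" in
        /dev/urandom)
            echo "$target: OK (random key from /dev/urandom)" ;;
        /dev/random)
            echo "$target: WARN (/dev/random may block at boot on low entropy)" ;;
        *)
            echo "$target: WARN (swap keyed from '$keyfile', not a kernel RNG device)" ;;
    esac
}

# check_crypttab: reads crypttab text on stdin, prints one verdict per entry.
check_crypttab() {
    while read -r target source keyfile options; do
        case "$target" in ''|\#*) continue ;; esac
        classify_line "$target" "$source" "$keyfile" "$options"
    done
}

# count_random_swap CRYPTTAB_TEXT: number of swap entries keyed from /dev/random.
count_random_swap() {
    printf '%s\n' "$1" | check_crypttab | grep -c '/dev/random may block' || true
}

# Usage: run the checker over the constructed sample.
printf '%s\n' "$SAMPLE_CRYPTTAB" | check_crypttab
```

To use it on a real system, replace the constructed sample with `check_crypttab < /etc/crypttab`; on a systemd-based distribution the option names may differ from the Debian ones, which is the point Jonas raises above.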

