Swap partition or swap files
- Do not use swap files with encryption. When the system is low on RAM, dm-crypt might not be able to handle a swap file.
- Do not use swap on HDDs. Random access on an HDD is very slow.
Identify swap partition
First, identify your swap partition with blkid and get its UUID.
Then, find the partition in /dev/disk/by-partuuid/.
Disable hibernation and resume
You will need to reboot after executing the following commands.
echo RESUME=none | sudo tee /etc/initramfs-tools/conf.d/resume
sudo update-initramfs -u
sudo systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target
Configure encrypted swap
Then, set up your /etc/crypttab file and verify it with cryptdisks_start cryptswap.
# <target name> <source device> <key file> <options>
cryptswap /dev/disk/by-partuuid/XXXX /dev/urandom plain,swap,cipher=aes-xts-plain64,size=256,sector-size=4096
If you specified sector-size=4096, the size of the whole device must be a multiple of it, and you should make the partition 4k aligned with your disk.
Note that sectors are numbered from 0 in fdisk, so you should keep both the start sector of the partition and the size of the partition multiples of 8, assuming that the sector size is 512 bytes.
To partition that with fdisk, you should align First sector to a multiple of 8 and Last sector to a multiple of 8 minus 1. If you are using +sectors to specify the last sector, the number should be a multiple of 8 minus 1 too, because even +0 occupies a sector.
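The alignment rules above can be checked before and after writing the partition table. This is an added example, not part of the original page; the function names are hypothetical, and check_partition assumes the sysfs start and size files, which are in 512-byte units.

```shell
#!/bin/sh
# check_4k_align START SIZE [SECTOR_BYTES]
# START and SIZE are in sectors as fdisk prints them (SECTOR_BYTES defaults
# to 512). Returns 0 only when both the start offset and the length are
# multiples of 4096 bytes, which sector-size=4096 in crypttab requires.
check_4k_align() {
    start=$1 size=$2 sector_bytes=${3:-512}
    rc=0
    if [ $(( (start * sector_bytes) % 4096 )) -ne 0 ]; then
        echo "start sector $start is not 4 KiB aligned" >&2
        rc=1
    fi
    if [ $(( (size * sector_bytes) % 4096 )) -ne 0 ]; then
        echo "size of $size sectors is not a multiple of 4 KiB" >&2
        rc=1
    fi
    return $rc
}

# last_sector_for START SIZE
# Prints the value to enter at fdisk's "Last sector" prompt. Sectors are
# numbered from 0, so the last sector is START + SIZE - 1.
last_sector_for() {
    echo $(( $1 + $2 - 1 ))
}

# check_partition NAME (for example sda2)
# Reads the geometry of an existing partition from sysfs, where start and
# size are expressed in 512-byte units.
check_partition() {
    dir=/sys/class/block/$1
    [ -r "$dir/start" ] || { echo "no such partition: $1" >&2; return 2; }
    check_4k_align "$(cat "$dir/start")" "$(cat "$dir/size")" 512
}

# When run as a script with an argument, check that partition.
if [ $# -gt 0 ]; then
    check_partition "$1"
fi
```

For a planned partition, call check_4k_align with the First sector and the sector count, then pass the same two numbers to last_sector_for to get the Last sector value.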
Finally, add the following line to /etc/fstab, test it with swapon -a, run update-initramfs -u again and reboot.
/dev/mapper/cryptswap none swap sw 0 0
You can use the following commands to check the swap status.
# Available swap
free -h
# Encryption status
cryptsetup status cryptswap