Swap partition or swap files

  1. Do not use swap files with encryption. When the system is low on RAM, dm-crypt might not be able to handle a swap file.
  2. Do not use swap on HDDs. Random access on an HDD is very slow.

Identify swap partition

First, identify your swap partition with blkid and get its UUID.

Then, find the partition in /dev/disk/by-partuuid/.

Disable hibernation and resume

You will need to reboot after executing the following commands.

echo RESUME=none | sudo tee /etc/initramfs-tools/conf.d/resume
sudo update-initramfs -u
 
sudo systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target

Configure encrypted swap

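Then, add the following entry to /etc/crypttab and verify it with cryptdisks_start cryptswap. The key is read from /dev/urandom and the swap option runs mkswap on the mapped device at every boot, so whatever is on the source partition is destroyed each time; make sure the path points at the swap partition.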

# <target name> <source device>         <key file>      <options>
cryptswap /dev/disk/by-partuuid/XXXX /dev/urandom plain,swap,cipher=aes-xts-plain64,size=256,sector-size=4096

If you specified sector-size=4096, the size of the whole device must be a multiple of it, and you should make the partition 4k aligned with your disk.

Note that sectors are numbered from 0 in fdisk, so both the start sector and the size of the partition should be multiples of 8, assuming that the sector size is 512 bytes.

To partition accordingly with fdisk, align First sector to a multiple of 8 and Last sector to a multiple of 8 minus 1. If you use +sectors to specify the last sector, that number should also be a multiple of 8 minus 1, because even +0 occupies a sector.
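The alignment rule above as a script, added here as an example (it is not part of the original page): it checks a partition's start and size, and rounds a Last sector or +sectors value down to the nearest valid one. The function names are made up for this example, and it assumes 512-byte units, which is what /sys/class/block reports for start and size.

```shell
#!/bin/sh
# Added example: 4 KiB alignment check for sector-size=4096 in /etc/crypttab.
# Function names are made up here. All values are in 512-byte sectors, the
# unit assumed in the text and the unit sysfs uses for start and size.

# True when a sector count is a multiple of 8 (8 * 512 = 4096 bytes).
multiple_of_8() {
    [ $(( $1 % 8 )) -eq 0 ]
}

# check_alignment START SIZE: returns 0 only if both are multiples of 8.
check_alignment() {
    start=$1 size=$2 rc=0
    last=$(( start + size - 1 ))    # shown by fdisk as the last sector
    if ! multiple_of_8 "$start"; then
        echo "start $start is not a multiple of 8"
        rc=1
    fi
    if ! multiple_of_8 "$size"; then
        echo "size $size is not a multiple of 8 (last sector $last)"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "ok: start=$start last=$last size=$size"
    fi
    return "$rc"
}

# Round down to the nearest "multiple of 8 minus 1". Valid both for the
# Last sector and for a +sectors value, which follow the same rule.
round_down_8n_minus_1() {
    echo $(( ($1 + 1) / 8 * 8 - 1 ))
}

# check_partition NAME (e.g. sda3): read start and size from sysfs.
check_partition() {
    sys=/sys/class/block/$1
    if [ ! -r "$sys/start" ] || [ ! -r "$sys/size" ]; then
        echo "$1: no start/size in sysfs, not a partition?" >&2
        return 2
    fi
    check_alignment "$(cat "$sys/start")" "$(cat "$sys/size")"
}

# Run as: sh check-align.sh sda3   (the file name is arbitrary)
if [ "$#" -gt 0 ]; then
    check_partition "$1"
fi
```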

Finally, add the following line to /etc/fstab, test it with swapon -a, run update-initramfs -u again and reboot.

/dev/mapper/cryptswap none swap sw 0 0

You can use the following commands to check the swap status.

# Available swap
free -h
# Encryption status
cryptsetup status cryptswap