Like the encryption of disk partitions, encryption of swap space is used to protect sensitive information. Consider an application that handles passwords or keys. As long as that data stays in physical memory, it is never written to disk and is gone after a reboot. However, once FreeBSD starts paging memory out to free space, the same data may be written to the swap partition in the clear, where it survives a reboot and can be read by anyone who can read the raw device. Encrypting swap space closes this gap.
This section demonstrates how to configure an encrypted swap partition using gbde(8) or geli(8) encryption. It assumes a UFS file system where /dev/ad0s1b is the swap partition.
Swap partitions are not encrypted by default, so whatever has already been paged out should be wiped before continuing. Make sure the partition is not currently in use as swap (swapoff(8) it first if the system is running) and then overwrite it with random data:

# dd if=/dev/random of=/dev/ad0s1b bs=1m

The command ends with a "short write" or "end of device" error once it reaches the end of the partition; that is expected.
To encrypt the swap partition using gbde(8), add the .bde suffix to the device name on the swap line in /etc/fstab:

# Device        Mountpoint  FStype  Options  Dump  Pass#
/dev/ad0s1b.bde none        swap    sw       0     0

To instead encrypt the swap partition using geli(8), use the .eli suffix:

# Device        Mountpoint  FStype  Options  Dump  Pass#
/dev/ad0s1b.eli none        swap    sw       0     0
At boot, the rc(8) script /etc/rc.d/encswap attaches each .eli swap device with geli onetime, using a fresh random key that is never stored anywhere. No passphrase is prompted for, and because the key is lost when the device is detached, the contents of swap cannot be recovered after a reboot.

By default, geli(8) uses the AES algorithm with a key length of 128 bits. These defaults can be altered with geli_swap_flags in /etc/rc.conf. The following flags configure encryption using the Blowfish algorithm with a key length of 128 bits and a sector size of 4 kilobytes, and set "detach on last close" (-d):

geli_swap_flags="-e blowfish -l 128 -s 4096 -d"

Blowfish is a legacy cipher with a 64-bit block size; the AES default is the better choice on current hardware unless there is a specific reason to change it. Refer to the description of onetime in geli(8) for the list of possible options.
Once the system has rebooted, proper operation of the encrypted swap can be verified using swapinfo(8). The device listed must carry the .bde or .eli suffix; a bare /dev/ad0s1b means the plain partition is being used as swap.

If gbde(8) is being used:

% swapinfo
Device          1K-blocks     Used    Avail Capacity
/dev/ad0s1b.bde    542720        0   542720     0%

If geli(8) is being used:

% swapinfo
Device          1K-blocks     Used    Avail Capacity
/dev/ad0s1b.eli    542720        0   542720     0%
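The two non-interactive steps of the procedure above, editing the swap entry in /etc/fstab and checking swapinfo output afterwards, as an added POSIX shell example. This is not code from the FreeBSD Handbook; it runs entirely on constructed sample text (the fstab and swapinfo excerpts embedded below) so it can be tried on any system without touching a real device, and it generalizes the check to any number of swap devices rather than the single /dev/ad0s1b of the text.

```sh
#!/bin/sh
# Added example, not part of the FreeBSD Handbook. Helpers for the encrypted
# swap procedure: rewrite fstab swap entries to use geli(8) and audit swapinfo
# output for swap devices that are not encrypted.

# add_eli_suffix FSTAB_TEXT
# Print FSTAB_TEXT with the device of every "swap" entry renamed to <device>.eli.
# Comment lines, non-swap entries and entries that already end in .eli or .bde
# are passed through unchanged, so running it twice is harmless.
add_eli_suffix() {
    printf '%s\n' "$1" | awk '
        BEGIN { OFS = "\t" }
        /^[[:space:]]*#/ { print; next }
        $3 == "swap" && $1 !~ /\.(eli|bde)$/ { $1 = $1 ".eli" }
        { $1 = $1; print }
    '
}

# unencrypted_swap_devices SWAPINFO_TEXT
# Print every swap device in swapinfo(8) output whose name does not end in
# .eli or .bde, one per line. Returns 1 if any were found, 0 otherwise.
# The header line and the "Total" summary line (printed when several swap
# devices are active) are skipped.
unencrypted_swap_devices() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }
        $1 == "Total" { next }
        $1 !~ /\.(eli|bde)$/ { print $1; bad = 1 }
        END { exit bad }
    '
}

# Constructed sample inputs for demonstration (not real system state).
SAMPLE_FSTAB='# Device	Mountpoint	FStype	Options	Dump	Pass#
/dev/ad0s1a	/	ufs	rw	1	1
/dev/ad0s1b	none	swap	sw	0	0'

SAMPLE_SWAPINFO_OK='Device          1K-blocks     Used    Avail Capacity
/dev/ad0s1b.eli    542720        0   542720     0%'

SAMPLE_SWAPINFO_BAD='Device          1K-blocks     Used    Avail Capacity
/dev/ad0s1b.eli    542720        0   542720     0%
/dev/ad1s1b        542720        0   542720     0%
Total             1085440        0  1085440     0%'

echo "== fstab after adding the .eli suffix =="
add_eli_suffix "$SAMPLE_FSTAB"

echo "== audit of constructed swapinfo output =="
if offenders=$(unencrypted_swap_devices "$SAMPLE_SWAPINFO_BAD"); then
    echo "all swap devices are encrypted"
else
    echo "unencrypted swap devices found:"
    echo "$offenders"
fi
```

On a real system the same functions would be fed the actual files, for example `add_eli_suffix "$(cat /etc/fstab)" > /etc/fstab.new` (review the result before replacing /etc/fstab) and `unencrypted_swap_devices "$(swapinfo)"` after the reboot. The audit deliberately accepts both .eli and .bde so it works with either backend described above.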
This and other documents can be downloaded from ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/.
For questions about FreeBSD, read the FreeBSD documentation first; if that does not resolve the problem, contact <questions@FreeBSD.org>.
For questions about this document, contact <doc@FreeBSD.org>.