Encrypted swap with geli and md?

I have used the encrypted swap feature for a while now, but recently I moved from a swap partition to a swap file. This is because my new drive is an SSD and I wanted to make sure I could use TRIM on the part of the disk used for swap.

Typically an encrypted swap file would be used in fstab as below:
Code:
ada0s1b.eli   none swap sw 0 0
And geli(8) would automatically encrypt the swap with a one-time key each time the system boots, that way the swap is always non-recoverable after a reboot.

However, because I wanted to take advantage of TRIM on the SSD, I wanted to use a file for the swap instead of a partition. I am not sure if it is possible to do an automatically encrypted swap using GELI as is possible when using a swap partition.

My current fstab looks like this:
Code:
md99    none     swap   sw,file=/usr/swap/swap   0   0
 
What happens if you specify md99.eli in fstab(5)? Does the entry get processed twice, once as an mdX entry and once as a X.eli entry, which should do what you want?
 
Hmmm... so in that case it is probably being processed as a GELI entry but not a memory disk entry. Perhaps try putting the following in /etc/rc.conf:
Code:
mdconfig_md99="-t vnode -f /usr/swap/swap"
For the entry in /etc/fstab use md99.eli but remove the file option, so it is treated as a GELI entry. If that doesn't work you may need to tweak one of the scripts in /etc/rc.d to tell the script that calls mdconfig(8) to run before the one that calls geli(8). Have a look at the man page for rcorder(8) for how to do that.
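The manual, run-time equivalent of the rc.conf plus fstab setup suggested above, as an added example that is not part of the thread: attach the swap file as md99 (what mdconfig_md99 does at boot), then hand the .eli name to swapon(8), which attaches a one-time GELI key. It assumes FreeBSD, root, and the constructed values unit 99, /usr/swap/swap and a 4 GiB file; a permissions check confirms the backing file is mode 0600, and the final grep confirms the encrypted provider rather than the raw md device is what is swapping.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed values: unit 99,
# backing file /usr/swap/swap, size 4 GiB. Override via the environment.
SWAPFILE="${SWAPFILE:-/usr/swap/swap}"
UNIT="${UNIT:-99}"
SIZE_MB="${SIZE_MB:-4096}"

# The backing file must be exactly mode 0600: geli onetime encrypts the pages,
# but the file itself should never be readable or writable by other users.
check_swapfile_perms() {
    [ -f "$1" ] && [ -n "$(find "$1" -maxdepth 0 -perm 0600)" ]
}

create_swapfile() {
    [ -f "$SWAPFILE" ] && return 0
    mkdir -p "$(dirname "$SWAPFILE")"
    # Preallocate with dd rather than truncate: a sparse file can fail to
    # allocate blocks exactly when the system is under memory pressure.
    dd if=/dev/zero of="$SWAPFILE" bs=1m count="$SIZE_MB"
    chmod 0600 "$SWAPFILE"
}

enable_encrypted_swap() {
    check_swapfile_perms "$SWAPFILE" || {
        echo "refusing: $SWAPFILE is not mode 0600" >&2
        return 1
    }
    # Same as mdconfig_md99="-t vnode -f /usr/swap/swap" in /etc/rc.conf
    mdconfig -a -t vnode -f "$SWAPFILE" -u "$UNIT"
    # swapon(8) sees the .eli suffix and runs geli onetime on md99 for us
    swapon "/dev/md${UNIT}.eli"
    # Verify the encrypted provider, not /dev/md99, is the active swap device
    swapinfo | grep -q "/dev/md${UNIT}.eli"
}

disable_encrypted_swap() {
    swapoff "/dev/md${UNIT}.eli"
    mdconfig -d -u "$UNIT"
}

case "${1:-}" in
    enable)  create_swapfile && enable_encrypted_swap ;;
    disable) disable_encrypted_swap ;;
esac
```

Run as `sh script.sh enable` once to confirm the layout works before committing it to rc.conf and fstab; `geli status` should then list md99.eli.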