I just placed an fstab entry as below, after doing a dd wipe on swap partition and seems to work, defaults to AES AFAIK.
/dev/ada0p1.eli none  swap sw,keylen=256,sectorsize=4096  0  0
The handbook states use of geli onetime -d -e 3des ada0p1

* Is 3DES more appropriate than AES for swap?
* Do I need to specify the -d flag in fstab (seems not)?
* Is there a way to "get properties" to check what options geli has used?
You can use either 3DES or AES, but void DES
AES is known as significantly faster. 3DES consumes much resources, so 3DES could eventually slow down the system.

You must be aware that setting up an encrypted SWAP blocks the memory dumping in case of unstable system, so you won't be able to debug the system, because DUMP uses the SWAP device.

So I advise to use the following settings

I creates a label for the Swap partition, with glabel label FreeBSD_SWAP /dev/ada....

In rc.conf we activate the dump device, and a special script to start the swap later

savecore_flags="-m 5" #store a max of 5 memory dumps


In fstab we set the unencrypted swap, but with no auto-mounting (even if swap is not mounted, DUMP read the fstab to locate the Swap partition)

/dev/label/FreeBSD_SWAP    none     swap    sw,noauto

In /usr/local/etc/rc.d put the following geli_swap script wth chmod 555, and chown 0:0

Example of rc.d script to start the swap :

# $FreeBSD$


. /etc/rc.sub



load_rc config $name


geli onetime -d -a HMAC/SHA256 -e AES-XTS -l 256 -s 4096 ./dev/label/FreeBSD_SWAP


run_rc_command "$1"

How does it work ?

System becomes unstable and crashes, swap is closed, and with the -d option, system automatically detaches the Geli Swap
So the base swap partition (unencrypted) is available again, and system can dump the memory in the swap partition before rebooting.

On reboot, first the system detects the DUMP device directive in rc.conf. The system checks if the unencrypted swap partition has dumping data. If yes it moves theses data from the swap partition to /var/crash, and so system can start the geli_swap script.
Further, you will be able to load the content of /var/crash to debug the system with gdb

If unencrypted swap partition is empty, system can start immediately the geli_swap script

Use swapinfo to check if swap is running, you can also go to /dev/label and you will find


To list Geli devices

geli list
Last edited:
Thanks for the answer
I thought AES would suffice, but hesitated because of the Handbook entry.
I don't need dumpdev/savecore, but your explanation clarifies the use of -d flag

My last question was about checking geli properties once geli layer was started, for confirmation of what parameters geli used for the layer.