**Contents**

[[!toc levels=3]]

[[!template id=needs-update reason="netbsd-10 vm.swap_encrypt=1, default on most platforms today, obsoletes swapping to cgd"]]

# Summary

It's getting more and more popular to use encrypted swap. This is however not a trivial task with nfs-swap. Swap over nfs is supported like this:

    server:/usr/swapfile none swap sw,-w=8192,nfsmntpt=/swap 0 0

But this can not be encrypted. We will however cheat and use a [[!template id=man name="vnd" section="4"]] on a nfs-share.

This is how I did it on my Jornada 680 running 3.99.15.

# Things needed

A kernel with both [[!template id=man name="vnd" section="4"]] and [[!template id=man name="cgd" section="4"]] support.

# Creation

## Making the swapspace

First we need to create the swapfile to be used. It's important that the swapfile is in a directory that is mounted when _/etc/rc.d/swap2_ runs. Either add the directory to **$critical_filesystems_remote**, or just put it in /usr. Now run:

    # dd if=/dev/zero of=/usr/swapfile bs=1m count=64

This will create a 64MB swapfile. Make sure it has the right permissions and owner.

    # chown root:wheel /usr/swapfile
    # chmod 600 /usr/swapfile

## Configuring the swapspace the first time

Now we just have to configure it so the system can use it. Configure the paramsfile for [[!template id=man name="cgd" section="4"]].

    # cgdconfig -g -o /etc/cgd/swapfile -V none -k randomkey blowfish-cbc

Now we can configure the device.

    # vnconfig vnd0 /usr/swapfile
    # cgdconfig cgd0 /dev/vnd0c /etc/cgd/swapfile

Replace /dev/vnd0c with /dev/vnd0d if necessary.

Disklabel the cgd with **disklabel -I -e cgd0**; it should look something like this.
    # /dev/rcgd0c:
    type: cgd
    disk: cgd
    label: default label
    flags:
    bytes/sector: 512
    sectors/track: 2048
    tracks/cylinder: 1
    sectors/cylinder: 2048
    cylinders: 64
    total sectors: 131072
    rpm: 3600
    interleave: 1
    trackskew: 0
    cylinderskew: 0
    headswitch: 0           # microseconds
    track-to-track seek: 0  # microseconds
    drivedata: 0

    3 partitions:
    #        size    offset     fstype [fsize bsize cpg/sgs]
     c:    131072         0       swap                     # (Cyl.      0 -     63)

**Note**: Depending on which architecture you use, you may need a different layout. Like this on an i386:

     a:    131072         0       swap                     # (Cyl.      0 -     63)
     d:    131072         0     unused      0     0        # (Cyl.      0 -     63)

Which layout you need depends on which partition your architecture uses as the raw partition. If unsure, check with:

    # sysctl kern.rawpartition
    kern.rawpartition = 3

Back it up so it can be used later.

    # disklabel cgd0 > /etc/cgd/swapfile.disklabel

Use it (finally).

    # swapctl -a /dev/cgd0c

Now you have working encrypted swap over nfs. To check its status:

    # swapctl -l
    Device      512-blocks     Used    Avail Capacity  Priority
    /dev/cgd0c      131072     9696   121376     7%    0

# Use the swapspace at every reboot

Using this swapspace automatically at every reboot is a little tricky since it can not be put into _/etc/fstab_, but it can be done in another way. And I have already done the work for you. ;-)

Check that the variables make sense on your system. E.g. that you used vnd0 and cgd0 and RAW_PART is right for your architecture.

Create the file _/etc/rc.conf.d/swap_ containing the following.

    # Initialize cgd over vnd swap, suitable for nfs-swap.
    #
    # Note: We can NOT put this swapfile in /etc/fstab, this is why
    # this is relatively complicated.
    #
    # If this is the only swapspace you have configured then you can set
    # no_swap=YES in rc.conf, otherwise the system will complain every boot.
    #
    # IMPORTANT:
    # $swapfile has to be in $critical_filesystems_remote. /usr is by default
    #
    vnd_device="vnd0"
    cgd_device="cgd0"
    swapfile="/usr/swapfile"
    paramsfile="/etc/cgd/swapfile"
    swap_disklabel="/etc/cgd/swapfile.disklabel"
    RAW_PART="c"    # <- change to suit your arch
    SWAP_PART="c"   # <- change to same as the disklabel
    start_postcmd="cryptovnd_swap"
    stop_cmd="cryptovnd_stop"   # Note: We have to override stop_cmd

    cryptovnd_swap()
    {
        # Since there is only one swap-variable in rc.conf we have to
        # check that we are being called from swap2.
        if [ $name = "swap1" ]; then
            return
        fi

        if [ -f $swapfile ]; then
            echo "Configuring cgd over vnd swap."
            # Sets st_uid, st_gid, st_mode, ... from the swapfile's inode.
            eval `stat -L -s $swapfile`
            if [ `echo $st_uid+$st_gid|bc` != 0 ]; then
                echo "$swapfile MUST be owned by root and group wheel"
                echo "$swapfile not used as swap."
                return 1
            else
                if [ ! -f $swap_disklabel ]; then
                    echo "No $swap_disklabel."
                    echo "$swapfile can not be used as swap."
                    return 1
                fi
                if [ $st_mode != "0100600" ]; then
                    echo "$swapfile MUST have permission 600"
                    echo "$swapfile not used as swap."
                    return 1
                fi
            fi
            vnconfig $vnd_device $swapfile
            cgdconfig $cgd_device /dev/${vnd_device}$RAW_PART $paramsfile
            disklabel -R -r $cgd_device $swap_disklabel
            swapctl -a /dev/${cgd_device}$SWAP_PART
        fi
    }

    cryptovnd_stop()
    {
        if [ $name = "swap2" ]; then
            swapctl -d /dev/${cgd_device}$SWAP_PART
            cgdconfig -u $cgd_device
            vnconfig -u $vnd_device
            swapctl -U -t noblk
        else
            swap1_stop
        fi
    }

# Some issues and notes

* Do not include this cgd in _/etc/cgd/cgd.conf_.
* It could happen that there isn't enough entropy in the kernel to initialize the swap partition. If so, you can add your NIC to the entropy pool in _/etc/rc.conf_ with **/sbin/rndctl -ced ne0** if you have a [[!template id=man name="ne" section="4"]] NIC.
* If this is the only swapspace configured, set the variable **no_swap=YES** in _/etc/rc.conf_ or the system will complain every boot.
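The rc script above refuses to attach the swapfile unless it is root:wheel and mode 600, and it restores a saved disklabel onto the cgd without checking that the label still fits the file. The reason the ownership check matters is integrity rather than secrecy: the random key keeps the file's contents unreadable, but anyone who can write to the backing file can corrupt pages that are later swapped back in. The following is an added example, not code from the page or from NetBSD, that re-implements those preflight checks portably (ls -ln and wc -c instead of NetBSD's stat -s, so it can be exercised off-box) and adds two checks the page's script does not have: mapping the `kern.rawpartition` value to its partition letter, and cross-checking "total sectors" in the saved disklabel against the real size of the swapfile. The function names are my own; the file and device names are the page's.

```shell
#!/bin/sh
# Added example (not the page's rc script): portable preflight checks for a
# cgd-over-vnd swapfile. Uses ls -ln / wc -c instead of NetBSD's stat -s so
# it runs on any POSIX system. Function names are hypothetical.

# Map the value of "sysctl -n kern.rawpartition" to its partition letter
# (2 -> c, 3 -> d), i.e. the RAW_PART the rc script expects.
raw_part_letter() {
    case "$1" in
        0) echo a ;; 1) echo b ;; 2) echo c ;; 3) echo d ;;
        4) echo e ;; 5) echo f ;; 6) echo g ;; 7) echo h ;;
        *) echo "raw_part_letter: unexpected value '$1'" >&2; return 1 ;;
    esac
}

# Verify owner, group and mode of the swapfile before it is ever attached.
# Args: file [uid] [gid]; uid/gid default to 0 (root:wheel) as in the rc script.
check_swapfile() {
    file=$1; want_uid=${2:-0}; want_gid=${3:-0}
    [ -f "$file" ] || { echo "$file: not a regular file" >&2; return 1; }
    # Word-split "ls -lnL" output on purpose: $1 mode, $3 uid, $4 gid.
    set -- $(ls -lnL "$file")
    mode=$1; uid=$3; gid=$4
    if [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
        echo "$file MUST be owned by uid $want_uid gid $want_gid (is $uid:$gid)" >&2
        return 1
    fi
    case $mode in
        -rw-------*) ;;   # 600 on a regular file; a trailing +/@/. is an ACL/xattr flag
        *) echo "$file MUST have permission 600 (is $mode)" >&2; return 1 ;;
    esac
    return 0
}

# Size of the swapfile in 512-byte sectors. A 64 MB file made with
# "dd bs=1m count=64" gives 131072, the "total sectors" in the page's label.
file_sectors() {
    bytes=$(wc -c < "$1" | tr -d ' ') || return 1
    echo $(( bytes / 512 ))
}

# The "total sectors" recorded in the saved disklabel must match the real
# size of the swapfile, otherwise "disklabel -R -r" would restore a label
# that does not fit the cgd.
label_matches_file() {
    file=$1; label=$2
    want=$(awk '/^total sectors:/ { print $3 }' "$label")
    have=$(file_sectors "$file") || return 1
    [ -n "$want" ] && [ "$want" -eq "$have" ]
}

# Run all checks with the page's paths; on the NetBSD box you would call
#   preflight /usr/swapfile /etc/cgd/swapfile.disklabel
preflight() {
    check_swapfile "$1" && label_matches_file "$1" "$2"
}
```

On the target machine the raw partition letter comes from `raw_part_letter "$(sysctl -n kern.rawpartition)"`; the page's `kern.rawpartition = 3` yields `d`, which is why an i386 needs `/dev/vnd0d` and the alternate label layout, while the Jornada's `c` layout corresponds to a value of 2.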
# Additional Information

* [[!template id=man name="vnconfig" section="8"]] Manpage
* [[!template id=man name="cgdconfig" section="8"]] Manpage
* [[!template id=man name="swapctl" section="8"]] Manpage
* [[!template id=man name="disklabel" section="8"]] Manpage