Contents

  1. Summary
  2. Things needed
  3. Creation
    1. Making the swapspace
    2. Configuring the swapspace the first time
  4. cgdconfig -g -o /etc/cgd/swapfile -V none -k randomkey blowfish-cbc
  5. Use the swapspace at every reboot
  6. Some issues and notes
  7. Additional Information

Summary

It's getting more and more popular to use encrypted swap. This is however not a trivial task with nfs-swap. Swap over nfs is supported like this:

server:/usr/swapfile none swap sw,-w=8192,nfsmntpt=/swap 0 0

But this can not be encrypted. We will however cheat and use a vnd(4) on a nfs-share.
This is how I did it on my Jornada 680 running 3.99.15.

Things needed

A kernel with both vnd(4) and cgd(4) support.

Creation

Making the swapspace

First we need to create the swapfile to be used. It's important that the swapfile is in a directory that is mounted when /etc/rc.d/swap2 runs. Either add the directory to $critical_filesystems_remote, or just put it in /usr.
Now run:

# dd if=/dev/zero of=/usr/swapfile bs=1m count=64

This will create a 64MB swapfile. Make sure it has the right permissions and owner.

# chown root:wheel /usr/swapfile
# chmod 600 /usr/swapfile

Configuring the swapspace the first time

Now we just have to configure it so the system can use it.
Configure the paramsfile for cgd(4).

cgdconfig -g -o /etc/cgd/swapfile -V none -k randomkey blowfish-cbc

Now we can configure the device.

# vnconfig vnd0 /usr/swapfile
# cgdconfig cgd0 /dev/vnd0c /etc/cgd/swapfile

Replace /dev/vnd0c with /dev/vnd0d if necessary.
Disklabel the cgd with disklabel -I -e cgd0, it will should look something like this.

# /dev/rcgd0c:
type: cgd
disk: cgd
label: default label
flags:
bytes/sector: 512
sectors/track: 2048
tracks/cylinder: 1
sectors/cylinder: 2048
cylinders: 64
total sectors: 131072
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0           # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0 

3 partitions:
#        size    offset     fstype [fsize bsize cpg/sgs]
 c:    131072         0       swap                     # (Cyl.      0 -     63)

Note: Depending on which archictecture you use, you may need a different layout.
Like this on an i386:

 a:    131072         0       swap                     # (Cyl.      0 -    63)
 d:    131072         0     unused      0     0        # (Cyl.      0 -    63)

Depending on which partition your architecture uses as raw partition. If unsure, check with:

# sysctl kern.rawpartition
kern.rawpartion=3

Back it up so it can be used later.

# disklabel cgd0 > /etc/cgd/swapfile.disklabel

Use it (finally).

# swapctl -a /dev/cgd0c

Now you have working encrypted swap over nfs. To check its status:

# swapctl -l
Device      512-blocks     Used    Avail Capacity  Priority
/dev/cgd0c      131072     9696   121376     7%    0

Use the swapspace at every reboot

Using this swapspace automatically at every reboot is a little tricky since it can not be put int /etc/fstab, but it can be done in another way. And I have already done the work for you. ;-) Check that the variables make sense on your system. E.g that you used vnd0 and cgd0 and RAW_PART is right for your architecture. Create the file /etc/rc.conf.d/swap containing the following.

# Initialize cgd over vnd swap, suitable for nfs-swap.
#
# Note: We can NOT put this swapfile in /etc/fstab, this is why
# this is relatively complicated. 
#
# If this is the only swapspace you have configured then you can set
# no_swap=YES in rc.conf, otherwise the system will complain every boot.
#
# IMPORTANT:
# $swapfile has to be in $critical_filesystems_remote. /usr is by default
#
vnd_device="vnd0"
cgd_device="cgd0"
swapfile="/usr/swapfile"
paramsfile="/etc/cgd/swapfile"
swap_disklabel="/etc/cgd/swapfile.disklabel"
RAW_PART="c"                    # <- change to suit your arch
SWAP_PART="c"                   # <- change to same as the disklabel
start_postcmd="cryptovnd_swap"
stop_cmd="cryptovnd_stop"       # Note: We have to override stop_cmd

cryptovnd_swap()
{
        # Since there is only one swap-variable in rc.conf we have to
        # check that we are being called from swap2.
        if [ $name = "swap1" ]; then
                return
        fi
        if [ -f $swapfile ]; then
                echo "Configuring cgd over vnd swap."
                eval `stat -L -s $swapfile`
                if [ `echo $st_uid+$st_gid|bc` != 0 ]; then
                        echo "$swapfile MUST be owned by root and group wheel"
                        echo "$swapfile not used as swap."
                        return 1
                else
                        if [ ! -f $swap_disklabel ]; then
                                echo "No $swap_disklabel."
                                echo "$swapfile can not be used as swap."
                                return 1
                        fi
                        if [ $st_mode != "0100600" ]; then
                                echo "$swapfile MUST have permission 600"
                                echo "$swapfile not used as swap."
                                return 1
                        fi
                fi
                vnconfig $vnd_device $swapfile
                cgdconfig $cgd_device /dev/${vnd_device}$RAW_PART $paramsfile
                disklabel -R -r $cgd_device $swap_disklabel
                swapctl -a /dev/${cgd_device}$SWAP_PART
        fi
}

cryptovnd_stop()
{
        if [ $name = "swap2" ]; then
                swapctl -d /dev/${cgd_device}$SWAP_PART
                cgdconfig -u $cgd_device
                vnconfig -u $vnd_device
                swapctl -U -t noblk
        else
                swap1_stop
        fi
}

Some issues and notes

Additional Information

Add a comment