THIS PAGE NEEDS AN UPDATE BECAUSE netbsd-10 vm.swap_encrypt=1, the default on most platforms today, obsoletes swapping to cgd
Summary
It's getting more and more popular to use encrypted swap. This is, however, not a trivial task with swap over NFS. Swap over NFS is supported like this:
server:/usr/swapfile none swap sw,-w=8192,nfsmntpt=/swap 0 0
But this can not be encrypted. We will however cheat and use a vnd(4) on an NFS share.
This is how I did it on my Jornada 680 running 3.99.15.
Things needed
A kernel with both vnd(4) and cgd(4) support.
Creation
Making the swapspace
First we need to create the swapfile to be used. It's important that the swapfile is in a directory that is mounted when /etc/rc.d/swap2 runs. Either add the directory to $critical_filesystems_remote, or just put it in /usr.
Now run:
# dd if=/dev/zero of=/usr/swapfile bs=1m count=64
This will create a 64MB swapfile. Make sure it has the right permissions and owner.
# chown root:wheel /usr/swapfile
# chmod 600 /usr/swapfile
Configuring the swapspace the first time
Now we just have to configure it so the system can use it.
Configure the paramsfile for cgd(4).
# cgdconfig -g -o /etc/cgd/swapfile -V none -k randomkey blowfish-cbc
Now we can configure the device.
# vnconfig vnd0 /usr/swapfile
# cgdconfig cgd0 /dev/vnd0c /etc/cgd/swapfile
Replace /dev/vnd0c with /dev/vnd0d if necessary.
Disklabel the cgd with disklabel -I -e cgd0; it should look something like this.
# /dev/rcgd0c:
type: cgd
disk: cgd
label: default label
flags:
bytes/sector: 512
sectors/track: 2048
tracks/cylinder: 1
sectors/cylinder: 2048
cylinders: 64
total sectors: 131072
rpm: 3600
interleave: 1
trackskew: 0
cylinderskew: 0
headswitch: 0           # microseconds
track-to-track seek: 0  # microseconds
drivedata: 0 
3 partitions:
#        size    offset     fstype [fsize bsize cpg/sgs]
 c:    131072         0       swap                     # (Cyl.      0 -     63)
Note: Depending on which architecture you use, you may need a different layout.
Like this on an i386:
 a:    131072         0       swap                     # (Cyl.      0 -    63)
 d:    131072         0     unused      0     0        # (Cyl.      0 -    63)
Which layout you need depends on which partition your architecture uses as the raw partition. If unsure, check with:
# sysctl kern.rawpartition
kern.rawpartition=3
Back it up so it can be used later.
# disklabel cgd0 > /etc/cgd/swapfile.disklabel
Use it (finally).
# swapctl -a /dev/cgd0c
Now you have working encrypted swap over NFS. To check its status:
# swapctl -l
Device      512-blocks     Used    Avail Capacity  Priority
/dev/cgd0c      131072     9696   121376     7%    0
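As an added example (not from the original page), the following POSIX sh script derives the partition letters used in the disklabel step above from the number printed by sysctl kern.rawpartition and prints the partition block for disklabel -e for a swapfile of a given size in MB. The function names and the layout rule (swap on c when c is the raw partition, otherwise swap on a with the raw partition listed as unused, as in the two labels shown above) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page. Derives the disklabel layout
# for the cgd swap device from the raw partition number that
# `sysctl kern.rawpartition` prints (0 = a, 1 = b, 2 = c, 3 = d).
# Assumed layout rule, taken from the two labels shown on the page: if the
# raw partition is c, swap lives on c; otherwise swap lives on a and the raw
# partition is listed as unused. Geometry matches the label on the page:
# 512-byte sectors, 2048 sectors per cylinder.

# Map the 0-based number from kern.rawpartition to a partition letter.
rawpart_letter() {
        case "$1" in
        0) echo a ;;
        1) echo b ;;
        2) echo c ;;
        3) echo d ;;
        *) echo "unsupported raw partition number: $1" >&2; return 1 ;;
        esac
}

# Partition letter that carries fstype "swap" for a given raw partition letter.
swap_part_for() {
        if [ "$1" = c ]; then echo c; else echo a; fi
}

# Print the "N partitions:" block for disklabel -e.
# $1 = swapfile size in MB (the dd count with bs=1m), $2 = kern.rawpartition.
gen_swap_label() {
        raw=$(rawpart_letter "$2") || return 1
        swp=$(swap_part_for "$raw")
        sectors=$(($1 * 2048))          # 1 MB = 2048 sectors of 512 bytes
        lastcyl=$((sectors / 2048 - 1)) # 2048 sectors per cylinder
        # disklabel counts partitions up to the highest letter in use,
        # which is always the raw partition in this layout.
        echo "$(($2 + 1)) partitions:"
        echo "#        size    offset     fstype [fsize bsize cpg/sgs]"
        printf ' %s: %9d %9d %10s                     # (Cyl.      0 - %6d)\n' \
                "$swp" "$sectors" 0 swap "$lastcyl"
        if [ "$raw" != "$swp" ]; then
                printf ' %s: %9d %9d %10s %6d %5d        # (Cyl.      0 - %6d)\n' \
                        "$raw" "$sectors" 0 unused 0 0 "$lastcyl"
        fi
}

# On the target host: gen_swap_label 64 "$(sysctl -n kern.rawpartition)"
if [ $# -eq 2 ]; then
        gen_swap_label "$1" "$2"
fi
```

Paste the printed block over the partition table when editing the label with disklabel -I -e cgd0.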
Use the swapspace at every reboot
Using this swapspace automatically at every reboot is a little tricky since it can not be put in /etc/fstab, but it can be done in another way. And I have already done the work for you.
Check that the variables make sense on your system, e.g. that you used vnd0 and cgd0 and that RAW_PART is right for your architecture. Create the file /etc/rc.conf.d/swap containing the following.
# Initialize cgd over vnd swap, suitable for nfs-swap.
#
# Note: We can NOT put this swapfile in /etc/fstab, this is why
# this is relatively complicated.
#
# If this is the only swapspace you have configured then you can set
# no_swap=YES in rc.conf, otherwise the system will complain every boot.
#
# IMPORTANT:
# $swapfile has to be in $critical_filesystems_remote. /usr is by default
#
vnd_device="vnd0"
cgd_device="cgd0"
swapfile="/usr/swapfile"
paramsfile="/etc/cgd/swapfile"
swap_disklabel="/etc/cgd/swapfile.disklabel"
RAW_PART="c"                    # <- change to suit your arch
SWAP_PART="c"                   # <- change to same as the disklabel
start_postcmd="cryptovnd_swap"
stop_cmd="cryptovnd_stop"       # Note: We have to override stop_cmd
cryptovnd_swap()
{
        # Both /etc/rc.d/swap1 and /etc/rc.d/swap2 load this file (they share
        # the "swap" rc.conf.d name), so only act when called from swap2.
        if [ "$name" = "swap1" ]; then
                return
        fi
        if [ -f "$swapfile" ]; then
                echo "Configuring cgd over vnd swap."
                # stat -s prints st_uid, st_gid, st_mode, ... as shell assignments.
                eval `stat -L -s "$swapfile"`
                if [ "$st_uid" -ne 0 ] || [ "$st_gid" -ne 0 ]; then
                        echo "$swapfile MUST be owned by root and group wheel"
                        echo "$swapfile not used as swap."
                        return 1
                fi
                if [ ! -f "$swap_disklabel" ]; then
                        echo "No $swap_disklabel."
                        echo "$swapfile can not be used as swap."
                        return 1
                fi
                # Regular file with mode 600 (stat -s prints the mode in octal).
                if [ "$st_mode" != "0100600" ]; then
                        echo "$swapfile MUST have permission 600"
                        echo "$swapfile not used as swap."
                        return 1
                fi
                vnconfig "$vnd_device" "$swapfile"
                cgdconfig "$cgd_device" "/dev/${vnd_device}$RAW_PART" "$paramsfile"
                # Restore the saved label: the cgd is re-keyed on every boot, so
                # the label written at setup time is no longer readable.
                disklabel -R -r "$cgd_device" "$swap_disklabel"
                swapctl -a "/dev/${cgd_device}$SWAP_PART"
        fi
}
cryptovnd_stop()
{
        if [ "$name" = "swap2" ]; then
                swapctl -d "/dev/${cgd_device}$SWAP_PART"
                cgdconfig -u "$cgd_device"
                vnconfig -u "$vnd_device"
                # What /etc/rc.d/swap2 would otherwise do on stop.
                swapctl -U -t noblk
        else
                # swap1_stop is defined by /etc/rc.d/swap1 itself.
                swap1_stop
        fi
}
Some issues and notes
- Do not include this cgd in /etc/cgd/cgd.conf
- It could happen that there isn't enough entropy in the kernel to initialize the swap partition. If so, you can add your NIC to the entropy pool in /etc/rc.conf with /sbin/rndctl -ced ne0 if you have a ne(4) NIC.
- If this is the only swapspace configured, set the variable no_swap=YES in /etc/rc.conf or the system will complain every boot.
 
Additional Information
- vnconfig(8) Manpage
- cgdconfig(8) Manpage
- swapctl(8) Manpage
- disklabel(8) Manpage
 
