Things change over time. The latest question I found on this topic was from 2014 and appears to refer to 14.04. We are running 18.04 server. What is the current way to set up swap encryption? Is the preferred process still the same?

The requirements are, on boot clear swap, create a key and enable encryption of swap. On shutdown/reboot, forget key.

The documentation I am being pointed to is for desktops/laptops and is focused on hibernation; it forces you to provide a password on boot and so is not a suitable option for servers.

In the comments below I have had the following suggested:

  • ecryptfs-setup-swap
  • cryptsetup

If we add other currently unknown options to this list, which is the preferred method? I expect this server to last ~5 years. Is one better than another? How?

The two main approaches for encrypting swap as of Bionic 18.04 are to use cryptsetup/LUKS or ecrypt* tools.

According to Will Cook of Canonical (techradar.com/news/ubuntu-bionic-beaver-1804-lts-has-landed/6), the ecrypt set of tools was moved from main to universe with the release of 18.04. The reasons for this were that the tools were not receiving the level of development and support from the developers that they once were, and so they were slowly losing quality and value. Essentially Canonical doesn't have confidence in these tools over the long term and, unless something changes, it is safe to say that they are not to be preferred.

As pointed out, the cryptsetup/LUKS tools are in current documentation, albeit for a different use case. They are also in the main line of the repository, which according to the techradar article linked above, makes them first class citizens in the Ubuntu ecosystem.

LUKS is a kernel-based encryption scheme. Generally, things that are moved into the kernel are considered the first choice simply because of the long-term and considered support. There are many, many user-space projects that are replaced by kernel-based facilities. At the same time, kernel-based facilities tend to be replaced rather than simply dying on the tree. ipchains was an example. It was an early kernel-based firewall. It was replaced by iptables/Netfilter.

Cheers Paul
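The answer above names cryptsetup as the preferred tool but does not show what the resulting configuration looks like. The following is an added example (my own, not part of Paul's answer or the Ubuntu documentation) of the cryptsetup-based setup that meets the requirements in the question: a fresh key is drawn from /dev/urandom at every boot, the mapping is re-created with mkswap, and the key exists only in kernel memory, so it is gone after shutdown or reboot. The device path under /dev/disk/by-id/ is a placeholder assumption; substitute the real swap partition. The audit function is also an addition: it rejects the classic mistake of pointing a random-key swap entry at a renumberable /dev/sdX name, which can format the wrong partition after a disk is added or removed.

```shell
#!/bin/sh
# Added example (not from the original answer): generate and audit the
# /etc/crypttab and /etc/fstab entries for a random-key encrypted swap
# device with cryptsetup on an Ubuntu 18.04 server.
# The /dev/disk/by-id/... path below is a placeholder assumption.

# Emit a crypttab entry that maps DEVICE to /dev/mapper/NAME with a key
# read from /dev/urandom at every boot. The "swap" option makes cryptsetup
# run mkswap on the mapping after it is opened, which clears the old
# contents on boot; the key is never written to disk, so nothing survives
# a shutdown or reboot.
crypttab_line() {
    name="$1"
    device="$2"
    printf '%s %s /dev/urandom swap,cipher=aes-xts-plain64,size=256\n' \
        "$name" "$device"
}

# Emit the matching fstab entry so the mapped device is used as swap.
fstab_line() {
    name="$1"
    printf '/dev/mapper/%s none swap sw 0 0\n' "$name"
}

# Audit one crypttab line: succeed (return 0) only when
#   - it has the four crypttab fields,
#   - the source is a stable /dev/disk/... path rather than /dev/sdX,
#   - the key source is /dev/urandom (random per-boot key), and
#   - the "swap" option is present (mapping is re-created with mkswap).
crypttab_swap_ok() {
    line="$1"
    # Split the line into its whitespace-separated fields.
    set -- $line
    [ "$#" -eq 4 ] || return 1
    case "$2" in
        /dev/disk/*) ;;
        *) return 1 ;;
    esac
    [ "$3" = "/dev/urandom" ] || return 1
    case ",$4," in
        *,swap,*) ;;
        *) return 1 ;;
    esac
    return 0
}

# Usage with the assumed placeholder device (replace with the real one):
SWAP_DEV=/dev/disk/by-id/ata-DISK_SERIAL-part2
crypttab_line cryptswap "$SWAP_DEV"   # line for /etc/crypttab
fstab_line cryptswap                   # line for /etc/fstab
```

Before enabling the entries, disable and wipe the existing swap (swapoff, then remove any old signature with wipefs) so the random-key mapping starts from a clean device, and run the audit function over each swap line in /etc/crypttab after every disk change. The size=256 option gives a 256-bit XTS key (AES-128-XTS); use size=512 for AES-256-XTS.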