Setting up an encrypted swap disk

Applies to: 6.10; LPAR mode, z/VM guest, KVM guest

You can use a volatile protected key generated by the pkey device driver to encrypt a swap disk.

About this task

Because the contents of a swap disk do not need to survive a reboot, a volatile encryption key is sufficient. The pkey device driver can generate volatile protected keys or secure keys from random data.

Important: Use a protected key based on random data only where the key is not needed after a reboot. A protected key is bound to the running system, and a key that was generated from random data cannot be regenerated elsewhere, so the swap data becomes unreadable after any of the following. In particular, do not use such a key in a guest that might be subject to:
  • KVM guest migration
  • z/VM® live guest relocation in a single system image (SSI)
Also, do not use such a key in any Linux® instance that might be subject to:
  • Suspend and resume

Procedure

  1. Add an entry to /etc/crypttab. To encrypt the swap device using a protected key, the entry must point to one of the sysfs attributes within the protkey directory. Use the attribute for the required key type (see Generating volatile protected keys by using the pkey device driver).
    For example:
    # <name>   <device>     <password>                                                   <options>
      swap     /dev/dasdx   /sys/devices/virtual/misc/pkey/protkey/protkey_aes_256_xts   swap,cipher=paes-xts-plain64,size=1280
    The entry is a single line; the size option gives the key size in bits, and 1280 bits covers the two 80-byte protected key tokens that the protkey_aes_256_xts attribute returns. The cipher must be a paes cipher, because only the protected key AES implementation can use a protected key token.
    The swap option causes an mkswap to be performed after the dm-crypt device is set up.
    Tip: Consider adding the sector-size=4096 option to increase the performance of dm-crypt encrypted disks with large block sizes.
  2. Add an entry to /etc/fstab to use the device-mapper device /dev/mapper/swap as the swap device:
    For example:
    <filesystem>      <dir>      <type>      <options>      <dump>       <pass>
    /dev/mapper/swap  none       swap        defaults       0            0
  3. Ensure that the pkey kernel module is loaded during system startup before /etc/crypttab is evaluated.
    If your distribution uses systemd, check that a configuration file such as pkey.conf is in the /etc/modules-load.d/ directory. The configuration file must contain:
    pkey

    A module listed in /etc/modules-load.d/ is loaded early during startup, before the swap device is set up from /etc/crypttab.
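The three steps above can be checked for consistency before a reboot. The following preflight script is an added example; it is not IBM's code and not part of the pkey driver. It parses the crypttab entry, verifies that the key source is a protkey attribute, that the cipher is a paes cipher and that size= matches the 160 bytes the protkey_aes_256_xts attribute delivers (the only attribute size this page documents), then checks the fstab entry and the modules-load.d file. The mapping name (swap) and the file paths are assumptions passed in as arguments, so the checks can also run against copies of the files.

```shell
#!/bin/sh
# Preflight check for a pkey-encrypted swap disk. Added example, not part of
# the IBM documentation or the pkey driver. Usage on the live system:
#   sh check_pkey_swap.sh swap
# File paths are function arguments so the checks also work on file copies.

PKEY_PROTKEY_DIR=/sys/devices/virtual/misc/pkey/protkey

# Number of bytes the named protkey sysfs attribute delivers. Only the
# attribute documented above is listed: protkey_aes_256_xts returns two
# 80-byte protected key tokens, 160 bytes, so crypttab needs size=1280 (bits).
protkey_attr_bytes() {
    case "$1" in
        protkey_aes_256_xts) echo 160 ;;
        *) echo "unknown protkey attribute: $1" >&2; return 1 ;;
    esac
}

# check_crypttab_entry NAME FILE
# Returns 0 when FILE has a usable entry for mapping NAME, 1 otherwise.
check_crypttab_entry() {
    name=$1; file=$2
    # First non-comment line whose first field is NAME. crypttab entries are
    # single lines; a trailing backslash is not a continuation there.
    line=$(grep -v '^[[:space:]]*#' "$file" | awk -v n="$name" '$1 == n { print; exit }')
    if [ -z "$line" ]; then
        echo "crypttab: no entry for $name" >&2; return 1
    fi
    set -- $line
    keyfile=$3; options=$4

    # The key source must be a protkey attribute of the pkey driver, not a
    # passphrase or an ordinary key file on disk.
    case "$keyfile" in
        "$PKEY_PROTKEY_DIR"/*) ;;
        *) echo "crypttab: $name key source $keyfile is not a pkey protkey attribute" >&2; return 1 ;;
    esac
    bytes=$(protkey_attr_bytes "${keyfile##*/}") || return 1

    cipher=''; size=''; has_swap=0
    old_ifs=$IFS; IFS=','
    for opt in $options; do
        case "$opt" in
            cipher=*) cipher=${opt#cipher=} ;;
            size=*)   size=${opt#size=} ;;
            swap)     has_swap=1 ;;
        esac
    done
    IFS=$old_ifs

    # A protected key token is only understood by the paes cipher family;
    # plain aes-* would treat the token bytes as a raw key.
    case "$cipher" in
        paes-*) ;;
        *) echo "crypttab: $name cipher '$cipher' is not a paes cipher" >&2; return 1 ;;
    esac
    # size= is in bits and must cover the whole token the attribute returns.
    if [ "$size" != "$((bytes * 8))" ]; then
        echo "crypttab: $name size=$size, expected $((bytes * 8)) for ${keyfile##*/}" >&2; return 1
    fi
    if [ "$has_swap" -ne 1 ]; then
        echo "crypttab: $name lacks the swap option, so mkswap will not run on the mapped device" >&2; return 1
    fi
    # On a system with the pkey driver loaded, confirm the attribute really
    # delivers that many bytes. Each read generates a fresh random key; the
    # throwaway key read here does not affect an already-opened mapping.
    if [ -r "$keyfile" ]; then
        actual=$(wc -c < "$keyfile" | tr -d ' ')
        if [ "$actual" -ne "$bytes" ]; then
            echo "crypttab: $keyfile returned $actual bytes, expected $bytes" >&2; return 1
        fi
    fi
    return 0
}

# check_fstab_entry NAME FILE
# Returns 0 when FILE lists /dev/mapper/NAME as a swap device.
check_fstab_entry() {
    grep -v '^[[:space:]]*#' "$2" \
        | awk -v dev="/dev/mapper/$1" '$1 == dev && $2 == "none" && $3 == "swap" { found = 1 } END { exit !found }'
}

# check_pkey_autoload DIR
# Returns 0 when some *.conf in DIR (normally /etc/modules-load.d) names pkey,
# so the module is loaded before crypttab is processed.
check_pkey_autoload() {
    grep -qsx '[[:space:]]*pkey[[:space:]]*' "$1"/*.conf
}

# Run against the live system when a mapping name is given on the command line.
if [ $# -gt 0 ]; then
    check_crypttab_entry "$1" /etc/crypttab \
        && check_fstab_entry "$1" /etc/fstab \
        && check_pkey_autoload /etc/modules-load.d \
        && echo "encrypted swap mapping '$1' is consistently configured"
fi
```

Run it after editing the three files and before rebooting; a wrong size= or a plain aes-xts cipher is reported on stderr instead of surfacing as a failed swapon at the next IPL. The sysfs byte-count check is skipped when the attribute is not present (for example on a build host), which is why the size table in protkey_attr_bytes exists at all.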

Results

During system startup, /etc/crypttab is evaluated, and a dm-crypt device is set up in plain mode as a swap device, using protected key AES in XTS cipher mode. The random protected AES key is read from /sys/devices/virtual/misc/pkey/protkey/protkey_aes_256_xts. It consists of two 80-byte protected key tokens, 160 bytes or 1280 bits, which is the value given by the size option in /etc/crypttab.

Linux now runs with a swap device that is encrypted with a protected key.