Setting up an encrypted swap disk

7.1 LPAR mode z/VM guest KVM guest

You can use a volatile protected key generated by the pkey device driver to encrypt a swap disk.

About this task

Because swap disks are discarded on reboot, volatile encryption keys are an option. You can generate volatile protected keys or secure keys from random data.

Important: Use a protected key based on random data for cases where the key is not needed after a reboot. In particular, do not use such a key in a guest that might be subject to:
  • KVM guest migration
  • z/VM® live guest relocation in a single system image (SSI)
Also, do not use such a key in any Linux® instance that might be subject to:
  • Suspend and resume

Procedure

  1. Add an entry to /etc/crypttab. To encrypt the swap device using a protected key, the entry must point to one of the sysfs attributes within the protkey directory. Use the attribute for the required key type (see Generating volatile protected keys by using the pkey device driver).
    For example:
    # <name>   <device>     <password>                                           <options>
      swap     /dev/dasdx   /sys/devices/virtual/misc/pkey/protkey/protkey_aes_256_xts   swap,\
                                                       cipher=paes-xts-plain64,size=1280
    The swap option causes an mkswap to be performed after the dm-crypt device is set up.
    Tip: Consider adding the sector-size=4096 option to increase the performance of dm-crypt encrypted disks with large block sizes.
  2. Add an entry to /etc/fstab to use the device-mapper device swap as swap device:
    For example:
    <filesystem>      <dir>      <type>      <options>      <dump>       <pass>
    /dev/mapper/swap  none       swap        defaults       0            0
  3. Normally, the pkey modules are loaded automatically. If you use an encrypted root file system, you might need to add the pkey modules to your kernel module configuration.
    If your distribution uses systemd, check that a configuration file such as pkey.conf is in the /etc/modules-load.d/ directory. Any pkey modules that you want to use must be contained in the configuration file, for example:
    pkey
    pkey_cca
    pkey_pckmo
    pkey_ep11
    pkey_uv
    The pkey modules are:
    • pkey, the base kernel module.
    • pkey_cca for supporting protected keys derived from CCA secure keys.
    • pkey_ep11 for supporting protected keys derived from EP11 secure keys.
    • pkey_pckmo for deriving protected keys from a clear key.
    • Secure execution environment only: pkey_uv for protected key support through the ultravisor.

    The /etc/modules-load.d/, causes the modules to be loaded early during startup, before the swap disk is initiated.

Results

During system startup, /etc/crypttab is evaluated, and a dm-crypt device is set up in plain mode as a swap device, using protected key AES in XTS cipher mode. The random protected AES key is read from /sys/devices/virtual/misc/pkey/protkey/protkey_aes_256_xts. Its size is 2x80 bytes, which is 1280 bits.

Linux now runs with a swap device that is encrypted with a protected key.