Wednesday, December 21, 2011

Encrypted Flash Swap Partition

Flash swap can improve performance on systems with low memory, and it's pretty cheap.  My laptop has 4GB of memory, but I run a lot of applications and browser tabs, so I still end up swapping.  Using flash for swap doesn't make much if any difference while you're using a single application, but I do notice a significant speedup when switching to other applications that have been swapped out.  I'm running Ubuntu 10.04 with an encrypted home directory, which also encrypts the swap partition, so I want my new flash swap encrypted as well.  I'm using a Verbatim Stay 'n Store 4GB drive ($9 at Amazon), which has a very small physical footprint, so I can just leave it in all the time.

The first step is to set up a swap partition on your flash drive.  Try to pick the USB port where the drive is least likely to get dislodged.  Insert the drive, and Linux should automatically recognize it and mount it.  You can use
user@laptop:~$ mount
to see what drives are mounted.  The newly added USB drive should be the last one.  For example, mine looked like this:
/dev/sdc1 on /media/VERBATIM type vfat (rw,nosuid,nodev,uhelper=udisks,uid=1000,gid=1000,shortname=mixed,dmask=0077,utf8=1,flush)
In order to create a swap partition, you need to unmount the drive's partition first:
user@laptop:~$ umount /dev/sdc1
Then create the swap partition (this overwrites the existing vfat filesystem, so make sure the device name is the flash drive's):
user@laptop:~$ sudo mkswap /dev/sdc1
Then enable it with a high priority (so it gets used ahead of the hard disk swap partition):
user@laptop:~$ sudo swapon -p 32767 /dev/sdc1
You can see that it has been added to the list of available swap partitions (cryptswap1 is the pre-existing hard disk encrypted swap partition):
user@laptop:~$ cat /proc/swaps
Filename Type Size Used Priority
/dev/mapper/cryptswap1                  partition 1949688 0 -1
/dev/sdc1                               partition 3875832 0 32767
Note, if you did not install with the encrypted home directory option, you might need to install the crypto utilities:
user@laptop:~$ sudo apt-get install cryptsetup ecryptfs-utils
Now to encrypt the new swap partition:
user@laptop:~$ sudo ecryptfs-setup-swap
WARNING: [/dev/mapper/cryptswap1] already appears to be encrypted, skipping.
WARNING:
An encrypted swap is required to help ensure that encrypted files are not leaked to disk in an unencrypted format.
HOWEVER, THE SWAP ENCRYPTION CONFIGURATION PRODUCED BY THIS PROGRAM WILL BREAK HIBERNATE/RESUME ON THIS SYSTEM!
NOTE: Your suspend/resume capabilities will not be affected.
Do you want to proceed with encrypting your swap? [y/N]: y
INFO: Setting up swap: [/dev/sdc1]
* Stopping remaining crypto disks...                                          
* cryptswap1 (busy)...                                                        
* cryptswap2 (stopped)...                                               [ OK ]
* Starting remaining crypto disks...                                          
* cryptswap1 (running)...                                                    
* cryptswap2 (starting)..
* cryptswap2 (started)...                                               [ OK ] 
Now your /proc/swaps looks different:
user@laptop:~$ cat /proc/swaps
Filename Type Size Used Priority
/dev/mapper/cryptswap1                  partition 1949688 0 -1
/dev/mapper/cryptswap2                  partition 3875832 0 -2
Also an entry has been added to fstab:
user@laptop:~$ grep cryptswap /etc/fstab
/dev/mapper/cryptswap1 none swap sw 0 0
/dev/mapper/cryptswap2 none swap sw 0 0
Notice that it did not preserve the priority setting. You can fix this for your current session by doing:
user@laptop:~$ sudo swapoff /dev/mapper/cryptswap2
user@laptop:~$ sudo swapon -p 32767 /dev/mapper/cryptswap2
user@laptop:~$ cat /proc/swaps
Filename Type Size Used Priority
/dev/mapper/cryptswap1                  partition 1949688 0 -1
/dev/mapper/cryptswap2                  partition 3875832 0 32767
And fix it from your next reboot onward by changing the cryptswap2 entry in /etc/fstab to:
/dev/mapper/cryptswap2 none swap sw,pri=32767 0 0
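
A check for the two things this procedure can leave wrong: a swap area that is still a raw, unencrypted device (as /dev/sdc1 is between the swapon and ecryptfs-setup-swap steps above), and an fstab entry without its priority. This is an added example, not part of the original post; the function names are hypothetical and the sample input is taken from the listings above.

```shell
#!/bin/sh
# Added example, not from the original post. Both functions read stdin.
# Assumption: encrypted swap is named /dev/mapper/cryptswapN, as created by
# ecryptfs-setup-swap on this page; any other swap area counts as plaintext.

# audit_swaps < /proc/swaps
# Prints "ENCRYPTED|PLAINTEXT <name> pri=<n>" per swap area and returns 1
# if any plaintext swap area is active.
audit_swaps() {
    awk 'NR > 1 && NF >= 5 {
        ok = ($1 ~ /^\/dev\/mapper\/cryptswap[0-9]+$/)
        if (!ok) bad = 1
        printf "%s %s pri=%s\n", (ok ? "ENCRYPTED" : "PLAINTEXT"), $1, $5
    }
    END { exit bad + 0 }'
}

# fstab_swap_pri DEVICE < /etc/fstab
# Prints the pri= value of DEVICE's swap entry, or "unset" if it has none.
fstab_swap_pri() {
    awk -v dev="$1" '$1 == dev && $3 == "swap" {
        pri = "unset"
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] ~ /^pri=/) pri = substr(opts[i], 5)
        print pri
    }'
}

# Sample: /proc/swaps from this page after "swapon -p 32767 /dev/sdc1",
# before ecryptfs-setup-swap has run (whitespace condensed).
sample_swaps_before() {
    printf '%s\n' 'Filename Type Size Used Priority' \
        '/dev/mapper/cryptswap1 partition 1949688 0 -1' \
        '/dev/sdc1 partition 3875832 0 32767'
}

# Sample: the fstab lines ecryptfs-setup-swap wrote on this page.
sample_fstab() {
    printf '%s\n' '/dev/mapper/cryptswap1 none swap sw 0 0' \
        '/dev/mapper/cryptswap2 none swap sw 0 0'
}

sample_swaps_before | audit_swaps || echo "unencrypted swap is active"
echo "cryptswap2 fstab priority: $(sample_fstab | fstab_swap_pri /dev/mapper/cryptswap2)"
```

On a live system, run `audit_swaps < /proc/swaps` and `fstab_swap_pri /dev/mapper/cryptswap2 < /etc/fstab`.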

