I have what I think is a quick question: Is running ecryptfs-setup-swap on a system that didn't have home-directory or swap encryption enabled when it was installed persistent? The man page at http://manpages.ubuntu.com/manpages/precise/man1/ecryptfs-setup-swap.1.html states that ecryptfs-setup-swap "will detect existing swap partitions or swap files, and encrypt them, using cryptsetup." I don't understand whether ecryptfs-setup-swap needs to be run every time the system is booted, or if it just needs to be run once to make a permanent change to how swap space is handled by the system. If the change is permanent, is it permanent for all users on the system, or just the one that runs ecryptfs-setup-swap (I may be confused about how swap space works in general, I realize)?
To be clear, I do understand that I also need to run ecryptfs-migrate-home on the system to encrypt the home directory for my user account, and that that change will be persistent. I'm just confused about how swap space is handled.
I would appreciate any information to help me understand better! Thank you!
P.S. A tutorial at http://bodhizazen.com/Tutorials/Ecryptfs states that after using ecryptfs-setup-swap, "a new entry for your encrypted swap is automatically generated in /etc/fstab, but unfortunately as of this writing, the old entry is not removed and you must remove it manually (or suffer error messages when you boot)." Is that still true?
Full disclosure: I have also posted this question at https://superuser.com/questions/576097/is-ecryptfs-setup-swap-persistent. Once the question is answered either here or there, I will take down the unanswered instance.
Best Answer
Running ecryptfs-setup-swap makes permanent changes to /etc/fstab and /etc/crypttab that ensure your swap space is encrypted at every boot. A random key is generated and used to encrypt swap at each boot.
The only exception to the above occurs if you add new swap files or swap partitions after you've run ecryptfs-setup-swap, as it only operates on the swap space present at that time.
Full disclosure: I'm the author and maintainer of eCryptfs and ecryptfs-setup-swap.
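An added example, not part of the original answer and not code from eCryptfs: a shell check for the two cases raised above, swap added after the tool was run and a leftover unencrypted entry in /etc/fstab. The function names and the sample fstab and crypttab contents are constructed for illustration; on a real system, call `audit_swap /etc/fstab /etc/crypttab`.

```shell
#!/bin/sh
# Added example: report which fstab swap entries are random-key encrypted.

# Succeeds if mapping $1 is listed in crypttab $2 with a random key source
# (/dev/urandom or /dev/random) and the "swap" option.
is_random_key_swap() {
    awk -v name="$1" '
        $1 ~ /^#/ || NF < 4 { next }
        $1 == name && $3 ~ /^\/dev\/u?random$/ && ("," $4 ",") ~ /,swap,/ { ok = 1 }
        END { exit (ok ? 0 : 1) }
    ' "$2"
}

# audit_swap FSTAB CRYPTTAB: prints one line per swap entry and returns the
# number of entries that are not backed by a random-key dm-crypt mapping.
audit_swap() {
    fstab=$1; crypttab=$2; plain=0
    for dev in $(awk '$1 !~ /^#/ && $3 == "swap" { print $1 }' "$fstab"); do
        case $dev in
            /dev/mapper/*)
                if is_random_key_swap "${dev#/dev/mapper/}" "$crypttab"; then
                    echo "ENCRYPTED $dev"; continue
                fi ;;
        esac
        echo "PLAINTEXT $dev"
        plain=$((plain + 1))
    done
    return "$plain"
}

# Constructed sample files (not from a real system): a leftover plain entry
# for /dev/sda5 and a swap file added after the encrypted mapping was set up.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/fstab" <<'EOF'
UUID=1111-aaaa          /     ext4  errors=remount-ro  0 1
/dev/sda5               none  swap  sw  0 0
/dev/mapper/cryptswap1  none  swap  sw  0 0
/swapfile2              none  swap  sw  0 0
EOF
    echo 'cryptswap1 /dev/sda5 /dev/urandom swap,cipher=aes-cbc-essiv:sha256' > "$dir/crypttab"
    rc=0; audit_swap "$dir/fstab" "$dir/crypttab" || rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo || echo "$? swap entries are not encrypted"
```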