# 25.5 Encrypted Swap Partitions

Like encrypting a data partition, encrypting swap space protects sensitive information. For example, an application that handles passwords keeps them only in physical memory: they are never written to disk and are gone after a reboot. If FreeBSD runs low on memory and starts swapping pages out, however, those passwords may be written to the swap partition in plaintext. Encrypted swap space addresses this issue.

This section demonstrates how to configure an encrypted swap partition using geli. Use the `swapinfo` command to view the current swap partition:

```sh
$ swapinfo
Device          1K-blocks     Used    Avail Capacity
/dev/nda0p2       8388608        0  8388608     0%
```

The output indicates that the current swap partition is **/dev/nda0p2**.

## Configuring Swap Partition Encryption

By default, the swap partition is not encrypted. Before enabling encryption, clear any sensitive data that may already be present in the swap partition. The following command overwrites the current swap partition with random data:

```sh
# dd if=/dev/urandom of=/dev/nda0p2 bs=1m
```

> **Warning**
>
> This command carries risks; please carefully confirm the disk partition before proceeding!

To encrypt the swap partition with geli(8), edit **/etc/fstab** and append the **.eli** suffix to the device name in the existing swap entry. The following example configures an encrypted swap partition using the AES-XTS algorithm with a 256-bit key and a 4096-byte sector size:

```
/dev/nda0p2.eli   none        swap    sw,ealgo=AES-XTS,keylen=256,sectorsize=4096    0       0
```

By default, geli(8) uses the AES-XTS encryption algorithm with a key length of **128 bits**; `keylen=256` can be specified for a larger key. The defaults are sufficient for most needs, but they can be changed through the options field of the **/etc/fstab** entry. The available options are:

| Flag           | Description                                                                                                                                                                                                |
| -------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **aalgo**      | Data integrity verification algorithm used to ensure that encrypted data has not been tampered with. Supports HMAC/SHA1, HMAC/RIPEMD160, HMAC/SHA256, HMAC/SHA384, HMAC/SHA512; HMAC/SHA256 is recommended |
| **ealgo**      | Encryption algorithm used to protect data. Supports AES-XTS, AES-CBC, Camellia-CBC (CBC mode is not recommended for new deployments); the default and recommended algorithm is AES-XTS                     |
| **keylen**     | Key length for the encryption algorithm (in bits)                                                                                                                                                          |
| **sectorsize** | Block size into which data is divided before encryption. A larger sector size improves performance but increases storage overhead. A recommended size is 4096 bytes                                        |

## Verifying the Encrypted Swap Partition

After rebooting the system, you can use `swapinfo` to verify that the encrypted swap partition is functioning correctly.

```sh
$ swapinfo
Device          1K-blocks     Used    Avail Capacity
/dev/nda0p2.eli   8388608        0  8388608     0%
```
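The procedure above has two error-prone manual steps: editing the swap entry in **/etc/fstab** and confirming afterwards that no plain swap device remains. The following POSIX shell helpers, added here as an example and not part of the book, cover both: `convert_fstab_swap` rewrites every plain swap entry of an fstab read from standard input into its `.eli` form (entries already using `.eli` are left alone), and `unencrypted_swap_devices` scans `swapinfo` output and reports any swap device that is not a geli provider. The device names and file contents used are constructed samples; the helpers only read and print, so the destructive `dd` step and the actual edit of **/etc/fstab** remain deliberate manual actions.

```shell
#!/bin/sh
# Added example, not code from the book: helpers for the geli swap procedure.
# Device names, fstab contents and swapinfo output are constructed samples.

# Print an fstab swap entry for DEVICE with geli options appended.
# Usage: geli_swap_line /dev/nda0p2 [keylen] [sectorsize]
geli_swap_line() {
    dev=$1; keylen=${2:-256}; sectorsize=${3:-4096}
    case "$dev" in
        /dev/*.eli) echo "error: $dev is already a geli provider" >&2; return 1 ;;
        /dev/*) ;;
        *) echo "error: $dev is not an absolute device path" >&2; return 1 ;;
    esac
    printf '%s.eli\tnone\tswap\tsw,ealgo=AES-XTS,keylen=%s,sectorsize=%s\t0\t0\n' \
        "$dev" "$keylen" "$sectorsize"
}

# Read an fstab from stdin and write it to stdout with every plain swap
# entry converted to its .eli form.  Comments, blank lines, non-swap
# entries and entries that already use .eli are passed through unchanged.
# Usage: convert_fstab_swap [keylen] [sectorsize] < /etc/fstab
convert_fstab_swap() {
    keylen=${1:-256}; sectorsize=${2:-4096}
    awk -v kl="$keylen" -v ss="$sectorsize" '
        /^[ \t]*#/ || NF < 3 { print; next }
        $3 == "swap" && $1 !~ /\.eli$/ {
            printf "%s.eli\tnone\tswap\tsw,ealgo=AES-XTS,keylen=%s,sectorsize=%s\t0\t0\n",
                   $1, kl, ss
            next
        }
        { print }
    '
}

# Read swapinfo(8) output from stdin; print every swap device that is not
# a geli provider.  Exit status 1 if any was found, 0 if all swap is encrypted.
# Usage: swapinfo | unencrypted_swap_devices
unencrypted_swap_devices() {
    awk 'NR > 1 && $1 ~ /^\/dev\// && $1 !~ /\.eli$/ { print $1; found = 1 }
         END { if (found) exit 1; exit 0 }'
}

# Stand-alone demonstration on constructed input.
if [ "${0##*/}" = "geli_swap_helpers.sh" ]; then
    printf '%s\n' '/dev/nda0p1 / ufs rw 1 1' '/dev/nda0p2 none swap sw 0 0' |
        convert_fstab_swap
    printf '%s\n' 'Device 1K-blocks Used Avail Capacity' \
        '/dev/nda0p2 8388608 0 8388608 0%' |
        unencrypted_swap_devices || echo "unencrypted swap present"
fi
```

A practical way to use these is `convert_fstab_swap < /etc/fstab > /tmp/fstab.new`, reviewing the diff against **/etc/fstab** before installing it, and after the reboot `swapinfo | unencrypted_swap_devices`, which prints nothing and exits 0 once every swap device carries the `.eli` suffix.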
