
Things change over time. The latest question I found on this topic was from 2014 and appears to refer to 14.04. We are running 18.04 server. What is the current way to set up swap encryption? Is the preferred process still the same?

The requirements are, on boot clear swap, create a key and enable encryption of swap. On shutdown/reboot, forget key.

The documentation I am being pointed to is for desktop/laptops and is focused on hibernation and forces you to provide a password on boot and so is not a suitable option for servers.

In the comments below, the following have been suggested to me:

  • ecryptfs-setup-swap
  • cryptsetup

If we add other currently unknown options to this list, which is the preferred method? I expect this server to last ~5 years. Is one better than another? How?

  • The issue I am addressing is that things change over time. That question was asked about 4 years ago and so is not reliable information unless someone tells me that this is still the way - hence the question. – Paul Chubb Oct 11 '18 at 00:46
  • That's the thing. Unless you have tried it and it hasn't worked, how will you know that it's not up to date? If no one has updated the answer, then there's a very high likelihood that it still works. If it doesn't work, then by all means open a question, otherwise this is actually a duplicate. – tudor -Reinstate Monica- Oct 11 '18 at 00:48
  • If I was doing disk/home encryption I could use ecryptfs and ecrypt, which were the recommended way to do this stuff back about 2 years ago. Now Canonical have been clear that they are deprecating that approach in favour of LUKS and whole disk encryption. Both ecrypt and ecryptfs still work. Hence the question. Just because it is up here doesn't mean that it is the preferred way of doing things. – Paul Chubb Oct 11 '18 at 00:53
  • You may wish to rephrase your question, then, and include a reference to the Canonical statement that makes you question the existing answers. Canonical's own help system's answer is fundamentally the same approach: https://help.ubuntu.com/community/EnableHibernateWithEncryptedSwap#How_to_Set_Up_Encrypted_Swap_with_a_Fixed_Key – tudor -Reinstate Monica- Oct 11 '18 at 00:57
  • That is referring to encrypted swap and hibernation. Servers don't hibernate and you don't want to hand them passwords on boot. I have updated the question. The reference was to the interview here: https://www.techradar.com/news/ubuntu-bionic-beaver-1804-lts-has-landed/6 and is in reference to ecrypt and ecryptfs vs LUKS. Personally I always ask and try to find out on technology answers from four years ago. – Paul Chubb Oct 11 '18 at 01:09
  • Yep, I'd start with that, then. "According to ..... the process for encrypting swap is now deprecated......" That gives you a justification for the question and makes it on-topic and not a duplicate. Otherwise it gives the impression it's a "just checking in" question which is discouraged. – tudor -Reinstate Monica- Oct 11 '18 at 01:14
  • Have you looked into using the ecryptfs-setup-swap command to make the encrypted swap file for the system? http://manpages.ubuntu.com/manpages/cosmic/man1/ecryptfs-setup-swap.1.html I just did one as a test and it was extremely easy to setup with an existing swap. – Terrance Oct 11 '18 at 02:31
  • Thanks Terrance, is that the preferred method, i.e. the one that is going to be standard for a long time? – Paul Chubb Oct 11 '18 at 03:23
  • Anything in LTS releases will be supported for 5 years. I think the only way you're going to get any closer to the crystal-ball answer to your question is to pay Canonical for support and ask them directly. AskUbuntu is not a Canonical product, it's a community of Ubuntu users. – tudor -Reinstate Monica- Oct 11 '18 at 03:26
  • I think it has been a useful discussion. I certainly know which way to go now... – Paul Chubb Oct 11 '18 at 20:03

1 Answer

The two main approaches for encrypting swap as of Bionic 18.04 are to use cryptsetup/LUKS or ecrypt* tools.

According to Will Cook of Canonical (techradar.com/news/ubuntu-bionic-beaver-1804-lts-has-landed/6), the ecrypt set of tools was moved from main to universe with the release of 18.04. The reason for this was that the tools were not receiving the level of development and support from the developers that they once were, and so they were slowly losing quality and value. Essentially Canonical doesn't have confidence in these tools over the long term and, unless something changes, it is safe to say that they are not to be preferred.

As pointed out, the cryptsetup/LUKS tools are in current documentation, albeit for a different use case. They are also in the main line of the repository, which according to the techradar article linked above, makes them first class citizens in the Ubuntu ecosystem.

LUKS is a kernel based encryption scheme. Generally, things that are moved into the kernel are considered the first choice simply because of the long term and considered support. There are many, many user space projects that are replaced by kernel based facilities. At the same time, kernel based facilities tend to be replaced rather than simply dying on the tree. IPChains was an example. It was an early kernel based firewall. It was replaced by IPTables/Netfilter.

Cheers Paul
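The requirement in the question (clear swap on boot, generate a key, encrypt, forget the key on shutdown) maps onto a single /etc/crypttab entry for cryptsetup with a per-boot random key, which is also what ecryptfs-setup-swap writes behind the scenes. The script below is an added example, not code from the question, the answer or the cryptsetup project: it emits the crypttab and fstab lines and includes a check that an existing crypttab line actually asks for a random key with the `swap` option. The device path `/dev/sdb1` is a placeholder, the mapping name `cryptswap1` is a choice, and it assumes the partition has already been initialised with mkswap.

```shell
#!/bin/sh
# Added example (not from the Ask Ubuntu post or from cryptsetup/Ubuntu).
# Assumptions: swap partition is /dev/sdb1 (placeholder), mapping name cryptswap1 (our choice),
# the partition was initialised with mkswap before the crypttab entry is added.

# The /etc/crypttab line. The key comes from /dev/urandom, so it is freshly
# generated on every boot and exists only in kernel memory: after shutdown or
# reboot nothing on disk can decrypt the old swap contents.
#   swap               run mkswap on the fresh mapping at each boot
#   offset=1024        leave the first 1024 sectors of the partition untouched so the
#                      mkswap signature (and its UUID) survives and UUID= lookups keep working
#   cipher/size        dm-crypt cipher and key length in bits (plain mode, no LUKS header needed)
crypttab_line() {
    dev="$1"
    printf '%s\n' "cryptswap1 $dev /dev/urandom swap,offset=1024,cipher=aes-xts-plain64,size=256"
}

# The matching /etc/fstab line: swap is activated on the mapped device, never on the raw partition.
fstab_line() {
    printf '%s\n' "/dev/mapper/cryptswap1 none swap sw 0 0"
}

# Defender's check for an existing crypttab line: returns 0 only if the key source is
# /dev/urandom (per-boot random key, nothing persistent to steal) AND the swap option is
# present (so the mapping is re-initialised as swap each boot); 1 otherwise.
check_crypttab_line() {
    set -- $1
    key="$3"
    opts="$4"
    [ "$key" = "/dev/urandom" ] || return 1
    case ",$opts," in
        *,swap,*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Usage: print the two lines to append to /etc/crypttab and /etc/fstab, then verify the
# crypttab line with the checker (exit status 0 means it meets the requirement).
crypttab_line /dev/sdb1
fstab_line
check_crypttab_line "$(crypttab_line /dev/sdb1)" && echo "crypttab line uses a per-boot random key"
```

After appending the lines, `swapoff` the old partition, remove its raw entry from /etc/fstab, and `update-initramfs -u` before rebooting; on a running system `cryptdisks_start cryptswap1` followed by `swapon -a` brings the mapping up without a reboot. The checker is deliberately strict: a key file path in the third column (a fixed key that persists across reboots) or a missing `swap` option both fail, because either one breaks the "forget the key on shutdown" property the question asks for.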