ecryptfs-setup-swap
Encrypt an existing swap partition with a random, per-boot key
SYNOPSIS
ecryptfs-setup-swap
DESCRIPTION
ecryptfs-setup-swap converts an existing swap partition into dm-crypt encrypted swap. It exists because eCryptfs encrypts files, not memory: on a system with an eCryptfs-encrypted home directory, decrypted file contents and the file encryption keys live in RAM, and the kernel may write those pages to an unencrypted swap partition, where they survive reboots and can be read by anyone with the disk. Encrypting swap with a key that is generated from /dev/urandom at every boot and never written to disk closes that gap; after a reboot the previous contents of the swap partition are unrecoverable because the key that protected them no longer exists anywhere. (This is per-boot key isolation, not forward secrecy in the protocol sense.)
Run as root, it finds the active swap partitions in /proc/swaps (the same list swapon -s prints), disables them with swapoff, and writes one crypttab(5) entry per partition in the form
    cryptswap1 UUID=<swap-uuid> /dev/urandom swap,offset=1024,cipher=aes-xts-plain64,size=256
(older ecryptfs-utils releases wrote the raw device path and cipher=aes-cbc-essiv:sha256 instead). No key is stored: /dev/urandom is the key source, and the swap option makes the cryptsetup boot helper read a fresh key and run mkswap(8) on the new mapping at every boot. offset=1024 leaves the original swap signature and its UUID intact at the start of the partition so the device can still be located by UUID. The partition's own /etc/fstab line is commented out and replaced by /dev/mapper/cryptswap1 none swap sw 0 0, and the initramfs is regenerated with update-initramfs -u.
A reboot brings the new configuration up cleanly. Swap performance is unchanged apart from the dm-crypt cipher cost, which is small on CPUs with AES instructions. The tool handles swap partitions; it does not set up encryption for swap files.
CAVEATS
Requires root privileges. Modifies /etc/crypttab and /etc/fstab and regenerates the initramfs; back both files up and keep a rescue medium at hand, since a mistake leaves the system booting without swap or waiting on a failed cryptdisks unit. Because the key is random at every boot, hibernation (suspend-to-disk) cannot resume: the image written to swap on shutdown is encrypted with a key that is gone by the next boot. Remove any resume= parameter from the kernel command line, since it points at a swap device whose contents are meaningless at boot. The tool prints this hibernate warning before it changes anything. Ubuntu removed the encrypted-home installer option in 18.04; for new systems full-disk LUKS, which covers swap as well, is the better choice, and this tool is mainly relevant to systems that still use eCryptfs.
VERIFICATION
After reboot, swapon --show (or cat /proc/swaps) should list /dev/mapper/cryptswap1 and no raw partition. cryptsetup status cryptswap1 shows type PLAIN, the cipher and the key size; dmsetup table cryptswap1 shows the same in the device-mapper target line; dmesg | grep cryptswap shows the activation. Also confirm that /etc/crypttab still names /dev/urandom as the key source: a key file path there would mean a persistent key on disk, which defeats the purpose of the setup.
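The configuration the tool writes (DESCRIPTION) and the post-reboot checks (VERIFICATION) can be exercised without touching a real system. The POSIX sh helpers below are an added example written for this page, not code from ecryptfs-utils: they list swap that is still plaintext from /proc/swaps-format text, test whether a crypttab line uses a per-boot random key, flag a resume= kernel parameter, and emit the crypttab and fstab lines in the form the tool writes. The sample /proc/swaps content, crypttab line, UUID and kernel command line are constructed for the demo; on a real system feed the functions /proc/swaps, /etc/crypttab and /proc/cmdline.

```shell
#!/bin/sh
# Added example (not part of ecryptfs-utils): audit helpers for a
# random-key encrypted swap setup. All sample data below is constructed.

# Print active swap devices that are not dm-crypt mappings, i.e. swap
# that still receives plaintext pages. Input on stdin in /proc/swaps
# format: a header line, then "Filename Type Size Used Priority".
plain_swaps() {
    awk 'NR > 1 && $1 !~ /^\/dev\/mapper\// { print $1 }'
}

# Return 0 if a crypttab(5) line describes swap the way
# ecryptfs-setup-swap writes it: key source /dev/urandom (fresh key every
# boot, nothing on disk) and the "swap" option (mkswap is run on the new
# mapping at every boot). A key file path, or "none" with "luks", means a
# persistent key, so return 1.
crypttab_is_random_swap() {
    set -- $1                      # split the line into its four fields
    [ "$3" = "/dev/urandom" ] || return 1
    case ",$4," in *,swap,*) return 0 ;; esac
    return 1
}

# Return 0 if a kernel command line names a resume device. With a per-boot
# random swap key a hibernation image can never be decrypted, so resume=
# has to go.
cmdline_has_resume() {
    for arg in $1; do
        case $arg in resume=*) return 0 ;; esac
    done
    return 1
}

# Emit the crypttab and fstab lines for entry number $1 and swap partition
# UUID $2 in the form current ecryptfs-utils writes. offset=1024 leaves the
# original swap signature and UUID at the start of the partition intact, so
# the device can still be found by UUID at boot.
gen_crypttab_line() {
    printf 'cryptswap%s UUID=%s /dev/urandom swap,offset=1024,cipher=aes-xts-plain64,size=256\n' "$1" "$2"
}
gen_fstab_line() {
    printf '/dev/mapper/cryptswap%s none swap sw 0 0\n' "$1"
}

# Demo on constructed data: a machine whose raw partition is still swapped on
# and whose bootloader still passes resume=.
sample_swaps=$(printf 'Filename\tType\tSize\tUsed\tPriority\n/dev/sda3\tpartition\t4194300\t0\t-2\n')
sample_uuid='11111111-2222-3333-4444-555555555555'   # constructed, not a real UUID
sample_cmdline='BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro resume=/dev/sda3 quiet'

echo "Plaintext swap still active:"
printf '%s\n' "$sample_swaps" | plain_swaps
if cmdline_has_resume "$sample_cmdline"; then
    echo "WARNING: resume= is on the kernel command line; hibernation cannot work with random-key swap"
fi
echo "Entries the tool would write for $sample_uuid:"
gen_crypttab_line 1 "$sample_uuid"
gen_fstab_line 1
if crypttab_is_random_swap "$(gen_crypttab_line 1 "$sample_uuid")"; then
    echo "crypttab entry uses a per-boot random key: OK"
fi
```

Run it as a plain user; it reads nothing outside the script. To audit a live system, replace the sample variables with `cat /proc/swaps`, the cryptswap line from /etc/crypttab, and `cat /proc/cmdline`.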
UNDO SETUP
Run swapoff -a, then cryptsetup close cryptswap1 (or cryptdisks_stop cryptswap1). Delete the cryptswap1 line from /etc/crypttab. In /etc/fstab remove the /dev/mapper/cryptswap1 line and restore the commented-out original swap entry. Run mkswap on the partition if its signature no longer validates; mkswap assigns a new UUID unless given -U, so make the fstab entry match. Then swapon -a, update-initramfs -u, reboot, and confirm with swapon --show that the raw partition is back.
HISTORY
Written in 2008-2009 by Dustin Kirkland and others for Ubuntu, as part of the ecryptfs-utils package, to accompany the installer's encrypted-home option. It remained the standard way to keep swap from leaking eCryptfs-protected data until full-disk LUKS, which encrypts swap along with everything else, became the usual choice.
SEE ALSO
cryptsetup(8), crypttab(5), ecryptfs-add-passphrase(8), ecryptfs-setup-private(8), mkswap(8), update-initramfs(8), swapon(8)