As we already know from PC-BSD version 1.11 there is feature for memory based temp filesystem aka tmpmfs. Sometimes we extract files temporarily for viewing and use passwords for logging into websites or other systems- if swap space is used it is stored here as plain text. We don't want to reveal any password for suckers who accidentally stoled our notebooks or computers, so we want to encrypt this space.

Easy way of achieve this is to use (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/swap-encrypting.html) gbde(8):

the .bde suffix should be added to the device in the respective /etc/fstab swap line:
# Device Mountpoint FStype Options Dump Pass#
/dev/ad0s1b.bde none swap sw 0 0

the following line in /etc/rc.conf is also needed:
gbde_swap_enable="YES"

Reboot.
# swapinfo
Device 1K-blocks Used Avail Capacity
/dev/ad0s2b.bde 1016784 0 1016784 0%
Enjoy privacy.

You can enjoy this feature starting from PC-BSD 1.4 release. Can be turned on/off from System tool.

won't this slow things down Antik?

won't this slow things down Antik?

I perform tests and then I post results.

I found interesting document (http://www.bsdcan.org/2006/papers/FilesystemPerformance.pdf)about freebsd filesystem performance.

Thanks antik I'm deffo putting this on my laptop since I forewent the tmpmfs to use /var/tmp in it's place.

___Side Note____
I've never seen PCBSD use swap space on any of my boxes (384MB shared with Gfx chip ~ 2048MB System). And I have a tendancy to use lots of applications. From running firefox, gimp, several konsoles/xterms, note takers, 2 or more word processor/text editors. Music or Video, System /or battery monitor, and the occasional game. e.t.c.

I remember on my oldest machine at any one time their'd be 130~150 processes. How ever that stands up to UNIX it sure beats the hell out of Windows for speed with just 30~50.

I could see it's (swap) use on low low (now're days) memory systems or highly loaded servers. But I've yet to see it blip the scalls any on my desktop computing.

I'm taring PBI directory with files onto /tmp directory that is tmpmfs filesystem.
# du -sh /home/antik/PBI
321M /home/antik/PBI

With swap encryption enabled:
# /usr/bin/time -h tar -cf /tmp/test.tar /home/antik/PBI
tar: Removing leading '/' from member names
1. 22.71s real 0.18s user 1.85s sys
2. 1m7.67s real 0.25s user 2.11s sys
3. 1m16.72s real 0.22s user 2.27s sys

File copy test 700MB:
# /usr/bin/time -h cp testfile.bin /tmp/
1. 2m7.97s real 0.00s user 4.35s sys
2. 2m20.20s real 0.02s user 4.34s sys
3. 2m23.81s real 0.01s user 4.30s sys

Average: 5,11MB/s

With standard swap space:
# /usr/bin/time -h tar -cf /tmp/test.tar /home/antik/PBI
tar: Removing leading '/' from member names
1. 24.83s real 0.19s user 1.91s sys
2. 28.81s real 0.16s user 1.98s sys


File copy test 700MB:
# /usr/bin/time -h cp testfile.bin /tmp/
1. 42.17s real 0.00s user 3.83s sys
2. 1m39.05s real 0.00s user 4.15s sys
3. 56.92s real 0.02s user 4.01s sys

Average: 11,78MB/s

As you see, difference is not soo big and my computer got only AMD AthlonXP 2500+(1,8GHz) with 512MB of ram.

Is their any way to ecrypt a partition without having to reformat it (such as /) and or without having to use a passphrase at boot?

I usually use the autologin on my laptop when at home. So using the tmpfs + encypted swap in conjunction with clearing and autologin before leaving home would be easier then yet another hard to guess password.

Is their any way to ecrypt a partition without having to reformat it (such as /) and or without having to use a passphrase at boot?

I usually use the autologin on my laptop when at home. So using the tmpfs + encypted swap in conjunction with clearing and autologin before leaving home would be easier then yet another hard to guess password.

I think this is not possible right now, but you can use file based disks. More information here (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html).

Thank you.

This is actually simpler to do now, as it's turned on by default in FreeBSD 6.0 onward. The encswap script will make a pass through /etc/fstab and set up the devices before the swapon -a. All you have to do is add a .eli to every swap partition and reboot.

This is actually simpler to do now, as it's turned on by default in FreeBSD 6.0 onward. The encswap script will make a pass through /etc/fstab and set up the devices before the swapon -a. All you have to do is add a .eli to every swap partition and reboot.

Thanks for information. I tried eli and it works just fine- with faster cpu-s there is no noticeable difference in speed.

I'm a bit lost here:

/dev/disklabel.eli for / AND
/dev/disklabel.bde for swap

not
/dev/disklabel.bde.eli for swap only, right? My fstab is currently:


# Device Mountpoint FStype Options Dump Pass#
/dev/ad0s1b.bde none swap sw 0 0
/dev/ad0s1a / ufs rw 1 1
/dev/fd0 /mnt/fd0 auto rw,noauto 0 0
/dev/cd0 /mnt/cdrom0 auto ro,noauto 0 0

I'm a bit lost here:

/dev/disklabel.eli for / AND
/dev/disklabel.bde for swap

not
/dev/disklabel.bde.eli for swap only, right? My fstab is currently:


I don't know if you can use two different encryptions schemes at once.

So If I used .eli, would it keep my swap encrypted AND do the rest of my regular data, or do I have to choose one or the other but not both? Thanks.

So If I used .eli, would it keep my swap encrypted AND do the rest of my regular data, or do I have to choose one or the other but not both? Thanks.

Yes it is encrypted then but use only one method your prefer. All other data is kept intact.

OK. So If I wanted crypted swap, I'd have to secure my data files in another way (mcrypt, truecrypt, etc.)?

Also, I've noticed that BSD is very good at doing this crypt stuff in the background. Unlike in Linux, I don't notice and slow-downs when I enable stuff like this, though programs tend to execute slightly more slowly in BSD than in Linux.

You can't just add a .eli to a partition and get it encrypted, it needs to be setup with a keyfile and passphrase using geli init or gbde init, then attached with geli attach. The swap can do this because you never need the
information on the swap space on the next boot, so it can use a random key and get away with it.

You can nest encryption scheme's however it's extremely slow.

DO NOT JUST GELI INIT A PARTITION. geli init doesn't do any detection or conversion whatsoever, this means that when you do say geli init /dev/ad0s1a, it WILL overwrite the disk and create a fresh empty /dev/ad0s1a.eli device for you to format and use. Also, you can't directly boot from an encrypted partition or disk. You can however prepare new disks, and encrypt those.

http://www.freebsd.org/doc/en_US.ISO885 ... pting.html (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/disks-encrypting.html)

(and sorry for posting relatively late, but I wanted to clear up those two points so nobody looks through the old posts and thinks that they can, and then find they can't boot anymore :))

Being to lazy is why only my laptops swap space is encrypted and the other partitions are not.