How to encrypt swap

I found this documentation for encrypting swap.

I added the proposed snippet in my NixOS configuration, but it gives an error at startup.

Has anyone been successful with swap encryption without encrypting the whole disk?

You should really post more information about your setup and what error you got; there are several ways to configure this.
For example, you can use swapDevices.*.encrypted.enable or use a logical volume on a LUKS disk.

I normally use this partitioning scheme with a single LUKS device and several LVM volumes:

NAME             TYPE  MOUNTPOINTS
nvme0n1          disk
├─nvme0n1p1      part  /efi
└─nvme0n1p2      part
  └─crypt        crypt
    ├─crypt-swap lvm   [SWAP]
    ├─crypt-nix  lvm   /
    └─crypt-home lvm   /home

Then I format the swap device (mkswap /dev/crypt/swap -L swap) and then add:

  boot.initrd.luks.devices.<your-luks-device-here> =
    { device  = "/dev/disk/by-uuid/<your-device-uuid>";
      # SSD optimisations
      allowDiscards    = true;
      bypassWorkqueues = true;
    };

  swapDevices = [ { label = "swap"; } ];
  boot.resumeDevice = "/dev/disk/by-label/swap";
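
For the case asked about at the top (swap encrypted, root left in the clear), here is an added example, not taken from the thread or from the NixOS manual. It uses the existing `swapDevices.*.randomEncryption` and `swapDevices.*.encrypted` options; every `<...>` value is a placeholder and the mapper name `cryptswap` is an assumption.

```nix
# Added example: encrypt only the swap partition, root stays unencrypted.
# Every <...> value is a placeholder; "cryptswap" is an assumed mapper name.
{ lib, ... }:
let
  # Set to true only if you need suspend-to-disk (hibernate/resume).
  wantHibernate = false;
in
{
  swapDevices =
    if wantHibernate then [
      {
        # Persistent LUKS container: the key survives reboots, so the
        # hibernation image can be read back after a passphrase prompt.
        # Create it once by hand (cryptsetup luksFormat, open, mkswap).
        device = "/dev/mapper/cryptswap";
        encrypted = {
          enable = true;
          label = "cryptswap"; # name of the unlocked mapping
          blkDev = "/dev/disk/by-uuid/<luks-container-uuid>";
        };
      }
    ] else [
      {
        # Throwaway key generated at every boot: nothing to type and
        # nothing to store, but swap contents are unrecoverable after a
        # reboot, so hibernation cannot work with this variant.
        # Use by-partuuid (or by-id): the filesystem UUID and label are
        # wiped each boot when the partition is re-keyed.
        device = "/dev/disk/by-partuuid/<swap-partition-partuuid>";
        randomEncryption.enable = true;
      }
    ];

  # Only meaningful with the persistent-key variant.
  boot.resumeDevice = lib.mkIf wantHibernate "/dev/mapper/cryptswap";
}
```

After a rebuild and reboot, `swapon --show` should list a device-mapper device rather than the raw partition, and `lsblk` should show a `crypt` layer above the swap partition.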

Yes, I am sorry. I had an error when I was starting up, and it was displayed very rapidly. I also had difficulties finding the error again in the journal.

Because I was unable to solve the issues I created, I formatted my drive and reinstalled NixOS. I have NixOS 23.11 on a USB stick. I have instructions to set the encryption. It says, “The easiest way is to use the graphical installer and choose “encrypt” while doing the installation.” But I don’t know how to do that. I don’t see a checkbox or another relevant element in the graphical installer to mark my intention to encrypt the disk.

Can you please help me? Still new to NixOS. Where is the option located? I’m using another machine to do the follow-up here.

Ok, let’s start from the beginning: what are you trying to achieve exactly?
Full disk encryption (kernel, initrd, root fs are encrypted), root fs encryption (kernel and initrd are in clear), or just some partition/disk encrypted (like /home, or the swap device)?

OK, I found in the installer that if I choose to use the entire disk for installation, then I can choose to encrypt the disk. I would appreciate it if this option was also available when we decide to partition manually. Maybe in a future version.