SWAP partition encryption is AES-XTS 128

Phil1295

Explorer
Joined
Sep 20, 2020
Messages
79
I have my pools encrypted in TrueNAS using ZFS native AES256 GCM encryption.
I read in various threads that SWAP partitions are always encrypted with AES-XTS 256.

However, in the console, using TrueNAS 6.1 (was same on 6.0, not sure previously as I was using GELI encryption):
Code:
Nov 19 08:20:13 truenas GEOM_MIRROR: Device mirror/swap0 launched (2/2).
Nov 19 08:20:13 truenas GEOM_ELI: Device mirror/swap0.eli created.
Nov 19 08:20:13 truenas GEOM_ELI: Encryption: AES-XTS 128
Nov 19 08:20:13 truenas GEOM_ELI:     Crypto: hardware
Nov 19 08:20:13 truenas GEOM_MIRROR: Device mirror/swap1 launched (2/2).
Nov 19 08:20:13 truenas GEOM_ELI: Device mirror/swap1.eli created.
Nov 19 08:20:13 truenas GEOM_ELI: Encryption: AES-XTS 128
Nov 19 08:20:13 truenas GEOM_ELI:     Crypto: hardware
Nov 19 08:20:13 truenas GEOM_MIRROR: Device mirror/swap2 launched (2/2).
Nov 19 08:20:13 truenas GEOM_ELI: Device mirror/swap2.eli created.
Nov 19 08:20:13 truenas GEOM_ELI: Encryption: AES-XTS 128
Nov 19 08:20:13 truenas GEOM_ELI:     Crypto: hardware


I see nowhere an option to change SWAP encryption to AES256-XTS instead.
Any thoughts?
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
I don't see the need... swap is memory contents and changed by the system on demand (and in a properly functioning system, shouldn't really be used at all), not files, so there's far less risk of discovery of "secret content".

I don't think spending any time working on securing it further is well spent.
 

Phil1295

sretalla said:
> I don't see the need... swap is memory contents and changed by the system on demand (and in a properly functioning system, shouldn't really be used at all), not files, so there's far less risk of discovery of "secret content".
>
> I don't think spending any time working on securing it further is well spent.

Sure, I have enough RAM.
I was just wondering if it was a bug / mis-config on my system or if it is so for all TrueNAS installations.
The only info I found is a few topics, and all mention AES-XTS 256.

Can you confirm that even on your system it is AES 128?
 

sretalla

Yep:
Code:
GEOM_MIRROR: Device mirror/swap0 launched (2/2).
GEOM_ELI: Device mirror/swap0.eli created.
GEOM_ELI: Encryption: AES-XTS 128
GEOM_ELI:     Crypto: hardware
GEOM_MIRROR: Device mirror/swap1 launched (3/3).
GEOM_MIRROR: Device mirror/swap2 launched (3/3).
GEOM_MIRROR: Device mirror/swap3 launched (3/3).
GEOM_MIRROR: Device mirror/swap4 launched (3/3).
GEOM_ELI: Device mirror/swap1.eli created.
GEOM_ELI: Encryption: AES-XTS 128
GEOM_ELI:     Crypto: hardware
GEOM_ELI: Device mirror/swap2.eli created.
GEOM_ELI: Encryption: AES-XTS 128
GEOM_ELI:     Crypto: hardware
GEOM_ELI: Device mirror/swap3.eli created.
GEOM_ELI: Encryption: AES-XTS 128
GEOM_ELI:     Crypto: hardware
GEOM_ELI: Device mirror/swap4.eli created.
GEOM_ELI: Encryption: AES-XTS 128
GEOM_ELI:     Crypto: hardware
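
One way to check this across every provider at once is to pair each "GEOM_ELI: Device ... created." line with the "Encryption:" line that follows it, as both console logs above show. This is an added example, not code from either poster or from TrueNAS; the function names `eli_summary` and `eli_below` are hypothetical and the `example0.eli` entry in the sample is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): list GEOM_ELI providers with cipher and key bits.

# eli_summary: kernel log text on stdin -> "<provider> <algorithm> <keybits>" per line.
eli_summary() {
    awk '
        # "GEOM_ELI: Device mirror/swap0.eli created." -> remember the provider name.
        /GEOM_ELI: Device .* created\./ {
            for (i = 1; i < NF; i++) if ($i == "Device") dev = $(i + 1)
            next
        }
        # "GEOM_ELI: Encryption: AES-XTS 128" -> belongs to the last provider created.
        # GEOM_MIRROR and "Crypto:" lines may sit in between and are skipped.
        /GEOM_ELI: Encryption:/ && dev != "" {
            for (i = 1; i < NF - 1; i++)
                if ($i == "Encryption:") print dev, $(i + 1), $(i + 2)
            dev = ""
        }
    '
}

# eli_below MINBITS: print providers whose key is shorter than MINBITS.
# Exit status is 1 when at least one such provider exists, 0 otherwise.
eli_below() {
    eli_summary | awk -v min="$1" '$3 + 0 < min + 0 { print; bad = 1 } END { exit bad + 0 }'
}

# Constructed sample in the two log formats posted in the thread
# (with and without the syslog prefix); example0.eli is a made-up provider.
SAMPLE_LOG='Nov 19 08:20:13 truenas GEOM_MIRROR: Device mirror/swap0 launched (2/2).
Nov 19 08:20:13 truenas GEOM_ELI: Device mirror/swap0.eli created.
Nov 19 08:20:13 truenas GEOM_ELI: Encryption: AES-XTS 128
Nov 19 08:20:13 truenas GEOM_ELI:     Crypto: hardware
GEOM_MIRROR: Device mirror/swap1 launched (3/3).
GEOM_ELI: Device mirror/swap1.eli created.
GEOM_MIRROR: Device mirror/swap2 launched (3/3).
GEOM_ELI: Encryption: AES-XTS 128
GEOM_ELI: Device example0.eli created.
GEOM_ELI: Encryption: AES-XTS 256'
```

On a live system, `dmesg | eli_below 256` lists the providers running with a key shorter than 256 bits.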
 