On Nov 26, 2011, at 2:00 AM, Bob Proulx wrote:
The way I like to set up the system is to set up /boot in its own partition on /dev/sda1. Then set up the rest of the disk in /dev/sda5 as a logical partition for an encrypted partition. Then use that encrypted partition for one large LVM volume. This includes swap. You definitely want to encrypt swap along with everything else.
Unless you are concerned about growing swap at some later date, you should leave swap out of the LVM and encrypt it separately -- with a *random* key.
I.e. something like this in /etc/crypttab:
# Swap
hda4_crypt /dev/hda4 /dev/urandom cipher=aes-cbc-essiv:sha256,size=256,swap
You don't have to provide an extra key at boot time for swap (the system generates it automatically).
This way, when the system is turned off, your swap becomes undecipherable.
If you put swap on the LVM, its contents survive a reboot, and therefore can be read by anyone who has the key to the LVM.
Rick
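A small check for the setup Rick describes, added here as an example and not part of either message in the thread: it reads crypttab entries (field layout as documented in crypttab(5)) and flags swap mappings that are keyed from anything other than /dev/urandom, since those keep their contents across reboots, as well as random-keyed mappings that lack the swap or tmp option. The sample crypttab embedded below is constructed for the demonstration; the function can also be pointed at the real file with `check_crypttab_swap < /etc/crypttab`.

```shell
#!/bin/sh
# Added example, not from the original thread. Lints crypttab entries so
# that swap is re-keyed from /dev/urandom on every boot (old swap becomes
# unrecoverable) rather than from a passphrase or key file that outlives
# the reboot. Field order follows crypttab(5):
#   <target> <source> <key file> <options>

# True if the key source is the kernel RNG (fresh key each boot).
is_random_key() {
    case "$1" in
        /dev/urandom|/dev/random) return 0 ;;
        *) return 1 ;;
    esac
}

# True if option $1 appears in the comma-separated option list $2.
has_opt() {
    case ",$2," in
        *,"$1",*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads crypttab lines on stdin, prints one OK/WARN line per relevant
# entry, and returns 1 if any entry was flagged.
check_crypttab_swap() {
    rc=0
    while read -r target source keyfile options; do
        # skip blank lines and comments
        case "$target" in ''|\#*) continue ;; esac
        if has_opt swap "$options"; then
            if is_random_key "$keyfile"; then
                echo "OK   $target: swap keyed from $keyfile"
            else
                echo "WARN $target: swap keyed from '$keyfile'; contents survive a reboot"
                rc=1
            fi
        elif is_random_key "$keyfile" && ! has_opt tmp "$options"; then
            echo "WARN $target: random key but no swap/tmp option; data is lost on every boot"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample (hypothetical devices), not a real crypttab.
sample_crypttab() {
    cat <<'EOF'
# <target>   <source>              <key file>    <options>
sda5_crypt   /dev/sda5             none          luks
hda4_crypt   /dev/hda4             /dev/urandom  cipher=aes-cbc-essiv:sha256,size=256,swap
swap_on_lvm  /dev/mapper/vg0-swap  none          luks,swap
oops_crypt   /dev/sda8             /dev/urandom  luks
EOF
}

# Demonstration run over the constructed sample.
if sample_crypttab | check_crypttab_swap; then
    echo "all swap entries are randomly keyed"
else
    echo "review the flagged entries"
fi
```

On the sample above, hda4_crypt passes, swap_on_lvm is flagged because its key is the persistent LUKS passphrase, and oops_crypt is flagged because a random key on a non-swap, non-tmp volume throws the data away at each boot.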