
Bug#795735: partman-crypto: always encrypt swap



On Sun, Aug 16, 2015 at 03:55:24PM +0200, Lars Wirzenius wrote:
> Could we enable encryption of swap by default, even when full disk
> encryption is not used? As far as I understand, there is no
> performance issue for this for most hardware made in the past
> half-decade.

This is obviously wrong. The performance cost may be low to the effect
that it is negligible on "recent hardware", but it is not zero; even if
you run it on custom crypto hardware that wouldn't otherwise be used
except for crypto operation, that would make that hardware unavailable
(or at the very least, less available) for other crypto operations.

> Swap encryption also doesn't require the user to enter a
> password: it can be generated on the fly for each boot.

This also makes it impossible to use suspend-to-disk, as that uses the
swap partition to write the state of the current RAM, which needs to be
reread at boot time; if you encrypt the swap partition with a random
key, you can't read it at the next boot, so you've removed the ability
to use that feature.

-- 
It is easy to love a country that is famous for chocolate and beer

  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26
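
Added example, not part of the original message or of partman-crypto: a check for the suspend-to-disk conflict described above, which finds crypttab(5) swap entries keyed from a random source and reports those that the kernel `resume=` parameter points at. The function names and sample inputs are constructed for illustration, and it assumes `resume=` names either `/dev/mapper/<name>` or the underlying device path (UUID= and LABEL= targets are not resolved).

```python
# Random key sources that crypttab(5) accepts for throwaway swap keys.
RANDOM_KEY_SOURCES = {"/dev/urandom", "/dev/random"}

def parse_crypttab(text):
    """Parse crypttab text into dicts: name, device, keyfile, options."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line, skip it
        entries.append({
            "name": fields[0],
            "device": fields[1],
            "keyfile": fields[2] if len(fields) > 2 else "none",
            "options": set(fields[3].split(",")) if len(fields) > 3 else set(),
        })
    return entries

def ephemeral_swaps(crypttab_text):
    """Names of swap mappings that get a fresh random key on every boot."""
    return [e["name"] for e in parse_crypttab(crypttab_text)
            if e["keyfile"] in RANDOM_KEY_SOURCES and "swap" in e["options"]]

def resume_target(cmdline):
    """Value of the kernel resume= parameter, or None if absent."""
    for tok in cmdline.split():
        if tok.startswith("resume="):
            return tok[len("resume="):]
    return None

def hibernation_conflicts(crypttab_text, cmdline):
    """Random-key swap mappings that resume= expects to read back."""
    target = resume_target(cmdline)
    if target is None:
        return []
    return [e["name"] for e in parse_crypttab(crypttab_text)
            if e["name"] in ephemeral_swaps(crypttab_text)
            and target in ("/dev/mapper/" + e["name"], e["device"])]

# Constructed sample inputs (not taken from any real system).
SAMPLE_CRYPTTAB = """\
# <name> <device> <keyfile> <options>
cswap  /dev/sda2  /dev/urandom  swap,cipher=aes-xts-plain64,size=256
croot  /dev/sda3  none          luks
"""
SAMPLE_CMDLINE = "root=/dev/mapper/croot ro resume=/dev/mapper/cswap quiet"

if __name__ == "__main__":
    print(hibernation_conflicts(SAMPLE_CRYPTTAB, SAMPLE_CMDLINE))
```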

