FreeBSD : Inexpensive and simple swap encryption


It has been a while since I last put up a post. Here is a short note on swap space encryption with FreeBSD's geom geli(8). This feature has been available for quite some time.

Enabling swapspace encryption with geli

Only two files need to be edited: /etc/fstab and /boot/loader.conf. Change your swap partition in /etc/fstab to carry the suffix ".eli" (e.g. ad1s1b.eli) and load the geom_eli kernel module in /boot/loader.conf with geom_eli_load="YES". Your swap space will be encrypted on the next reboot.

Alternatively, you can enable it without reboot with the steps below.

# swapoff /dev/ad0s1b
# kldload geom_eli
# geli onetime -e blowfish -l 128 -s 4096 -d ad0s1b
# swapon /dev/ad0s1b.eli

Note: refer to the geli(8) manpage for more algorithm options. I used Blowfish in the example above.

Verifying if swap space encryption is enabled

# dmesg | grep GEOM_ELI

GEOM_ELI: Device ad0s1b.eli created.
GEOM_ELI: Encryption: Blowfish-CBC 128
GEOM_ELI: Crypto: software

# geli list
Geom name: ad0s1b.eli
EncryptionAlgorithm: Blowfish-CBC
KeyLength: 128
Crypto: software
Flags: ONETIME, W-DETACH, W-OPEN
Providers:
1. Name: ad0s1b.eli
Mediasize: 2147483648 (2.0G)
Sectorsize: 4096
Mode: r1w1e0
Consumers:
1. Name: ad0s1b
Mediasize: 2147483648 (2.0G)
Sectorsize: 512
Mode: r1w1e1
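The enablement steps and the verification output above can be turned into a repeatable audit. The script below is an added example, not code from the original post: each check reads its input from stdin so it can be run against captured files or command output, and the sample data at the bottom is constructed to mirror the post's setup (ad0s1b, Blowfish-CBC, ONETIME flag).

```shell
#!/bin/sh
# Added example, not from the original post: audit a FreeBSD host's swap
# encryption setup. Each check reads its input from stdin so it can run
# against captured files or command output; the sample data is constructed.

# 0 if every swap entry in an fstab (stdin) uses a .eli provider.
fstab_swap_encrypted() {
    awk '/^[[:space:]]*#/ || NF < 3 { next }
         $3 == "swap" { total++; if ($1 ~ /\.eli$/) ok++ }
         END { exit !(total > 0 && ok == total) }'
}

# 0 if loader.conf (stdin) loads geom_eli at boot.
loader_loads_geli() {
    grep -Eq '^[[:space:]]*geom_eli_load="?YES"?'
}

# 0 if "geli list" output (stdin) shows a ONETIME provider for $1 (e.g. ad0s1b),
# i.e. swap keyed with a throwaway key that is lost on detach/reboot.
geli_onetime_for() {
    awk -v dev="$1.eli" '
        $1 == "Geom" && $2 == "name:" { cur = $3 }
        cur == dev && $1 == "Flags:" && /ONETIME/ { found = 1 }
        END { exit !found }'
}

# Run all three checks against the live system (FreeBSD only).
audit_swap_encryption() {
    fstab_swap_encrypted < /etc/fstab || { echo "fstab: unencrypted swap entry"; return 1; }
    loader_loads_geli < /boot/loader.conf || { echo "loader.conf: geom_eli_load not set"; return 1; }
    geli list | geli_onetime_for "$1" || { echo "$1: no ONETIME geli provider"; return 1; }
    echo "swap on $1 is encrypted with a one-time key"
}

# Constructed sample inputs mirroring the post's setup, for offline testing.
SAMPLE_FSTAB='/dev/ad0s1a / ufs rw 1 1
/dev/ad0s1b.eli none swap sw 0 0'
SAMPLE_LOADER='geom_eli_load="YES"'
SAMPLE_GELI='Geom name: ad0s1b.eli
EncryptionAlgorithm: Blowfish-CBC
KeyLength: 128
Flags: ONETIME, W-DETACH, W-OPEN'

# 0 when the constructed samples pass all three checks.
demo_audit() {
    printf '%s\n' "$SAMPLE_FSTAB" | fstab_swap_encrypted &&
    printf '%s\n' "$SAMPLE_LOADER" | loader_loads_geli &&
    printf '%s\n' "$SAMPLE_GELI" | geli_onetime_for ad0s1b
}
```

On a FreeBSD host, `audit_swap_encryption ad0s1b` runs the same checks against /etc/fstab, /boot/loader.conf and the live `geli list` output.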

Back in 2003, I used OpenBSD's sysctl -w vm.swapencrypt.enable=1, or vm.swapencrypt.enable=1 in /etc/sysctl.conf, for swap space encryption, and this was made the default in OpenBSD 4.3. Compared to the FreeBSD implementation, OpenBSD's method is simpler. However, FreeBSD's geom geli(8) and gbde(8) offer more than just swap space encryption: they can encrypt disk partitions as well.

More info can be found in the excellent FreeBSD handbook.

http://www.freebsd.org/doc/en/books/handbook/swap-encrypting.html

My usage has not reached the level that requires high confidentiality on storage. Perhaps I will do an encrypted file system on my portable hard disk for porn next time. :-P
