# Swap to Blowfish



## wekers (May 21, 2014)

Dear all,

I tried to change my swap to Blowfish, with no success. I put this in rc.conf:

```
geli_swap_flags="-e blowfish -l 128 -s 4096 -d"
```

But it always mounts in AES:


```
$ geli list
Geom name: vtbd0p3.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 128
Crypto: software
Version: 7
Flags: ONETIME, W-DETACH, W-OPEN
KeysAllocated: 1
KeysTotal: 1
Providers:
1. Name: vtbd0p3.eli
   Mediasize: 1073741824 (1.0G)
   Sectorsize: 4096
   Mode: r1w1e0
Consumers:
1. Name: vtbd0p3
   Mediasize: 1073741824 (1.0G)
   Sectorsize: 512
   Stripesize: 0
   Stripeoffset: 82944
   Mode: r1w1e1
```


----------



## Crest (May 22, 2014)

*Re: Swap on blowfish*

FreeBSD 10.0 moved the swap encryption logic from the rc.d script into swapctl. Use the fstab options to configure GELI onetime instances. Don't expect Blowfish to beat AES on modern CPUs. Even without AES-NI or Padlock, AES contains more exploitable parallelism. Blowfish requires four 32-bit memory accesses per round and combines them with minimal computation. This was fast on slow CPUs with a single 32-bit ALU, a single load-store unit and >= 8kB cache. It also introduces cache timing attacks because the S-Box indices are plaintext and key dependent.
It was the fastest secure block cipher on common hardware for many years. Those days are gone. Two other annoying properties of Blowfish are its 64-bit block size and the abysmal key agility. The former limits the amount of cipher text you can store under a single key while the latter makes using multiple keys inefficient (each key setup is equivalent to encrypting 8kB of data).


----------
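The mismatch in this thread (Blowfish configured, AES-XTS active) can be caught by checking `geli list` output against the intended cipher. The script below is an added example, not part of any post; the function names are hypothetical, the sample input is trimmed from the output in the first post, and the fstab line in the comment assumes the `ealgo`, `keylen` and `sectorsize` options described in fstab(5).

```shell
#!/bin/sh
# Added example. On FreeBSD 10+ the swap cipher is taken from fstab(5); the
# rc.conf flags from the first post would be written as (assumed mapping):
#   /dev/vtbd0p3.eli none swap sw,ealgo=blowfish,keylen=128,sectorsize=4096 0 0
# Live use: geli list | check_geli_swap AES-XTS 128

# check_geli_swap ALGO KEYLEN
# Reads `geli list` output on stdin, prints one verdict per geom, and returns
# 0 only if at least one geom exists and every geom is ONETIME with that cipher.
check_geli_swap() {
    awk -v want_algo="$1" -v want_len="$2" '
        function report(   verdict) {
            if (geom == "") return
            verdict = "OK"
            if (algo != want_algo || len != want_len || !onetime) {
                verdict = "MISMATCH"
                bad = 1
            }
            printf "%s: %s/%s onetime=%d -> %s\n", geom, algo, len, onetime, verdict
        }
        /^Geom name:/ { report(); geom = $3; algo = ""; len = ""; onetime = 0; seen++ }
        /^EncryptionAlgorithm:/ { algo = $2 }
        /^KeyLength:/ { len = $2 }
        /^Flags:/ { onetime = ($0 ~ /ONETIME/) ? 1 : 0 }
        END { report(); exit (bad || seen == 0) ? 1 : 0 }
    '
}

# Sample input: the relevant lines of the `geli list` output quoted above.
sample_geli_list() {
    cat <<'EOF'
Geom name: vtbd0p3.eli
State: ACTIVE
EncryptionAlgorithm: AES-XTS
KeyLength: 128
Crypto: software
Flags: ONETIME, W-DETACH, W-OPEN
EOF
}

# The sample matches the default cipher, so this prints an OK verdict.
sample_geli_list | check_geli_swap AES-XTS 128
```

Run from a periodic job or after boot, a non-zero exit flags swap that is unencrypted, not one-time keyed, or using a cipher other than the configured one.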



## wekers (May 22, 2014)

I have very limited memory (512 MB RAM) and 2 CPUs, so with AES I sometimes get this error:


```
kernel: swap_pager: indefinite wait buffer: bufobj: 0, blkno: 42054, size: 4096
kernel: swap_pager: indefinite wait buffer: bufobj: 0, blkno: 11271, size: 61440
kernel: swap_pager: indefinite wait buffer: bufobj: 0, blkno: 26643, size: 61440
kernel: swap_pager: indefinite wait buffer: bufobj: 0, blkno: 21722, size: 61440
```

Memory usage:

```
freecolor -m -o
              total       used       free     shared    buffers     cached
Mem:           491        256        235          0          0          2
Swap:         1024        175        848
```

I tried without encrypted swap, and so far this error has not happened again. I also run MySQL and OpenBGPD. So in this case, is it better not to use encrypted swap?


----------

