# Encrypted swap with geli and md?



## bufo333 (May 7, 2015)

I have used the encrypted swap feature for a while now, but recently I moved from a swap partition to a swap file. This is because my new drive is an SSD and I wanted to make sure I could use TRIM on the part of the disk used for swap.

Typically an encrypted swap file would be used in fstab as below:

```
ada0s1b.eli   none swap sw 0 0
```
And geli(8) would automatically encrypt the swap with a one-time key each time the system boots; that way the swap is always non-recoverable after a reboot.

However, because I wanted to take advantage of TRIM on the SSD, I wanted to use a file for the swap instead of a partition. I am not sure if it is possible to do an automatically encrypted swap using GELI, as is possible when using a swap partition.

My current fstab looks like this:

```
md99    none     swap   sw,file=/usr/swap/swap   0   0
```


----------



## asteriskRoss (May 8, 2015)

What happens if you specify md99.eli in fstab(5)? Does the entry get processed twice, once as an mdX entry and once as a X.eli entry, which should do what you want?


----------



## bufo333 (May 8, 2015)

asteriskRoss said:


> What happens if you specify md99.eli in fstab(5)? Does the entry get processed twice, once as an mdX entry and once as a X.eli entry, which should do what you want?



I tried that; it gives an error about not recognizing mx99.eli and the swap never loads.


----------



## asteriskRoss (May 8, 2015)

Hmmm... so in that case it is probably being processed as a GELI entry but not a memory disk entry. Perhaps try putting the following in /etc/rc.conf:

```
mdconfig_md99="-t vnode -f /usr/swap/swap"
```
For the entry in /etc/fstab use md99.eli but remove the file option, so it is treated as a GELI entry. If that doesn't work you may need to tweak one of the scripts in /etc/rc.d to tell the script that calls mdconfig(8) to run before the one that calls geli(8). Have a look at the man page for rcorder(8) for how to do that.


----------
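A way to check which swap entries in an fstab are still unencrypted after trying the changes discussed above. This is an added example, not code from any poster in the thread; the function name `audit_swap` is hypothetical, and it assumes only what the thread states: a swap device named with the `.eli` suffix is set up through geli(8), and a file-backed md swap carries a `file=` option.

```shell
#!/bin/sh
# Added example: audit fstab swap entries for geli (.eli) encryption.
# audit_swap is a hypothetical helper name, not a FreeBSD tool.
#
# Usage: audit_swap /etc/fstab      (or pipe fstab text on stdin)
# Prints one line per swap entry:
#   <device> encrypted|PLAINTEXT [file=<backing file>]
# Returns 1 if any swap entry lacks the .eli suffix, 0 otherwise.
audit_swap() {
    awk '
        # Skip comments and lines too short to be fstab entries.
        $1 ~ /^#/ || NF < 4 { next }

        # Field 3 is the filesystem type; only swap entries matter here.
        $3 == "swap" {
            # A device name ending in .eli is handled by geli with a
            # one-time key; anything else is swapped to in the clear.
            state = ($1 ~ /\.eli$/) ? "encrypted" : "PLAINTEXT"

            # Report the backing file of an md swap (file= option),
            # since that file is what ends up holding swapped pages.
            backing = ""
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^file=/) backing = " " opts[i]

            print $1, state backing
            if (state == "PLAINTEXT") bad = 1
        }
        END { exit bad + 0 }
    ' "$@"
}

# Constructed sample input: the two fstab lines quoted in the thread.
audit_swap <<'EOF' || echo "at least one swap entry is not encrypted"
ada0s1b.eli   none swap sw 0 0
md99    none     swap   sw,file=/usr/swap/swap   0   0
EOF
```

The check only reads fstab; on a running system, compare its result with the devices listed by `swapinfo` to confirm the active swap device is the `.eli` one.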

