Everytime you open files, enter passwords, and do things on your computer, data is being opened in RAM. And over time, that data in RAM can get saved to your swap (located on your hard drive) as the system needs more RAM.

Due to this, sensitive information in RAM can make it onto your swap, and thus your hard drive.

And this data can be recovered later by others.

To prevent this, you can encrypt your swap, making it harder to recover. There are many ways to do this. We will cover a few here.


Encrypting a swap will not protect the system while running. It only protects data when the system is off.

This document assumes you understand command line, creating swaps, editing of system files, etc.


Following these steps could destroy your system, its data, and/or make it unbootable. If that sounds scary, consider learning and then doing these steps on a test system or Virtual Machine that you can loose (snapshot first!).


There’s a file called /etc/crypttab that can be used to specify encrypted devices and files that the system is supposed to load up on boot. On systemd systems this is used by systemd-cryptsetup-generator to create unit files to load the devices/files.

The format is fairly simple. There are four columns. From the man page:

  1. The first field contains the name of the resulting encrypted block device; the device is set up within /dev/mapper/.
  2. The second field contains a path to the underlying block device or file, or a specification of a block device via “UUID=” followed by the UUID.
  3. The third field specifies the encryption password. If the field is not present or the password is set to “none” or “-”, the password has to be manually entered during system boot. Otherwise, the field is interpreted as an absolute path to a file containing the encryption password. (Do not use /dev/random).
  4. The fourth field, if present, is a comma-delimited list of options.

Let’s show some examples of how to do this.

With a Set Password

In this example we will create an encrypted swap device that has a password that must be entered on each boot.


This section introduces the encrypted swap idea. However, with a set password the data is kept between reboots. It is encrypted, but an attacker could recover sensitive data from it if they obtain the password.

See the next sections for creating an encrypted swap with a new randomly generated password for each boot.

Comment out any swap entry(s) in your /etc/fstab file.

To find out what your swap file is:

  • look in /etc/fstab.
  • or use fdisk -l /dev/sdX to list your partitions.

In this example, we’ll say the encrypted swap device is /dev/sdXY.

But before that, fill the device with random data. Otherwise it’s easy to see how much random data is on the drive.


All data will be permanently erased on the drive! As they say: “Measure twice, cut once.”

dd if=/dev/urandom of=/dev/sdXY bs=10M

Now, setup the encryption. The prompted password will need to be entered each time the system starts. (See man cryptsetup for other options).

cryptsetup luksFormat /dev/sdXY

And then mount it up

cryptsetup luksOpen /dev/sdXY cryptswap

It will create a device at /dev/mapper/cryptswap. Anything written here will be encrypted and save to /dev/sdXY as encrypted data.

Now we need to format it as a swap.

mkswap /dev/mapper/cryptswap

And now we can run swapon /dev/mapper/cryptswap and we’ll see it’s in the system.

We don’t want to specify /dev/sdXY in our fstab, because if the partition order (or disk order) is changed, then the system may look in the wrong location for it.

Instead, we’ll specify the uuid of the partition. So find it:

cryptsetup luksDump /dev/sdXY | grep UUID

Which will show something like this, where the second part is the uuid of the encrypted area.

UUID:          	1234567-890ab-cdef-987654321

To start it up when we boot, we need to add it to our /etc/crypttab file:

cryptswap  UUID=1234567-890ab-cdef-987654321  none  luks

That tells it to find the uuid of 1234567-890ab-cdef-987654321 (which will point to /dev/sdXY) as the source device, that is a luks format, and to save it as /dev/mapper/cryptswap. The none says that it requires a password to be created.

Now, that will create the encryption device. But it won’t load the swap. That’s for fstab. In your /etc/fstab put:

/etc/mapper/cryptswap  none  swap  defaults  0 0

which will do the loading of the swap. And that’s it. Next time you reboot, you’ll be prompted to enter your password for your swap.

With a Random Key

Let’s say we have a server, and we want to have the ability to encrypt the swap, but we don’t want to have to enter in the password each time it boots.

Or if we are concerned about data being saved to the swapfile and later recovered, then this can help mitigate it.


Hard drives tend to keep deleted data around. So if the previous key(s) are compromised, an attacker may be able to use those key(s) to decrypt recovered swap data.

To do this, we can either use a keyfile, or have the system create a random key for the swap. The first one is fairly simple, and you can do the same as the above section, substituting in a key for your password (hint: the key option for cryptsetup is --key-file).

But in this example, we will take it one step further and make the swap file make a random key on each boot. That way, what happens on one boot is unknown to the next.

We will use a system that has and LVM setup. If you don’t have that, your can create a single LVM partition on your swap device. The reason for using LVM is so crypttab can easily identify the right location of the device used for the encrypted swap. You see, it’s going to overwrite that partition with the encrypted swap. If it picks your system/data partition by accident, then bye bye data. Thus, using something like /dev/sdXY is a bad choice because if the disk’s partitions should change, you’d loose a partition of data.

And using the uuid won’t work, because it will change on each boot of the system.

So, in this example we will create an encrypted swap on our LVM /dev/mapper/my_vgXY-swap, and it will use a different key on each boot.

First, comment out your current swap entry(s) in /etc/fstab.

We don’t need to create the random device, nor the swap. Crypttab will take care of that. You’ll want to fill the partition up with random data to hide how full/empty it is:


This will permanently erase everything on the selected device!

dd if=/dev/urandom of=/dev/mapper/my_vgXY-swap bs=10M

Once that’s done, put this in your /etc/crypttab file:

cryptswap  /dev/mapper/my_vgXY-swap  /dev/urandom  swap

And then all we have to do is tell fstab to load it but putting this into /etc/fstab:

/dev/mapper/cryptswap  none  swap  defaults  0 0

And we’re done. Reboot, and you will now have an encrypted swap.

Random key but as a swapfile

If you’d like to use the random key, but don’t have a LVM, then you can use a swapfile.

We’ll use the example swapfile of /swapfile42.


This will permanently erase the file /swapfile42! (If it exists)

First, create the file. In the below example, it will create a 1GB (1024MB) swap file. Adjust as desired.

dd if=/dev/urandom of=/swapfile42 bs=1M count=1024 status=progress

Check that it was created correctly.

ls -lh /swapfile42

Now add this to /etc/crypttab

cryptswap42     /swapfile42      /dev/urandom       swap,cipher=twofish-xts-plain64,size=256,hash=sha256

You can use aes-xts-plain64 instead of twofish, if you prefer.

Finally, add it to /etc/fstab

/dev/mapper/cryptswap42  none  swap  defaults  0 0


With that, you now have an encrypted swap with either your own key or a randomly generated one.