Swap: Difference between revisions

(15 intermediate revisions by 2 users not shown)

Line 1:

[[Category:Configuration]]

Swap ~~provides additional~~ virtual memory ~~by extending~~ physical RAM. This can be accomplished by using space on disk, such as [[#Swap file|swap file]] or [[#Swap partition|swap partition]], or through compression based methods like [[#Zram swap|zram]]. Additionally, [[#Zswap swap cache|zswap]] can act as a RAM-based compressed cache sitting in front of a traditional disk-based swap device.

Swap allows "cold" pages of virtual memory to be stored in places other than directly in the physical RAM, effectively allowing more pages to be stored. This can be accomplished by using space on disk, such as [[#Swap file|swap file]] or [[#Swap partition|swap partition]], or through compression based methods like [[#Zram swap|zram]]. Additionally, [[#Zswap swap cache|zswap]] can act as a RAM-based compressed cache sitting in front of a traditional disk-based swap device.

= Configuration =

Line 28:

}}

This will create a 16GB swapfile at <code>/var/lib/swapfile</code>. The <code>size</code> value [https://search.nixos.org/options?show=swapDevices.*.size is specified in megabytes]

This will create a 16GB swapfile at <code>/var/lib/swapfile</code>. The <code>size</code> value [https://search.nixos.org/options?show=swapDevices.*.size is specified in megabytes]. This will cause a swap file to be generated and an entry to be set up in <code>/etc/fstab</code>.

== Swap partition ==

Swap partitions are typically created during the initial disk partitioning phase of a NixOS installation. For instructions on creating swap partitions, see the relevant NixOS manual sections for [https://nixos.org/manual/nixos/stable/#sec-installation-manual-partitioning-UEFI UEFI]/[https://nixos.org/manual/nixos/stable/#sec-installation-manual-partitioning-MBR MBR] partition schemes and [https://nixos.org/manual/nixos/stable/#sec-installation-manual-partitioning-formatting formatting].

Swap partitions can be defined in <code>configuration.nix</code> like above or (if GPT) be automatically discovered by <code>systemd-gpt-auto-generator(8)</code>. Using the former allows you to have some control over swap mounting options and to enable features such as encrypted swap.

== Zram swap ==

Line 59:

Line 61:

enable = true;

writebackDevice = "/dev/sda1"

};

</nowiki>

}}

Line 108:

Line 111:

</syntaxhighlight>

If you are using GPT partitioning tables, <code>systemd-gpt-auto-generator(8)</code> will still mount your swap partition automatically. You must therefore turn on attribute 63 ("no ~~automount~~") on ''each'' swap partition partition in the partition table. This can be done with gptfdisk or similar:

If you are using GPT partitioning tables, <code>systemd-gpt-auto-generator(8)</code> will still mount your swap partition automatically. You must therefore turn on attribute 63 ("no-auto") on ''each'' swap partition partition in the partition table. This can be done with gptfdisk or similar:

Line 132:

Line 135:

=== discard ===

Solid state drives have fast random access times, which make them great for swap if you ignore the limited lifespan. Enabling TRIM (discard) on the swap files can help avoid unnecessary copy actions on the SSD, helping ~~with~~ performance ~~and slightly reducing wear~~.

Solid state drives have fast random access times, which make them great for swap if you ignore the limited lifespan. Enabling TRIM (discard) on the swap files can help avoid unnecessary copy actions on the SSD, reducing wear and potentially helping increase performance.

swapDevices = [{

Line 139:

Line 142:

}];

</syntaxhighlight>

A lower-impact option is <code>"discard=once"</code>, which runs discard exactly once when the swap is enabled, but does not continually issue discard commands as pages are being overwritten. This could make more sense depending on your hardware.

<code>systemd-gpt-auto-generator(8)</code> does not automatically enable <code>discard</code>. Also, never enable <code>discard</code> on mdadm RAID setups, as ArchWiki reports that it causes lockup.

Line 144:

Line 149:

== Encrypt swap with random key ==

~~Swap~~ can ~~be automatically encrypted~~ with a new key on every boot. This ~~can be~~ used to ~~simplify certain disk layouts~~, ~~such as securing~~ a swap file on a ~~filesystem~~ partition ~~without~~ an ~~encryption container (such as LUKS)~~.

Because data from memory is evicted into swap, any secret data in memory can also end up in swap. Because the disks backing the swap is often nonvolatile (data is not lost after power cut), this can represent another way for data to end up in the wrong hands if you computer is seized.

By encrypting the swap with a random key kept in memory, we make sure that the contents of the swap become unreadable as soon as the data in memory has been lost. NixOS contains a handy helper to help you do this, generating a new key on each boot:

<syntaxhighlight lang="nix">swapDevices = [{

device = "/dev/disk/by-partuuid/aaaaaaaaa-bbbb-cccc-dddd-0123456789ab";

randomEncryption.enable = true;

}];</syntaxhighlight>

The selected device will have all its content made unusable at every boot. Using a partuuid or partlabel is recommended because it is less subject to change when the overall partition scheme changes.

If you want to use TRIM, set <code>randomEncryption.allowDiscards</code> in addition to the <code>options</code>. This has the security implication of:

* telling whoever gets ahold of your swap drive which parts are being actually used (bad),

* telling your SSD to not give out the data in unused parts and to not try to keep them around during garbage collection (good).

You will need to weigh between the two.

'''Warning:''' On some NixOS versions, if <code>randomEncryption.enable = true</code> and the <code>swap</code> is a file (rather than a partition) located on an encrypted LUKS partition, [https://discourse.nixos.org/t/swap-file-on-luks-partition/72234 the system can freeze as soon as the swap is used.]

Using a random key makes hibernation impossible. If you want to use hibernation, use a regular [[Full Disk Encryption]] with a fixed key. Alternatively, you can encrypt the swap partition separately:

== Encrypt swap partition with password or fixed key ==

If you prefer to encrypt the swap partition individually, first create an unformatted partition of the desired size, for example using <code>gparted</code>. In the following, the partition is <code>/dev/sdXY</code>. Then<syntaxhighlight lang="bash">

sudo cryptsetup luksFormat /dev/sdXY --label lb_luks_swap

sudo cryptsetup luksOpen /dev/disk/by-label/lb_luks_swap swap

sudo mkswap /dev/mapper/swap -L lb_swap

</syntaxhighlight>When asked, provide a password for unlocking the partition.

This will create

* a LUKS container on the unformatted partition with label <code>lb_luks_swap</code>

* open it and mount it under <code>/dev/mapper/swap</code>,

* format it as swap with label <code>lb_swap</code>.

If all is correct, block devices should look similar to:<syntaxhighlight lang="bash">

$ lsblk -o +LABEL

...

└─sdaXY 259:16 0 128G 0 part lb_luks_swap

└─lb_swap 254:0 0 128G 0 crypt [SWAP] lb_swap

...

</syntaxhighlight>To tell NixOS to use this partition for swap, add to <code>hardware-configuration.nix</code>:<syntaxhighlight lang="nix">

swapDevices = [{

device = "/dev/~~sdXY~~";

device = "/dev/disk/by-label/lb_swap";

~~randomEncryption.~~enable = true;

encrypted = {

enable = true;

label = "swap";

blkDev = "/dev/disk/by-label/lb_luks_swap";

};

}];

</syntaxhighlight>

</syntaxhighlight>This automatically adds the swap partition to <code>boot.initrd.luks.devices</code> so that <code>initrd</code> will ask for a password on reboot. initrd will automatically try to use the same password on any other LUKS volumes listed in <code>boot.initrd.luks.devices</code>. Therefore if you use the same password for other volumes you will only have to type it once. If all went well, the swap partition should be mapped at <code>/mapper/swap</code> and <code>/dev/disk/by-id/lb_swap</code>.

It is also possible to specify a key file using the <code>--key-file</code> argument to <code>luksFormat</code> and <code>luksOpen</code>. Be aware that the system needs access to this file during boot, so if the key itself is stored on an encrypted volume, it may be tricky to get the unlock sequencing right.

== Adjusting swap usage behaviour ==

@@ Line 1: / Line 1: @@
 [[Category:Configuration]]
-Swap provides additional virtual memory by extending physical RAM. This can be accomplished by using space on disk, such as [[#Swap file|swap file]] or [[#Swap partition|swap partition]], or through compression based methods like [[#Zram swap|zram]]. Additionally, [[#Zswap swap cache|zswap]] can act as a RAM-based compressed cache sitting in front of a traditional disk-based swap device.
+Swap allows "cold" pages of virtual memory to be stored in places other than directly in the physical RAM, effectively allowing more pages to be stored. This can be accomplished by using space on disk, such as [[#Swap file|swap file]] or [[#Swap partition|swap partition]], or through compression based methods like [[#Zram swap|zram]]. Additionally, [[#Zswap swap cache|zswap]] can act as a RAM-based compressed cache sitting in front of a traditional disk-based swap device.
 = Configuration =
@@ Line 28: / Line 28: @@
 }}
-This will create a 16GB swapfile at <code>/var/lib/swapfile</code>. The <code>size</code> value [https://search.nixos.org/options?show=swapDevices.*.size is specified in megabytes]
+This will create a 16GB swapfile at <code>/var/lib/swapfile</code>. The <code>size</code> value [https://search.nixos.org/options?show=swapDevices.*.size is specified in megabytes]. This will cause a swap file to be generated and an entry to be set up in <code>/etc/fstab</code>.
 == Swap partition ==
 Swap partitions are typically created during the initial disk partitioning phase of a NixOS installation. For instructions on creating swap partitions, see the relevant NixOS manual sections for [https://nixos.org/manual/nixos/stable/#sec-installation-manual-partitioning-UEFI UEFI]/[https://nixos.org/manual/nixos/stable/#sec-installation-manual-partitioning-MBR MBR] partition schemes and [https://nixos.org/manual/nixos/stable/#sec-installation-manual-partitioning-formatting formatting].
+Swap partitions can be defined in <code>configuration.nix</code> like above or (if GPT) be automatically discovered by <code>systemd-gpt-auto-generator(8)</code>. Using the former allows you to have some control over swap mounting options and to enable features such as encrypted swap.
 == Zram swap ==
@@ Line 59: / Line 61: @@
    enable = true;
    writebackDevice = "/dev/sda1"
+};
 </nowiki>
 }}
@@ Line 108: / Line 111: @@
 </syntaxhighlight>
-If you are using GPT partitioning tables, <code>systemd-gpt-auto-generator(8)</code> will still mount your swap partition automatically. You must therefore turn on attribute 63 ("no automount") on ''each'' swap partition partition in the partition table. This can be done with gptfdisk or similar:
+If you are using GPT partitioning tables, <code>systemd-gpt-auto-generator(8)</code> will still mount your swap partition automatically. You must therefore turn on attribute 63 ("no-auto") on ''each'' swap partition partition in the partition table. This can be done with gptfdisk or similar:
 <syntaxhighlight lang="console">
@@ Line 132: / Line 135: @@
 === discard ===
-Solid state drives have fast random access times, which make them great for swap if you ignore the limited lifespan. Enabling TRIM (discard) on the swap files can help avoid unnecessary copy actions on the SSD, helping with performance and slightly reducing wear.
+Solid state drives have fast random access times, which make them great for swap if you ignore the limited lifespan. Enabling TRIM (discard) on the swap files can help avoid unnecessary copy actions on the SSD, reducing wear and potentially helping increase performance.
 <syntaxhighlight lang="nix">
 swapDevices = [{
@@ Line 139: / Line 142: @@
 }];
 </syntaxhighlight>
+A lower-impact option is <code>"discard=once"</code>, which runs discard exactly once when the swap is enabled, but does not continually issue discard commands as pages are being overwritten. This could make more sense depending on your hardware.
 <code>systemd-gpt-auto-generator(8)</code> does not automatically enable <code>discard</code>. Also, never enable <code>discard</code> on mdadm RAID setups, as ArchWiki reports that it causes lockup.
@@ Line 144: / Line 149: @@
 == Encrypt swap with random key ==
-Swap can be automatically encrypted with a new key on every boot.  This can be used to simplify certain disk layouts, such as securing a swap file on a filesystem partition without  an encryption container (such as LUKS).
+Because data from memory is evicted into swap, any secret data in memory can also end up in swap. Because the disks backing the swap is often nonvolatile (data is not lost after power cut), this can represent another way for data to end up in the wrong hands if you computer is seized.
+By encrypting the swap with a random key kept in memory, we make sure that the contents of the swap become unreadable as soon as the data in memory has been lost. NixOS contains a handy helper to help you do this, generating a new key on each boot:
+<syntaxhighlight lang="nix">swapDevices = [{
+  device = "/dev/disk/by-partuuid/aaaaaaaaa-bbbb-cccc-dddd-0123456789ab";
+  randomEncryption.enable = true;
+}];</syntaxhighlight>
+The selected device will have all its content made unusable at every boot. Using a partuuid or partlabel is recommended because it is less subject to change when the overall partition scheme changes.
+If you want to use TRIM, set <code>randomEncryption.allowDiscards</code> in addition to the <code>options</code>. This has the security implication of:
+* telling whoever gets ahold of your swap drive which parts are being actually used (bad),
+* telling your SSD to not give out the data in unused parts and to not try to keep them around during garbage collection (good).
+You will need to weigh between the two.
+'''Warning:''' On some NixOS versions, if <code>randomEncryption.enable = true</code> and the <code>swap</code> is a file (rather than a partition) located on an encrypted LUKS partition, [https://discourse.nixos.org/t/swap-file-on-luks-partition/72234 the system can freeze as soon as the swap is used.]
+Using a random key makes hibernation impossible. If you want to use hibernation, use a regular [[Full Disk Encryption]] with a fixed key. Alternatively, you can encrypt the swap partition separately:
+== Encrypt swap partition with password or fixed key ==
+If you prefer to encrypt the swap partition individually, first create an unformatted partition of the desired size, for example using <code>gparted</code>. In the following, the partition is <code>/dev/sdXY</code>. Then<syntaxhighlight lang="bash">
+sudo cryptsetup luksFormat /dev/sdXY --label lb_luks_swap
+sudo cryptsetup luksOpen /dev/disk/by-label/lb_luks_swap swap
+sudo mkswap /dev/mapper/swap -L lb_swap
+</syntaxhighlight>When asked, provide a password for unlocking the partition.
-<syntaxhighlight lang="nix">
+This will create
+* a LUKS container on the unformatted partition with label <code>lb_luks_swap</code>
+* open it and mount it under <code>/dev/mapper/swap</code>,
+* format it as swap with label <code>lb_swap</code>.
+If all is correct, block devices should look similar to:<syntaxhighlight lang="bash">
+$ lsblk -o +LABEL
+...
+└─sdaXY      259:16   0   128G  0 part                 lb_luks_swap
+  └─lb_swap  254:0    0   128G  0 crypt [SWAP]         lb_swap
+...
+</syntaxhighlight>To tell NixOS to use this partition for swap, add to <code>hardware-configuration.nix</code>:<syntaxhighlight lang="nix">
 swapDevices = [{
-   device = "/dev/sdXY";
+   device = "/dev/disk/by-label/lb_swap";
-   randomEncryption.enable = true;
+   encrypted = {
+    enable = true;
+    label = "swap";
+    blkDev = "/dev/disk/by-label/lb_luks_swap";
+  };
 }];
-</syntaxhighlight>
+</syntaxhighlight>This automatically adds the swap partition to <code>boot.initrd.luks.devices</code> so that <code>initrd</code> will ask for a password on reboot. initrd will automatically try to use the same password on any other LUKS volumes listed in <code>boot.initrd.luks.devices</code>. Therefore if you use the same password for other volumes you will only have to type it once. If all went well, the swap partition should be mapped at <code>/mapper/swap</code> and <code>/dev/disk/by-id/lb_swap</code>.
+It is also possible to specify a key file using the <code>--key-file</code> argument to <code>luksFormat</code> and <code>luksOpen</code>. Be aware that the system needs access to this file during boot, so if the key itself is stored on an encrypted volume, it may be tricky to get the unlock sequencing right.
 == Adjusting swap usage behaviour ==