Swap: Difference between revisions

== Encrypt swap with random key ==


Swap can be automatically encrypted with a new key on every boot. This can be used to simplify certain disk layouts, such as securing a swap file on a filesystem partition without an encryption container (such as LUKS).
Because data from memory is evicted into swap, any secret data in memory can also end up in swap. Because the disk backing the swap is often non-volatile (its data survives a power cut), this is another way for data to end up in the wrong hands if your computer is seized.

By encrypting the swap with a random key that is kept only in memory, we make sure that the contents of the swap become unreadable as soon as the data in memory is lost. NixOS contains a handy helper to do this, generating a new key on each boot:


<syntaxhighlight lang="nix">
}];
</syntaxhighlight>
If you want to use TRIM, set <code>randomEncryption.allowDiscards</code> in addition to the <code>options</code>. This has two security implications:
* it tells whoever gets hold of your swap drive which parts are actually in use (bad),
* it tells your SSD not to give out the data in unused parts (good).
You will need to weigh these two against each other.
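As an added example (not the snippet from this article), here is a complete <code>swapDevices</code> declaration showing the default random-key setup next to the TRIM-enabled variant described above; the path <code>/var/swapfile</code>, the size and the partition label <code>swap</code> are assumptions for illustration.

```nix
{ ... }:

{
  # Added example for the NixOS "Swap" article, not the wiki's own snippet.
  # Each entry is encrypted with a key generated at boot and held only in RAM
  # (randomEncryption), so swap contents are unreadable once power is lost.
  # The same property means the system cannot resume from hibernation.
  swapDevices = [
    # Variant A: swap file on the root filesystem, no TRIM (the default).
    # Nothing on disk reveals which regions of the swap are in use, and the
    # SSD keeps freed (encrypted) blocks until they are overwritten.
    {
      device = "/var/swapfile";        # assumed path; created if absent
      size = 8192;                     # assumed size, in MiB
      randomEncryption.enable = true;
    }

    # Variant B: swap partition with TRIM passed through the encryption layer.
    # Both settings are needed: allowDiscards opens the dm-crypt mapping with
    # discards permitted, and "discard" in options makes swapon issue them.
    # Trade-off from the article: the SSD can drop freed blocks (good), but the
    # allocation pattern of the swap becomes visible to whoever holds the disk (bad).
    {
      device = "/dev/disk/by-partlabel/swap";   # assumed partition label
      randomEncryption.enable = true;
      randomEncryption.allowDiscards = true;
      options = [ "discard" ];
    }
  ];
}
```

Pick only one of the two variants for a given machine; they are listed together here purely to show the two settings side by side.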


== Adjusting swap usage behaviour ==