Add support for encrypted swap

Update examples/swap.yml to use latest linuxkit/swap image Add comment to examples/swap.yml how to enable encryption Add encrypt options to README Make encrypted swap the default Signed-off-by: Avi Deitcher <avi@deitcher.net>
2025-07-20 09:39:08 +00:00 · 2017-04-29 23:46:57 +03:00 · 2017-04-29 23:46:57 +03:00 · aebd255755
commit aebd255755
parent 805be09669
4 changed files with 19 additions and 9 deletions
--- a/examples/swap.yml
+++ b/examples/swap.yml
@ -48,16 +48,19 @@ onboot:
    rootfsPropagation: shared
    command: ["/mount.sh", "/var/external"]
  - name: swap
-    image: "linuxkit/swap:d089b31acad8a5f6a5f1c368ddd1dfe1d049b100"
+    image: "linuxkit/swap:a881d50445ea27624be67dcda39313e7a2051982"
    net: host
    pid: host
    capabilities:
     - CAP_SYS_ADMIN
+     - CAP_MKNOD
    readonly: true
    binds:
     - /var:/var
     - /dev:/dev
-    command: ["/swap.sh", "--path", "/var/external/swap", "--size", "1G"]
+    # to use unencrypted swap, use:
+    # command: ["/swap.sh", "--path", "/var/external/swap", "--size", "1G"]
+    command: ["/swap.sh", "--path", "/var/external/swap", "--size", "1G", "--encrypt"]
 services:
  - name: rngd
    image: "linuxkit/rngd:3dad6dd43270fa632ac031e99d1947f20b22eec9"
--- a/pkg/swap/Dockerfile
+++ b/pkg/swap/Dockerfile
@ -2,9 +2,9 @@ FROM alpine:3.5

 # swap command - only minimal Alpine install

-# use util-linux to get swapfile utils
-#   at some point, hopefully use our own mkswap and swapon
-RUN apk add --update util-linux
+# use util-linux to get swapfile utils, cryptsetup
+#   at some point, hopefully use our own mkswap and swapon, as well as cryptsetup
+RUN apk add --update util-linux cryptsetup

 # add the entrypoint and make it executable
 COPY . ./
--- a/pkg/swap/README.md
+++ b/pkg/swap/README.md
@ -8,11 +8,12 @@ Normally, unless you are running explicitly in a desktop version, LinuxKit image
 ```
 onboot:
  - name: swap
-    image: "linuxkit/swap:1.0.0"
-    net: none
+    image: "linuxkit/swap:a881d50445ea27624be67dcda39313e7a2051982"
+    net: host
    pid: host
    capabilities:
     - CAP_SYS_ADMIN
+     - CAP_MKNOD
    readonly: true
    binds:
     - /dev:/dev
@ -34,7 +35,8 @@ Options are passed to it via command-line options. The following are the options
 |`--path`|Path to file as seen in the underlying OS||**Yes**||
 |`--size`|Target swapfile size||**Yes**||
 |`--condition`|_condition_||No|Condition that must be met to create a swapfile|
-|`--debug`||No|Turns on verbose output from the command making the swap|
+|`--debug`|||No|Turns on verbose output from the command making the swap|
+|`--encrypt`|||No|Encrypts swapfile|


 #### File
@ -49,6 +51,11 @@ You **always** should put the swap file somewhere under `/var`, since that is wh

 If disk space on the requested partition is insufficient to create the swapfile, the container exits with an error.

+#### Encryption
+If you want the swapfile to be encrypted, pass the `--encrypt` option. It will create an encrypted swapfile at the path you provide to `--path`, using devicemapper to map the clear device to `/dev/mapper/swapfile`.
+
+Encryption is performed using `cryptsetup` with `plain` encryption, using `/dev/urandom` to generate a random keyfile, key size of `256`, and cipher `aes-cbc-essiv:sha256`.
+
 #### Conditions
 You may want to create a swapfile only if certain conditions are met. Supported conditions are:

--- a/pkg/swap/swap.sh
+++ b/pkg/swap/swap.sh
@ -126,7 +126,7 @@ if [ "$ENCRYPT" == "true" ]; then
 	#loop=$(losetup -f)
 	#losetup ${loop} ${path}

-	cryptsetup open --type plain --key-file /dev/urandom --key-size=256 --hash=sha256 --cipher=aes-cbc-essiv --offset=0  ${path} swapfile
+	cryptsetup open --type plain --key-file /dev/urandom --key-size=256 --cipher=aes-cbc-essiv:sha256 --offset=0  ${path} swapfile
 	SWAPDEV=/dev/mapper/swapfile
 else
 	SWAPDEV=$path