Why encrypt the swap partition

Encryption of swap space is used to protect sensitive information. Consider an application that deals with passwords. As long as these passwords stay in physical memory, they will not be written to disk and will be cleared after a reboot. If the OS starts swapping out memory pages to free space for other applications, the passwords may be written to the disk platters unencrypted. Encrypting swap space can be a solution for this scenario.

Swap partitions are not encrypted by default and should be cleared of any sensitive data before continuing.

The swap partition can hold a lot of unencrypted confidential information and the fact that it persists after shutting down the computer can be a problem.

To encrypt SWAP, see Encrypted swap partition on Ubuntu

Extra Reading: Swap encryption, and Ubuntu - How to encrypt swap partition

Source: C. Brüffer


I assume you're talking about a home directory or full disk encryption installation.

Swap is allocated space on persistent storage (because it's cheaper), providing more virtual memory to the operating system. All your applications run in virtual memory, which holds all the unencrypted data for their operations. Chances are fairly high that portions of the data you've got encrypted on disk end up unencrypted in swap storage. Also, temporary in-memory things like encryption keys could be moved from physical memory to swap for some time (if the kernel decides so). With a plain encryption key, an attacker is certainly able to decrypt your whole hard drive.

Moreover, swap doesn't get wiped after you turn your PC off, unlike physical memory.

Also note that if you hibernate your system, all of the physical memory will be written to swap. This provides an even larger amount of data for a possible attacker.

Summarized: in the context of encrypting data on your machine, it is a very bad thing, from a security standpoint, not to encrypt swap if you handle encrypted files. It can even breach the complete security you're trying to achieve.


This is why, long ago, I became convinced to really encrypt my swap partition as well.

Try the following commands:
First find out your swap device, then find out if your user password (or any string critical for you) is stored somewhere on the swap memory:

  $ sudo swapon --summary
  Filename                                Type        ...
  /dev/mapper/vg_ubu476-lv_swap           partition   ...

  # strings must run as root: with "sudo strings < /dev/mapper/...", the
  # redirection is opened by your unprivileged shell and fails
  $ time sudo strings /dev/mapper/vg_ubu476-lv_swap | grep <any substring of your password>

If the password is not found, the command ends with no output. That took 40 seconds for me, with my 4 GiB of swap.
Try that with " | more" instead of " | grep <...>"; that will show whether you had wiped your disk from the very beginning, before encrypting, with random ASCII or not.

Beware of a problem: after those commands, your "substring of your password" will remain in your bash history, and you may feel the need to erase it. With a "substring of password" you have at least not got the complete password there... And: only root can look inside it.

My strings command looked into the decrypted layer of the system, which only exists while the OS is running.

Stepping beneath that, there is LVM, then the decrypted LUKS container, and finally the encrypted device (a large partition). You may try and scan them all with "strings".

When I ran that "strings" command for the first time, I found lots of root passwords, as I was using "su - root" instead of "sudo su -". Now, with sudo, I do not find any.

Performance - Believe me: I am working with 1.3 terabytes of encrypted data (system + large photo database) on three SSDs in a Thinkpad W520 without feeling any delays. But at least 8 GiB of memory may help somewhat.
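The check from the answer above, written up as a small script. This is an added example, not code from any post on this page. It reads the secret from standard input instead of taking it on the command line, so the "substring of your password" never reaches bash history or `ps` output, and it elevates only the read of the block device rather than the whole pipeline. The function names, the `lsblk`-based encryption check and the constructed demo image are my own assumptions; the device path is the one from the answer's `swapon --summary` output.

```shell
#!/bin/sh
# Added example, not taken from any answer on this page.
# Scans a swap device (or a swap image file) for a secret the way the
# "strings | grep" check above does, but without two pitfalls of that
# one-liner: the secret is never typed on a command line (so it does not
# land in shell history or in `ps` output), and only the read of the
# block device runs under sudo, not the grep.
# Assumptions: POSIX sh, coreutils (tr, mktemp, cat, head), grep -F -f,
# and util-linux lsblk for the encryption check.

# list_swap_devices: read a /proc/swaps-style listing on stdin and print
# one swap device path per line (the header line is skipped).
list_swap_devices() {
    awk 'NR > 1 { print $1 }'
}

# swap_is_dmcrypt DEVICE: exit 0 if DEVICE or any device beneath it in the
# block stack is a dm-crypt mapping (LUKS or plain). `lsblk -s` walks from
# the swap device down to the disk; this needs a real device, so it has no
# offline test.
swap_is_dmcrypt() {
    lsblk -sno TYPE -- "$1" 2>/dev/null | grep -qx crypt
}

# swap_holds_secret DEVICE: read a secret (one line) from stdin and exit 0 if
# it occurs inside a run of printable bytes on DEVICE, 1 if not, 2 on error.
# `tr -c '[:print:]' '\n'` does what `strings` does here: it splits the raw
# device into printable runs so grep -F can look for the secret inside them.
swap_holds_secret() {
    dev=$1
    IFS= read -r secret || true            # tolerate a missing trailing newline
    [ -n "$secret" ] || return 2
    pat=$(mktemp) || return 2
    chmod 600 "$pat"                       # pattern file readable by us only
    printf '%s\n' "$secret" > "$pat"
    unset secret
    if [ -r "$dev" ]; then
        tr -c '[:print:]' '\n' < "$dev" | grep -qF -f "$pat"
    else
        # Block devices are root-only: elevate only the read and keep grep
        # and the pattern file unprivileged. A plain "sudo cmd < /dev/..."
        # fails because the redirection is opened by the unprivileged shell.
        sudo cat -- "$dev" | tr -c '[:print:]' '\n' | grep -qF -f "$pat"
    fi
    rc=$?
    rm -f "$pat"
    return "$rc"
}

# make_demo_image FILE: write a small constructed "swap image" (zero pages
# with one plaintext credential line in the middle) so the scan can be tried
# offline before pointing it at a real swap device. The credential is made up.
make_demo_image() {
    {
        head -c 4096 /dev/zero
        printf 'login=alice password=Tr0ub4dor&3\n'
        head -c 4096 /dev/zero
    } > "$1"
}
```

To use it against real swap, source the file and run `swap_holds_secret /dev/mapper/vg_ubu476-lv_swap`, then type the substring and press Enter; it is read from the terminal, not from the arguments, so nothing is recorded in history. `swap_is_dmcrypt /dev/mapper/vg_ubu476-lv_swap` tells you whether that swap already sits on top of a dm-crypt mapping, which is the condition the answers above argue for.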