On Sun, Aug 16, 2015 at 03:55:24PM +0200, Lars Wirzenius wrote:
> Could we enable encryption of swap by default, even when full disk
> encryption is not used? As far as I understand, there is no
> performance issue for this for most hardware made in the past
> half-decade.

This is obviously wrong. The performance cost may be low to the effect that it is negligible on "recent hardware", but it is not zero; even if you run it on custom crypto hardware that wouldn't otherwise be used except for crypto operation, that would make that hardware unavailable (or at the very least, less available) for other crypto operations.

> Swap encryption also doesn't require the user to enter a
> password: it can be generated on the fly for each boot.

This also makes it impossible to use suspend-to-disk, as that uses the swap partition to write the state of the current RAM, which needs to be reread at boot time; if you encrypt the swap partition with a random key, you can't read it at the next boot, so you've removed the ability to use that feature.

-- 
It is easy to love a country that is famous for chocolate and beer
  -- Barack Obama, speaking in Brussels, Belgium, 2014-03-26
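The conflict described in the reply above, as an added check that is not part of the thread: it reads /etc/crypttab-style text, finds swap mappings keyed from /dev/urandom (so a fresh key every boot), and flags whether the configured hibernation resume device is one of them. The crypttab content and the resume device are constructed sample inputs; on a real system they would come from /etc/crypttab and the resume= kernel parameter (or the initramfs resume config).

```shell
#!/bin/sh
# Constructed sample crypttab (assumption, not from the thread):
# a swap partition with a random per-boot key, plus a LUKS root.
SAMPLE_CRYPTTAB='# <target> <source> <key file> <options>
cswap /dev/sda3 /dev/urandom swap,cipher=aes-xts-plain64,size=256
root  UUID=0000-constructed none luks'

# Print mapping names whose key file is /dev/urandom and whose options
# include "swap": these get a new key each boot, so their content is
# unreadable after a reboot.
random_swap_mappings() {
    # $1: crypttab content
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|$)/ { next }                   # skip comments/blank lines
        $3 == "/dev/urandom" && $4 ~ /(^|,)swap(,|$)/ { print $1 }
    '
}

# Exit 0 when the resume device is a random-keyed swap mapping, i.e.
# suspend-to-disk cannot resume; exit 1 otherwise.
resume_conflicts() {
    # $1: crypttab content, $2: resume device (e.g. /dev/mapper/cswap)
    name=${2#/dev/mapper/}
    for m in $(random_swap_mappings "$1"); do
        [ "$m" = "$name" ] && return 0
    done
    return 1
}

# Stand-alone demonstration on the constructed sample.
if resume_conflicts "$SAMPLE_CRYPTTAB" /dev/mapper/cswap; then
    echo "resume device is random-keyed swap: hibernation cannot resume"
fi
```

Keeping hibernation means the swap must be unlockable with the same key at the next boot (a LUKS passphrase or key file), not a key drawn from /dev/urandom.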