Ubuntu – Is ecryptfs-setup-swap persistent


I have what I think is a quick question: Is running ecryptfs-setup-swap on a system that didn't have home-directory or swap encryption enabled when it was installed persistent? The man page at http://manpages.ubuntu.com/manpages/precise/man1/ecryptfs-setup-swap.1.html states that ecryptfs-setup-swap "will detect existing swap partitions or swap files, and encrypt them, using cryptsetup." I don't understand whether ecryptfs-setup-swap needs to be run every time the system is booted, or if it just needs to be run once to make a permanent change to how swap space is handled by the system. If the change is permanent, is it permanent for all users on the system, or just the one that runs ecryptfs-setup-swap (I may be confused about how swap space works in general, I realize)?

To be clear, I do understand that I also need to run ecryptfs-migrate-home on the system to encrypt the home directory for my user account, and that that change will be persistent. I'm just confused about how swap space is handled.

I would appreciate any information to help me understand better! Thank you!

P.S. A tutorial at http://bodhizazen.com/Tutorials/Ecryptfs states that after using ecryptfs-setup-swap, "a new entry for your encrypted swap is automatically generated in /etc/fstab , but unfortunately as of this writing ,the old entry is not removed and you must remove it manually (or suffer error messages when you boot)." Is that still true?

Full disclosure: I have also posted this question at https://superuser.com/questions/576097/is-ecryptfs-setup-swap-persistent. Once the question is answered either here or there, I will take down the unanswered instance.

Best Answer

Running ecryptfs-setup-swap makes permanent changes to /etc/fstab and /etc/crypttab that ensure your swap space is encrypted at every boot.

A random key is generated and used to encrypt swap at each boot.

The only exception to the above occurs if you add new swap files or swap partitions after you've run ecryptfs-setup-swap, as it only operates on the swap space present at that time.

Full disclosure: I'm the author and maintainer of eCryptfs and ecryptfs-setup-swap.