···
+
randomEncryptionCoerce = enable: { inherit enable; };
+
randomEncryptionOpts = { ... }: {
+
Encrypt swap device with a random key. This way you won't have a persistent swap device.
+
WARNING: Don't try to hibernate when you have at least one swap partition with
+
this option enabled! We have no way to set the partition into which hibernation image
+
is saved, so if your image ends up on an encrypted one you would lose it!
+
WARNING #2: Do not use /dev/disk/by-uuid/… or /dev/disk/by-label/… as your swap device
+
when using randomEncryption as the UUIDs and labels will get erased on every boot when
+
the partition is encrypted. Best to use /dev/disk/by-partuuid/…
+
default = "aes-xts-plain64";
+
example = "serpent-xts-plain64";
+
Use specified cipher for randomEncryption.
+
Hint: Run "cryptsetup benchmark" to see which one is fastest on your machine.
+
default = "/dev/urandom";
+
example = "/dev/random";
+
Define the source of randomness to obtain a random key for encryption.
swapCfg = {config, options, ...}: {
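Review bot: The `source` description at the end of this hunk ("Define the source of randomness to obtain a random key for encryption.") gives no guidance on choosing between the default `/dev/urandom` and the example `/dev/random`. Add a sentence on the trade-off, for instance whether a blocking source can delay swap activation during boot, so a reader does not copy the example value on the assumption that it is simply the stronger setting. The `cipher` description has a similar gap: its only hint is about speed via `cryptsetup benchmark`, so it would help to say that the default `aes-xts-plain64` is what users should keep unless they have a specific reason to change it.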
···
+
randomEncryption = mkOption {
+
cipher = "serpent-xts-plain64";
+
source = "/dev/random";
+
type = types.coercedTo types.bool randomEncryptionCoerce (types.submodule randomEncryptionOpts);
Encrypt swap device with a random key. This way you won't have a persistent swap device.
+
HINT: run "cryptsetup benchmark" to test cipher performance on your machine.
WARNING: Don't try to hibernate when you have at least one swap partition with
this option enabled! We have no way to set the partition into which hibernation image
···
WARNING #2: Do not use /dev/disk/by-uuid/… or /dev/disk/by-label/… as your swap device
when using randomEncryption as the UUIDs and labels will get erased on every boot when
the partition is encrypted. Best to use /dev/disk/by-partuuid/…
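Review bot: The top-level `randomEncryption` description repeats the hibernation warning, the by-uuid/by-label warning and the `cryptsetup benchmark` hint that the options in `randomEncryptionOpts` already carry, and the copies have already diverged ("Hint: Run ... to see which one is fastest" versus "HINT: run ... to test cipher performance"). Keep each warning in one place, or have one description refer to the other, so that a later edit to the hibernation or partuuid guidance cannot leave the two texts out of sync.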