Enable and use zRAM instead for swap

It's enabled by default in Fedora and Ubuntu; it would be good to have it on Kicksecure.

As suggested here to be used on SSD, without the need to use swap:

1 Like

There are a couple aspects to this that need to be explored.

For one, there’s zram and zswap. zram is fully ephemeral - no data in RAM ever touches the disk in any form, encrypted or otherwise. This helps reduce disk wear-and-tear, and could be theoretically useful from a security standpoint. However, it does mean that systems with lower RAM can only get so much out of zram - the amount of stuff you can have in RAM increases, but there’s an upper limit that depends on what kind of data you’re working on.

zswap on the other hand is basically zram and a swapfile combined. Data is compressed in RAM first, and then infrequently used data is swapped out to disk. This gives you speed benefits, and it lets you fit more stuff in your RAM than normal while also allowing you to have the “virtually infinite memory” capabilities of a normal swapfile. However, it’s a bit trickier to configure, and it does end up with memory contents written to disk which could be bad from a security standpoint (though I think swap-file-creator is encrypting the swapfile).

I personally prefer zram on my systems, however for VMs with only 2 or 3 GB RAM zswap might be more practical. swap-file-creator might be a good place to configure this?

2 Likes

Thanks for the input. I see only the need to use zram, no need for anything else, as I don't think any disk swap is needed on today's hardware.

  • Suspend to RAM (aka suspend)
  • Suspend to disk (aka hibernate)

Yes.

hibernate requires swap.

Yes.

A different configuration is needed for host versus VMs?

What advantages and disadvantages would we get with zram, zswap,

  • inside VM,
  • on the host operating system?
1 Like

Unsupported feature (by default).

It’s not so much a question of whether it’s in a VM or on the host, as it is a question of how much RAM there is. zram has the advantages of being totally ephemeral and very fast, but it can only increase available RAM so much. According to zram - Gentoo wiki, zram offers about a 3:1 compression ratio. This doesn’t let you just say “a 4 GB RAM system will act like it has 12 GB”, since you have to account for overhead, but assuming you have 1 GB of uncompressed RAM at any one time and the remainder is compressed, you could expand 4 GB to approximately (3 * 3) + 1 = 10 GB. 3 GB could be expanded to about 7 GB. 2 GB could expand to about 4 GB, which is where you start getting cramped. Moderate-to-light web browsing gets hard at that point.

zswap of course gets around this issue by allowing you to also swap RAM contents out to disk, but that’s much slower and also not totally ephemeral. (Certainly with encryption it’s close to impossible to ever read the RAM contents, but in theory just not saving memory to disk is even more secure.) Also the overhead of encrypting and decrypting swap contents makes things even slower.

Perhaps we could use zswap for systems with <= 2 GB RAM, and zram otherwise?

Supported.

What another distribution does or does not do is by itself not an argument. → Why don’t you do what <other operating system> does? applies.

Before re-inventing here… What are the settings of other distributions?

  • Kubuntu 24.04
    • Doesn’t use zram or zswap by default at all.
  • Ubuntu Desktop 24.04
    • Apparently also doesn’t use zram or zswap by default at all anymore!
  • Fedora 40
    • zram enabled by default. Places swap on zram, with the zram device set to 50% of RAM size. (Changes/SwapOnZRAM - Fedora Project Wiki) This mentions the device size is capped at 4 GB, however on my 16 GB VM the zram device is 8 GB so maybe they increased that. Algorithm used is lzo-rle, which is fast but doesn’t compress all that well.
  • Debian
    • Not enabled by default, no recommendations for size or algorithm, mentions using zram-tools or systemd-zram-generator for easier management of zram devices.
  • Arch Linux
    • Not enabled by default, documentation suggests creating a device half the size of available memory but mentions that making a device with a size equal to or larger than available memory is acceptable. Suggests using the zstd algorithm, which compresses better, and mentions that real-world use often shows a 3:1 compression ratio.
  • Manjaro
    • Not enabled by default, documentation suggests creating a device twice the size of available memory. Also suggests using the zstd algorithm.
  • Gentoo
    • Not enabled by default, documentation (which is very thorough) mentions a plethora of different sizes and algorithms and makes no effort to recommend any particular size or algorithm that I can tell. Also mentions the 3:1 compression ratio.

So really it’s all over the map. Personally, I’ve previously used a zram device equal to the size of my physical memory with lzo-rle compression, but recently have been experimenting with a zram device size of (physical memory size - 1 GB) * 3 with zstd to see how it goes. Personally I think using zstd rather than lzo-rle is a very good idea if we’re going to try using zram devices larger than physical memory, since it should compress better according to zram-config/README.md at main · ecdye/zram-config · GitHub

lzo-rle is the fastest with zstd having much better text compression.

I personally would shy away from supporting hibernation. It’s incompatible with Secure Boot, systems sometimes experience malfunctions when using it with Linux (maybe even oftentimes), and it requires that RAM contents be saved to disk either unencrypted or with a recoverable encryption key, which is a substantial reduction of security since now otherwise volatile data is now persistent.

1 Like
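The sizing arithmetic from the posts above, as an added example (not code from Kicksecure or swap-file-creator). The function names are hypothetical; the 3:1 ratio, the 1 GB uncompressed reserve, the (RAM - 1 GB) * 3 device size and the 2 GB zswap threshold are the figures given in this thread. It also shows how much RAM is left if the device fills at a worse ratio than 3:1.

```shell
#!/bin/sh
# Added example: the sizing arithmetic discussed in this thread, in MiB.
# Thread assumptions: ~3:1 compression, 1 GiB of RAM kept uncompressed.
# zram metadata overhead is ignored here.
RATIO_X10=30          # 3.0:1, in tenths so other ratios can be tested
UNCOMPRESSED_MB=1024

# Effective capacity: (RAM - 1 GiB) * 3 + 1 GiB
effective_capacity_mb() {
    if [ "$1" -le "$UNCOMPRESSED_MB" ]; then echo "$1"; return 0; fi
    echo $(( ($1 - $UNCOMPRESSED_MB) * $RATIO_X10 / 10 + $UNCOMPRESSED_MB ))
}

# zram device size under trial in the thread: (RAM - 1 GiB) * 3
zram_disksize_mb() {
    if [ "$1" -le "$UNCOMPRESSED_MB" ]; then echo 0; return 0; fi
    echo $(( ($1 - $UNCOMPRESSED_MB) * 3 ))
}

# Proposal from the thread: zswap at <= 2 GB RAM, zram otherwise
pick_backend() {
    if [ "$1" -le 2048 ]; then echo zswap; else echo zram; fi
}

# RAM left over (MiB) when that device is full and data compresses at
# ratio $2/10. Negative means the device cannot be filled without OOM.
headroom_mb() {
    disksize=$(zram_disksize_mb "$1")
    echo $(( $1 - $disksize * 10 / $2 ))
}

# Constructed sample RAM sizes; on a live system use instead:
#   awk '/^MemTotal:/ {print int($2/1024)}' /proc/meminfo
for ram in 2048 3072 4096; do
    echo "RAM=$ram backend=$(pick_backend "$ram")" \
         "effective=$(effective_capacity_mb "$ram")" \
         "disksize=$(zram_disksize_mb "$ram")" \
         "headroom@3:1=$(headroom_mb "$ram" 30)" \
         "headroom@2:1=$(headroom_mb "$ram" 20)"
done
```

At 3:1 the (RAM - 1 GB) * 3 device always leaves exactly 1 GB free; at 2:1 a 4 GB system is already 512 MB short, which is why the choice of compression algorithm matters once the device is larger than physical memory.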

Until we decide the future of swap in Kicksecure…

Let’s break support for hibernation by default. Then swap-file-creator could also create a smaller swap file by default.

Related:

Usage: calculate-swap-size [RAM in MB] [Hibernation (yes/no)]

Examples:

  • calculate-swap-size 4096 yes
    

Calculating swap size…
RAM in MB: 4096
Hibernation considered: yes
RAM in GB (approximated for calculation): 4
RAM > 2GB and <= 8GB with hibernation: Swap size is 2 times the RAM
Calculated Swap Size in MB: 8192

  • calculate-swap-size 4096 no
    

Calculating swap size…
RAM in MB: 4096
Hibernation considered: no
RAM in GB (approximated for calculation): 4
RAM > 2GB and <= 8GB without hibernation: Swap size equals RAM
Calculated Swap Size in MB: 4096

A smaller swap file by default is small progress.

Once decided what to do about zswap / zram, we might even deprecate the current default file based swap.

Until now I know about zram

Is zram swap encrypted on encrypted partitions?

Any way to determine if it's encrypted?
lsblk labels only the root partition as crypt.

zram is inside RAM. And RAM is unencrypted by default.

RAM Encryption is very difficult to accomplish. Off-topic in this forum thread. See also:
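On the question above of how to tell whether a swap area is encrypted, an added example (not part of the original posts, and not Kicksecure code): it classifies each entry of /proc/swaps as RAM-only (zram), on disk under dm-crypt, or on disk in plaintext. The function names and verdict strings are hypothetical; it assumes `lsblk` and `findmnt` from util-linux, and walks the whole device stack so that swap on LVM on top of LUKS is still recognised.

```shell
#!/bin/sh
# Added example: classify each active swap area by where its pages end up.

# classify_swap NAME TYPES
#   NAME:  first column of /proc/swaps
#   TYPES: space-separated lsblk TYPE values of the device and its parents
classify_swap() {
    case "$1" in
        /dev/zram*) echo "ram-only-unencrypted"; return 0 ;;
    esac
    case " $2 " in
        "  ")          echo "unknown" ;;
        *" crypt "*)   echo "encrypted-on-disk" ;;
        *)             echo "plaintext-on-disk" ;;
    esac
}

# backing_types NAME KIND: resolve the device stack on a live system.
# For a swap file, inspect the device holding the file's filesystem.
backing_types() {
    dev=$1
    if [ "$2" = file ]; then
        dev=$(findmnt -n -o SOURCE -T "$1" 2>/dev/null)
    fi
    if [ -n "$dev" ]; then
        # -s lists the device plus everything it is stacked on
        lsblk -slno TYPE "$dev" 2>/dev/null | tr '\n' ' '
    fi
}

# audit_swaps: read /proc/swaps-format text on stdin, print "NAME: verdict".
audit_swaps() {
    while read -r name kind rest; do
        if [ "$name" = "Filename" ] || [ -z "$name" ]; then continue; fi
        case "$name" in
            /dev/zram*) types="" ;;
            *)          types=$(backing_types "$name" "$kind") ;;
        esac
        echo "$name: $(classify_swap "$name" "$types")"
    done
}

if [ -r /proc/swaps ]; then audit_swaps < /proc/swaps; fi
```

A `crypt` verdict only says the pages pass through dm-crypt before reaching disk; whether the key is random per boot or recoverable has to be checked in the mapping's own configuration.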