Its enabled by default in fedora and ubuntu, would be good to have it on kicksecure.
As suggested here to be used on SSD, without the need to use swap:
Its enabled by default in fedora and ubuntu, would be good to have it on kicksecure.
As suggested here to be used on SSD, without the need to use swap:
There are a couple aspects to this that need to be explored.
For one, there’s zram and zswap. zram is fully ephemeral - no data in RAM ever touches the disk in any form, encrypted or otherwise. This helps reduce disk wear-and-tear, and could be theoretically useful from a security standpoint. However, it does mean that systems with lower RAM can only get so much out of zram - the amount of stuff you can have in RAM increases, but there’s an upper limit that depends on what kind of data you’re working on.
zswap on the other hand is basically zram and a swapfile combined. Data is compressed in RAM first, and then infrequently used data is swapped out to disk. This gives you speed benefits, and it lets you fit more stuff in your RAM than normal while also allowing you to have the “virtually infinite memory” capabilities of a normal swapfile. However, it’s a bit trickier to configure, and it does end up with memory contents written to disk which could be bad from a security standpoint (though I think swap-file-creator is encrypting the swapfile).
I personally prefer zram on my systems, however for VMs with only 2 or 3 GB RAM zswap might be more practical. swap-file-creator might be a good place to configure this?
Thanks for the input, i see only to use zram, no need for anything else, as i dont think any disk swap is needed in nowadays hardware.
Yes.
hibernate requires swap.
Yes.
A different configuration is needed for host versus VMs?
What advantages and disadvantage we’d get wiht zram, zwap,
Unsupported feature (by default).
It’s not so much a question of whether it’s in a VM or on the host, as it is a question of how much RAM there is. zram has the advantages of being totally ephemeral and very fast, but it can only increase available RAM so much. According to zram - Gentoo wiki, zram offers about a 3:1 compression ratio. This doesn’t let you just say “a 4 GB RAM system will act like it has 12 GB”, since you have to account for overhead, but assuming you have 1 GB of uncompressed RAM at any one time and the remainder is compressed, you could expand 4 GB to approximately (3 * 3) + 1 = 10 GB. 3 GB could be expanded to about 7 GB. 2 GB could expand to about 4 GB, which is where you start getting cramped. Moderate-to-light web browsing gets hard at that point.
zswap of course gets around this issue by allowing you to also swap RAM contents out to disk, but that’s much slower and also not totally ephemeral. (Certainly with encryption it’s close to impossible to ever read the RAM contents, but in theory just not saving memory to disk is even more secure.) Also the overhead of encrypting and decrypting swap contents makes things even slower.
Perhaps we could use zswap for systems with <= 2 GB RAM, and zram otherwise?
Supported.
Its enabled by default in fedora and ubuntu,
what another distribution does or not does is by itself not an argument. → Why don’t you do what <other operating system>
does? applies.
Perhaps we could use zswap for systems with <= 2 GB RAM, and zram otherwise?
Before re-inventing here… What are their settings of other distributions?
Before re-inventing here… What are their settings of other distributions?
lzo-rle
, which is fast but doesn’t compress all that well.So really it’s all over the map. Personally, I’ve previously used a zram device equal to the size of my physical memory with lzo-rle compression, but recently have been experimenting with a zram device size of (physical memory size - 1 GB) * 3 with zstd to see how it goes. Personally I think using zstd rather than lzo-rle is a very good idea if we’re going to try using zram devices larger than physical memory, since it should compress better according to zram-config/README.md at main · ecdye/zram-config · GitHub
lzo-rle
is the fastest withzstd
having much better text compression.
hibernate requires swap.
I personally would shy away from supporting hibernation. It’s incompatible with Secure Boot, systems sometimes experience malfunctions when using it with Linux (maybe even oftentimes), and it requires that RAM contents be saved to disk either unencrypted or with a recoverable encryption key, which is a substantial reduction of security since now otherwise volatile data is now persistent.
Until we decide the future of swap in Kicksecure…
Let’s break support for hibernation by default. Then swap-file-creator could also create a smaller swap file by default.
Related:
calculate-swap-size
Usage: calculate-swap-size [RAM in MB] [Hibernation (yes/no)]
Examples:
calculate-swap-size 4096 yes
Calculating swap size…
RAM in MB: 4096
Hibernation considered: yes
RAM in GB (approximated for calculation): 4
RAM > 2GB and <= 8GB with hibernation: Swap size is 2 times the RAM
Calculated Swap Size in MB: 8192
calculate-swap-size 4096 no
Calculating swap size…
RAM in MB: 4096
Hibernation considered: no
RAM in GB (approximated for calculation): 4
RAM > 2GB and <= 8GB without hibernation: Swap size equals RAM
Calculated Swap Size in MB: 4096
A smaller swap file by default is a small progress.
Once decided what to do about zwap / zram, we might even deprecate the current default file based swap.
to have a smaller default swap file by default and because hibernation is not y…
Until now i know about zram
Is zram swap encrypted on encrypted partitions?
Any way to determine if its encrypted
Lsblk lsbels only root partition as crypt
zram is inside RAM. And RAM is unencrypted by default.
RAM Encryption is very difficult to accomplish. Off-topic in this forum thread. See also: