o Add a section on swap encryption

o Remove the swap encryption stuff from the disk encryption section

Reviewed by:	Ken Tom, remko

en_US.ISO8859-1/books/handbook/disks/chapter.sgml

@@ -4093,17 +4093,6 @@ Filesystem     Size   Used  Avail Capacity  Mounted on
       <para>More information about the use of &man.geli.8; can be
         found in the manual page.</para>
 
-      <sect3>
-	<title>Encrypting a Swap Partition</title>
-
-	<para>The following example demonstrates how to create a
-	  <command>geli</command> encrypted swap partition.</para>
-
-	<screen>&prompt.root; <userinput>dd if=/dev/random of=/dev/ad0s1b bs=1m</userinput>
-&prompt.root; <userinput>geli onetime -d -a 3des ad0s1b</userinput>
-&prompt.root; <userinput>swapon /dev/ad0s1b.eli</userinput></screen>
-      </sect3>
-
       <sect3>
 	<title>Using the <filename>geli</filename> <filename>rc.d</filename> Script</title>
 
@@ -4130,6 +4119,137 @@ geli_da2_flags="-p -k /root/da2.key"</screen>
       </sect3>
     </sect2>	
   </sect1>
+
+
+  <sect1 id="swap-encrypting">
+    <sect1info>
+      <authorgroup>
+	<author>
+	  <firstname>Christian</firstname>
+	  <surname>Br&uuml;ffer</surname>
+	  <contrib>Contributed by </contrib>
+	</author>
+      </authorgroup>
+    </sect1info>
+
+    <title>Encrypting Swap Space</title>
+    <indexterm>
+      <primary>swap</primary>
+      <secondary>encrypting</secondary>
+    </indexterm>
+
+    <para>Swap encryption in &os; is easy to configure and has been
+      available since &os; 5.3-RELEASE.  Depending on which version
+      of &os; is being used, different options are available
+      and configuration can vary slightly.  From &os; 6.0-RELEASE onwards,
+      the &man.gbde.8; or &man.geli.8; encryption systems can be used
+      for swap encryption.  With earlier versions, only &man.gbde.8; is
+      available.  Both systems use the <filename>encswap</filename>
+      <link linkend="configtuning-rcd">rc.d</link> script.</para>
+
+    <para>The previous section, <link linkend="disks-encrypting">Encrypting
+      Disk Partitions</link>, includes a short discussion on the different
+      encryption systems.</para>
+
+    <sect2>
+      <title>Why should Swap be Encrypted?</title>
+
+      <para>Like the encryption of disk partitions, encryption of swap space
+	is done to protect sensitive information.  Imagine an application
+	that e.g. deals with passwords.  As long as these passwords stay in
+	physical memory, all is well.  However, if the operating system starts
+	swapping out memory pages to free space for other applications, the
+	passwords may be written to the disk platters unencrypted and easy to
+	retrieve for an adversary.  Encrypting swap space can be a solution for
+	this scenario.</para>
+    </sect2>
+
+    <sect2>
+      <title>Preparation</title>
+
+      <note>
+	<para>For the remainder of this section, <devicename>ad0s1b</devicename>
+	  will be the swap partition.</para>
+      </note>
+
+      <para>Up to this point the swap has been unencrypted.  It is possible that
+	there are already passwords or other sensitive data on the disk platters
+	in cleartext.  To rectify this, the data on the swap partition should be
+	overwritten with random garbage:</para>
+
+      <screen>&prompt.root; <userinput>dd if=/dev/random of=/dev/ad0s1b bs=1m</userinput></screen>
+    </sect2>
+
+    <sect2>
+      <title>Swap Encryption with &man.gbde.8;</title>
+
+      <para>If &os; 6.0-RELEASE or newer is being used, the
+	<literal>.bde</literal> suffix should be added to the device in the
+	respective <filename>/etc/fstab</filename> swap line:</para>
+
+      <screen>
+# Device                Mountpoint      FStype  Options         Dump    Pass#
+/dev/ad0s1b.bde         none            swap    sw              0       0
+      </screen>
+
+      <para>For systems prior to &os; 6.0-RELEASE, the following line
+	in <filename>/etc/rc.conf</filename> is also needed:
+
+      <programlisting>gbde_swap_enable="YES"</programlisting>
+    </sect2>
+
+    <sect2>
+      <title>Swap Encryption with &man.geli.8;</title>
+
+      <para>Alternatively, the procedure for using &man.geli.8; for swap
+	encryption is similar to that of using &man.gbde.8;.  The
+	<literal>.eli</literal> suffix should be added to the device in the
+	respective <filename>/etc/fstab</filename> swap line:</para>
+
+      <screen>
+# Device                Mountpoint      FStype  Options         Dump    Pass#
+/dev/ad0s1b.eli         none            swap    sw              0       0
+      </screen>
+
+      <para>&man.geli.8; uses the <acronym>AES</acronym> algorithm with
+	a key length of 256 bit by default.</para>
+
+      <para>Optionally, these defaults can be altered using the
+	<literal>geli_swap_flags</literal> option in
+	<filename>/etc/rc.conf</filename>.  The following line tells the
+	<filename>encswap</filename> rc.d script to create &man.geli.8; swap
+	partitions using the Blowfish algorithm with a key length of 128 bit,
+	a sectorsize of 4096 kilobyte and the <quote>detach on last close</quote>
+	option set:</para>
+
+      <programlisting>geli_swap_flags="-a blowfish -l 128 -s 4096 -d"</programlisting>
+
+      <para>Please refer to the description of the <command>onetime</command> command
+	in the &man.geli.8; manual page for a list of possible options.</para>
+    </sect2>
+
+    <sect2>
+      <title>Verifying that it Works</title>
+
+      <para>Once the system has been rebooted, proper operation of the
+	encrypted swap can be verified using the
+	<command>swapinfo</command> command.</para>
+
+      <para>If &man.gbde.8; is being used:</para>
+
+      <screen>&prompt.user; <userinput>swapinfo</userinput>
+Device          1K-blocks     Used    Avail Capacity
+/dev/ad0s1b.bde    542720        0   542720     0%
+      </screen>
+
+      <para>If &man.geli.8; is being used:</para>
+
+      <screen>&prompt.user; <userinput>swapinfo</userinput>
+Device          1K-blocks     Used    Avail Capacity
+/dev/ad0s1b.eli    542720        0   542720     0%
+      </screen>
+    </sect2>
+  </sect1>
 </chapter>
 
 <!--