Encrypted swap partition that enables upon boot with dm-crypt Corne lukken

quick steps
How to create an encrypted swap partition that enables upon boot? With dm-crypt and some small configuration changes; notably in /etc/fstab and /etc/crypttab, it turned out to be quite easy. The only downside to this method is the inability to resume from hibernation. With that in mind the first step is to have a suitable partition, this can be done using any standard tool but the most commonly used one is gparted. If inexperienced with partitioning tools this guide is best avoided, the reader is fully expected to be able to set up an empty partition of the desired size on his own. With the partition ready execute the following commands and be sure to replace `PARTITION` with your own desired partition. Be sure to remember the password you set for the new dm-crypt partition.

cryptsetup -y -v luksFormat /dev/PARTITION
cryptsetup luksOpen /dev/PARTITION cryptswap
dd if=/dev/zero of=/dev/mapper/cryptswap
mkswap /dev/mapper/cryptswap

Setup crypttab

In order for the system to mount the swap partition at boot it needs to be unlocked by configuring /etc/crypttab. The block device id is needed to uniquely identify the partition in crypttab, for this execute lsblk -f. From the output copy the UUID for the partition which is of FSTYPE crypto_LUKS.

At this point the decision can be made to setup a new password for the swap partition upon every reboot, however, this will make it impossible to resume from hibernation. As an alternative a text file can be stored on a secure place in the filesystem which contains the dm-crypt partition password. The text file should be owned by root with group root and permissions 700.

Random password for every boot

Edit /etc/crypttab and add a similar line, be sure to replace the UUID
cryptswap UUID=12345678-1234-1234-1234-123456789abc /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256
Save the changes to crypttab and proceed to edit fstab in /etc/fstab. Edit fstab by appending the line:
/dev/mapper/cryptswap none swap defaults 0 0

Same password for every boot

Create a small file containing the password in plain text, preferably in /root/cryptpasswd, the code below can be executed as root to setup the required configuration. PASSWORD and THEUUID variables ofcourse need to be changed.
PASSWORD="your-password-here" THEUUID="your-uuid-here" echo "$PASSWORD" | tee /root/cryptpasswd chown root /root/cryptpasswd chgrp root /root/cryptpasswd chmod o-rwx /root/cryptpasswd echo "cryptswap UUID=$THEUUID /root/cryptpasswd" >> /etc/crypttab PASSWORD="" THEUUID=""

Quick steps

Execute the following and adjust variables where necessary
PARTITION="sda" PASSWORD="your-password-here" THEUUID="your-uuid-here" cryptsetup -y -v luksFormat /dev/$PARTITION cryptsetup luksOpen /dev/$PARTITION cryptswap dd if=/dev/zero of=/dev/mapper/cryptswap mkswap /dev/mapper/cryptswap echo "$PASSWORD" | tee /root/cryptpasswd chown root /root/cryptpasswd chgrp root /root/cryptpasswd chmod o-rwx /root/cryptpasswd echo "cryptswap UUID=$THEUUID /root/cryptpasswd" >> /etc/crypttab echo "/dev/mapper/cryptswap none swap defaults 0 0" >> /etc/fstab PASSWORD="" THEUUID=""