Cover image banner for encrypting existing swap partition on Linux using LUKS (Linux Unified Key Setup)

Why Encrypt the Swap Partition?

Encrypting the home partition is a good first step toward ensuring data confidentiality. However, a typical system usually stores some information outside /home such as in swap partitions which are not encrypted by default. This poses a security threat as sensitive information can be gleaned from the swap partition, even if the /home partition is encrypted.

A potential remedy is to disable swap, but this solution is not the best as sometimes one would want to use a swap partition to support certain features such as hibernation. In this case, it is imperative to encrypt the swap partition as well. Having an encrypted swap partition ensures that data cannot be leaked from the swap space.

In this article, we’re going to see how to enable encryption on the swap partition, all while having suspend-to-disk support. When the computer is turned on from a previous hibernation, the encrypted swap partition is unlocked, and the system resumes from there.

Step 1: Disable Current Swap

First, it is important to determine whether your system is already using swap space.

swapon -s

If that’s the case, then you should disable it as follows:

sudo swapoff -a

Moreover, any line in the /etc/fstab file which references swap partitions should be removed.

Step 2: Choose a Swap Partition

Next, run this command in the Terminal to list all available partitions:

sudo fdisk --list | grep -E "/dev/sd|/dev/nvme"
List all partitions on Linux

Choose the partition that you would like to use as swap and note the partition name (not the disk name!) found in the first column of the output and having the following format: /dev/xxxx.

If you do not have any free partition to use for the swap, you can shrink any partition of your choice to make space for a new partition using a utility such as gparted.

When allocating space for a swap partition, make sure the partition size is at least the square root of the total RAM size, rounded up to the nearest GB.

For example, if you have 8 GB RAM, sqrt(8) = 2.8284. This means the swap partition should be at least 3 GB, assuming you won’t be hibernating the system. For hibernation, you should factor in a couple more Gigabytes.

Step 3: Encrypt the Swap Partition Using LUKS

We will now encrypt the partition which will be used as swap. If you don’t have cryptsetup installed already, you can install it using your package manager.

  1. To make our task easier, let’s create a shell variable to denote the swap partition.
export PART_SWAP="/dev/xxxx"


Make sure to replace /dev/xxxx with the correct partition name from Step 2!
  1. Then, unmount the new partition that will be encrypted. If you get any error, simply ignore it.
sudo umount $PART_SWAP
  1. Encrypt the partition by formatting it as a LUKS device:
sudo cryptsetup -v luksFormat --type luks2 --cipher aes-xts-plain64 --key-size 512 --hash sha512 $PART_SWAP

You will be asked to enter a passphrase to encrypt the partition. Enter a strong password (at least 12 characters) containing a mix of lowercase and uppercase letters, numbers, and symbols.

Encrypt LUKS partition
  1. Unmount the encrypted partition. If you get any error, simply ignore it.
sudo umount $PART_SWAP

Step 4: Create Swap Filesystem on the Encrypted Partition

Open the new encrypted LUKS partition with mapping name cryptswap.

sudo cryptsetup -v luksOpen $PART_SWAP cryptswap
Unlock (Open) LUKS partition

Then, create a swap filesystem inside the encrypted partition.

sudo mkswap /dev/mapper/cryptswap
Create swap partition in Linux

Step 5: Activate the Encrypted Swap Partition

It is a good idea to check if the swap partition was properly encrypted first:

cryptsetup status cryptswap
LUKS verify encrypted device

We can now activate the swap partition if the previous command gave a healthy output.

sudo swapon /dev/mapper/cryptswap

Step 6: Update System Configurations

At this point, the system should be using an encrypted swap partition. However, we need to change some configurations for three reasons:

  1. To unlock encrypted partitions at boot time.
  2. To instruct the kernel which partition to resume from, in case the system was hibernated during the previous shutdown.
  3. To persist using the encrypted swap partition between reboots.

Step 6.1: Unlock Encrypted Partitions at Boot Time

Let’s create another shell variable to denote the luksUUID of the encrypted swap partition.

export UUID_SWAP=$(sudo cryptsetup luksUUID $PART_SWAP)


Make sure that the value of the UUID_SWAP shell variable has been set correctly.

Get LUKS UUID of the encrypted partition

Step 6.1.1: For Manjaro, Arch Linux, and Derivatives


These instructions apply to Manjaro, Arch Linux, and derivatives only. See below (Step 6.1.2) for Ubuntu and Debian derivatives.

We should configure mkinitcpio hooks so that the OS can access encrypted partitions before the login screen appears.

sudo gedit /etc/mkinitcpio.conf

Comment the line starting with HOOKS= and use the one provided below instead:

HOOKS="base systemd autodetect modconf kms keyboard sd-vconsole plymouth block sd-encrypt filesystems fsck"


It is important for the block and sd-encrypt hooks to be in that order, and before the filesystems hook.

Then, rebuild all initramfs as follows:

sudo mkinitcpio -P

Step 6.1.2: For Ubuntu, Debian, and Derivatives


These instructions apply to Ubuntu, Debian, and derivatives only. See above (Step 6.1.1) for Manjaro and Arch Linux derivatives.

Add entry in /etc/crypttab

echo "cryptswap     UUID=$UUID_SWAP     none    luks" | sudo tee -a /etc/crypttab

Step 6.2: Resuming From Hibernation Using the Swap Partition

Step 6.2.1: For Manjaro, Arch Linux, and Derivatives


These instructions apply to Manjaro and Arch Linux derivatives only. See below (Step 6.2.2) for Ubuntu, Debian, and derivatives.

It is possible to instruct the kernel which encrypted partition to unlock and resume from through the and resume directives respectively.

These should be added on the line starting with GRUB_CMDLINE_LINUX_DEFAULT (within the double quotes) in the /etc/default/grub file.

It is possible to achieve this automatically by issuing this sed command:

sudo sed -i "s/^GRUB_CMDLINE_LINUX_DEFAULT=\"/GRUB_CMDLINE_LINUX_DEFAULT=\"${UUID_SWAP}=cryptswap resume=\/dev\/mapper\/cryptswap /" /etc/default/grub

Because we had a shell variable $UUID_SWAP earlier, it will be expanded automatically, and this is what sed added in my case: resume=/dev/mapper/cryptswap

For example, on my setup the complete modified line in the /etc/default/grub file looks like this:

GRUB_CMDLINE_LINUX_DEFAULT=" resume=/dev/mapper/cryptswap quiet splash apparmor=1 security=apparmor udev.log_priority=3"

Then, run these commands for GRUB to use the updated configuration:

sudo update-grub
sudo grub-mkconfig

Step 6.2.2: For Ubuntu, Debian, and Derivatives


These instructions apply to Ubuntu, Debian, and derivatives only. See above (Step 6.2.1) for Manjaro and Arch Linux derivatives.

Edit the /etc/initramfs-tools/conf.d/resume file. Replace the existing RESUME line with the following line:


If the file does not exist, create it with only that line.


Whenever new kernels are installed, this step must be repeated.

Rebuild all initramfs:

sudo update-initramfs -u -k all

Step 6.3: Persist the Encrypted Swap Partition Between Reboots

Add entry in /etc/fstab by running this command:

echo "/dev/mapper/cryptswap	    none	swap	defaults 0 0" | sudo tee -a /etc/fstab


It is important to do a complete shutdown instead of restarting the machine for the first time only. This is to ensure that the configuration changes have been properly applied.


Afterwards, you can hibernate the system through the GUI or by running this command in the Terminal:

systemctl hibernate

You can still also do a normal shutdown if you don’t want to hibernate every time.


From now on, you should see a prompt to enter a passphrase for unlocking the swap partition whenever the computer is turned on. If you have other encrypted partitions (e.g /home) with the same password, you will be asked to enter the password only once per boot.

Congrats for adding “resume from hibernation” feature on an encrypted swap partition, and more importantly, for making your Linux installation more secure!

# Footnotes