With ramfs there is no dynamic size limit. The ramfs size is severely cut off from RAM when the ramfs starts, so ramfs is not optimal in memory cost. With tmpfs, an empty filesystem doesn't take RAM space.
And that is true, tmpfs can be swapped to disk. Therefore it is desirable to disable swap. If you leave swap enabled, some tmpfs (root fs) data may be saved to swap. This data may contain the names of your AppVMs and other confidential information.
The simplest solution:
sudo swapoff -a
No swap, no problem.
Or, if swap is necessary for some reason, you need a separate physical SSD storage for swap.
- We can encrypt the standard QubesOS swap [LVM Logical] volume /dev/qubes_dom0/swap, but that will be a double encryption, because /dev/qubes_dom0/swap is already encrypted with the underlying [LVM Physical] qubes_dom0 volume. That's why we don't do that.
Instead, we'll encrypt the swap SSD with a detached header, so no one knows it's a swap SSD (moreover, that it is an encrypted drive at all; it is just an unformatted disk with random data). The swap header file can be removed immediately, as the swap drive data is temporary and not valuable.
1. Prepare a swap drive, let's say sdX:
DRIVE=/dev/sdX
2. Fill sdX with a uniform layer of random data:
sudo dd if=/dev/urandom of=$DRIVE bs=4096 status=progress
3. Encrypt drive with detached header:
Generate a keyfile (instead of a password):
cd /dev/shm
sudo dd bs=512 count=4 if=/dev/urandom of=swapkey.luks iflag=fullblock
sudo chmod 600 swapkey.luks
Format and open the drive:
yes | sudo cryptsetup luksFormat $DRIVE --key-file swapkey.luks --header swap-header.luks
sudo cryptsetup luksOpen --header swap-header.luks --key-file swapkey.luks $DRIVE swap
4. Create and mount a new swap:
sudo mkswap /dev/mapper/swap
sudo swapon /dev/mapper/swap
swap-header.luks is the drive header file.
For more details, see:
https://wiki.archlinux.org/title/Dm-crypt/Device_encryption
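To confirm that tmpfs pages cannot land on unencrypted swap after either option above (no swap, or swap on a dm-crypt mapping), the following check is an added example and not part of the original post. It assumes /proc/swaps lists kernel device names such as /dev/dm-N and that sysfs exposes the device-mapper UUID and lower devices under /sys/class/block; the function names and the SYSFS override are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): audit active swap areas.
# SYSFS can be overridden to run the check against a constructed tree.
SYSFS=${SYSFS:-/sys}

# Succeeds if block device $1 (kernel name such as dm-3) is a dm-crypt
# mapping, or is stacked on one (e.g. an LVM volume on an encrypted PV).
# No `local` in POSIX sh: nothing below reuses a variable after recursing.
is_crypt_backed() {
    uuid_file="$SYSFS/class/block/$1/dm/uuid"
    if [ -r "$uuid_file" ]; then
        case "$(cat "$uuid_file")" in
            CRYPT-*) return 0 ;;  # cryptsetup sets DM UUIDs to CRYPT-<type>-...
        esac
    fi
    for slave in "$SYSFS/class/block/$1/slaves"/*; do
        [ -e "$slave" ] || continue          # unmatched glob: no lower device
        if is_crypt_backed "$(basename "$slave")"; then return 0; fi
    done
    return 1
}

# Reads /proc/swaps-format text on stdin and prints one verdict per swap area.
# Returns 0 only if every listed area is crypt-backed (or there is no swap).
audit_swaps() {
    rc=0
    while read -r path type _rest; do
        [ "$path" = "Filename" ] && continue  # header line
        [ -n "$path" ] || continue
        if [ "$type" != "partition" ]; then
            echo "UNVERIFIED $path"           # swap file: backing device not traced
            rc=1
        elif is_crypt_backed "$(basename "$path")"; then
            echo "OK $path"
        else
            echo "PLAINTEXT $path"
            rc=1
        fi
    done
    return "$rc"
}
```

Run it as `audit_swaps < /proc/swaps`. A volume like /dev/qubes_dom0/swap is reported OK because the walk follows its lower devices down to the encrypted physical volume.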