update: file "dmcrypt" "3.0.0" > "4.0.0"

aa-00-00/dmcrypt

@@ -1,22 +1,28 @@
-# Inferencium - aa000-0
+# Inferencium - aa-00-00
 # dm-crypt - Configuration
-# Version: 3.0.0
+# Version: 4.0.0
 
 # Copyright 2023 Jake Winters
 # SPDX-License-Identifier: BSD-3-Clause
 
 
 # Global
-## How long to wait for each timeout (in seconds)
+## How long to wait for each timeout (seconds)
 dmcrypt_key_timeout="1"
 ## Max number of checks to perform (see dmcrypt_key_timeout)
 #dmcrypt_max_timeout="300"
-# Number of password retries
+## Number of password retries
 dmcrypt_retries="5"
 
-
-# swap
-## These should come first so no keys make their way into unencrypted swap.
+# Swap (list first to prevent key leakage into unencrypted swap)
+## In the case of a swap partition, create the filesystem, beforehand, and add an offset to the cryptsetup swap options
+## below so the PARTUUID is not overwritten by cryptsetup and can be used as the source device.
+## If using AES-XTS as the cipher, a key size of double the target security level should be used as XTS mode splits the
+## key size, making a key size of 512 bits effectively 256 bits (AES-256), and a key size of 256 bits effectively 128
+## bits (AES-128).
+## For ephemeral swap which has a randomly-generated, per-boot key, set the key file as /dev/urandom; all data will be
+## irreversibly lost on system shutdown or reboot. Note that using ephemeral swap prevents hibernation to the target
+## swap partition.
 swap="swap"
 source="PARTUUID=[REDACTED]"
 options="--offset 2048 --cipher aes-xts-plain64 --key-size 512 --key-file /dev/urandom"