Even with full-disk encryption you have two options that I'd recommend over a swap file:
- lvm on luks: inside the luks dm-crypt container, create multiple logical volumes: one for swap, one for the root filesystem
- swap on dm-crypt: create a separate encrypted partition for swap
Since the swap data needs no permanence, it's possible to generate a new encryption key every boot. Debian's crypttab supports this out of the box [0]:
(although I'd recommend using a /dev/disk/by-id/ path there, for obvious reasons. The scripts do check there's no valid signature on the partition before formatting, but still...)
[0] https://manpages.debian.org/buster/cryptsetup-run/crypttab.5...
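
A check for the device-path concern raised above, as an added example that is not part of the original comment: a small Python linter that flags crypttab entries combining a random key and the `swap` option with a kernel-assigned device name, since those entries are reformatted on every boot. The sample crypttab, the by-id name in it, and the function name `lint_crypttab` are constructed for illustration.

```python
import re

# Kernel-assigned names (sda6, nvme0n1p3, ...) can move between boots;
# /dev/disk/by-id/... and similar persistent paths do not.
UNSTABLE = re.compile(
    r"^/dev/(?:[shv]d[a-z]+\d*|xvd[a-z]+\d*|nvme\d+n\d+(?:p\d+)?|mmcblk\d+(?:p\d+)?)$"
)
RANDOM_KEYS = {"/dev/urandom", "/dev/random"}

# Constructed sample crypttab; the by-id name is a placeholder, not a real disk.
SAMPLE = """\
# <target> <source> <key file> <options>
cswap1 /dev/sda6 /dev/urandom cipher=aes-xts-plain64,size=256,swap
cswap2 /dev/disk/by-id/ata-EXAMPLE_DISK_SERIAL-part6 /dev/urandom cipher=aes-xts-plain64,size=256,swap
croot  /dev/nvme0n1p2 none luks
"""

def lint_crypttab(text):
    """Return (line_no, target, source) for each per-boot random-key swap
    entry whose source device is a kernel-assigned name."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # no options field, so it cannot carry 'swap'
        target, source, keyfile, options = fields[:4]
        option_names = {opt.split("=", 1)[0] for opt in options.split(",")}
        # Only entries that are re-keyed and re-formatted every boot matter here.
        if keyfile in RANDOM_KEYS and "swap" in option_names:
            if UNSTABLE.match(source):
                findings.append((line_no, target, source))
    return findings

if __name__ == "__main__":
    for line_no, target, source in lint_crypttab(SAMPLE):
        print(f"line {line_no}: {target} uses {source}; prefer a /dev/disk/by-id/ path")
```
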