NetBSD-Bugs archive


kern/47136: encrypting swap is too hard



>Number:         47136
>Category:       kern
>Synopsis:       encrypting swap is too hard
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Oct 28 19:05:00 +0000 2012
>Originator:     Taylor R Campbell <campbell+netbsd%mumble.net@localhost>
>Release:        NetBSD 6.99.12
>Organization:
>Environment:
Architecture: any
Machine: any
>Description:

        Swap encryption involves no key management or permanent data
        storage for the operator to worry about, so it should be
        super-easy to turn on with the flick of a switch, but it's
        not.  I would like to just do

                sysctl -w vm.encrypt_swap=1

        or put that into /etc/sysctl.conf, but instead I have to
        configure a cgd (which uses up a cgd number and therefore
        figures in the system's administration in various ways such as
        /etc/fstab and /etc/cgd/cgd.conf), set up something in
        /etc/rc.local or /etc/rc.conf.d to automatically disklabel it
        at the right time, and then tell the system to swap onto it.

>How-To-Repeat:

        1. Try to enable swap encryption.
        2. Realize that there are a bunch of moving parts to mess with.
        3. Give up in frustration.
        4. Look for another PR on the subject.
        5. Wonder why there wasn't one submitted ten years ago.
        6. Write recursive PR.
        7. ???
        8. Profit?

>Fix:

        Yes, please!


