It is sensible that if you have any sort of block device encryption implemented on your GNU/Linux system, to encrypt your swap partition too, as any decrypted data may be written in cleartext at any time to the swap.
Looking at the debian man page for "crypttab" I see an example of creating a randomly keyed swap partition on boot-up, so the key is set randomly as the boot proceeds and known only to the system itself:
# Encrypted swap device
cswap /dev/sda6 /dev/urandom cipher=aes-cbc-essiv:sha256,hash=ripemd160,size=256,swap
In this example the swap device is referred to by a conventional dev path, i.e. /dev/sda6.
Absolute device paths are subject to change and may be re-assigned at boot-up if, say, a USB drive is plugged in. A user would be very unhappy if /dev/sda6 happened to be a different partition than expected and it was subsequently overwritten with random swap data!
So the solution would seem to be: use a UUID instead of a device path (as a UUID shouldn't change), replacing /dev/sda6 with /dev/disk/by-uuid/<whatever the uuid of /dev/sda6 is>
BUT ... here's the problem: Every time cryptsetup recreates the encrypted swap partition at boot time it generates a new UUID for it! Doh!
So we need to preserve the UUID of this encrypted filesystem somehow. I think cryptsetup can do this with its --offset switch, allowing for preservation of the LUKS header and thus the UUID.
I have found this URL: https://wiki.archlinux.org/index.php/System_Encryption_with_LUKS#Using_UUIDs_with_encrypted_swap_partitions
Does anyone know how to implement the solution described for Arch Linux on the Debian OS? The init scripts referred to in the document seem not to exist on the Debian OS.
Thanks!
EDIT
One could use ecryptfs to achieve the same ends (encrypted swap space) using the command:
ecryptfs-setup-swap
without the problems that beset block device encryption.
Have a look at this AskUbuntu query
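As an added example (not part of the question above, and not Debian's or Arch's own tooling), the following POSIX shell script lints a crypttab for random-keyed swap entries whose source is an unstable kernel device path, and shows the shape of an entry that references the device by UUID while reserving the first 2048 sectors with offset= so a small filesystem carrying that UUID is not overwritten at each boot. The crypttab content, the by-id name and the UUID are constructed sample values; the offset= option and its sector count are assumptions taken from Debian's crypttab(5) documentation of plain-mode options and should be checked against the installed version before use.

```shell
#!/bin/sh
# Added example: lint crypttab swap entries for unstable device paths.
# All input below is constructed inline; no block device is read or written.

CRYPTTAB_SAMPLE='# Encrypted swap device
cswap /dev/sda6 /dev/urandom cipher=aes-cbc-essiv:sha256,hash=ripemd160,size=256,swap
cswap2 /dev/disk/by-id/ata-EXAMPLE-DISK-part6 /dev/urandom cipher=aes-xts-plain64,size=256,swap'

# check_swap_source PATH: prints "unstable" for enumeration-order kernel names,
# "stable" for /dev/disk/by-* symlinks, "unknown" for anything else.
check_swap_source() {
  case "$1" in
    /dev/sd*|/dev/nvme*|/dev/vd*|/dev/hd*) echo unstable ;;
    /dev/disk/by-*) echo stable ;;
    *) echo unknown ;;
  esac
}

# lint_crypttab: reads crypttab text on stdin and prints
# "<name> <source> <stable|unstable|unknown>" for each entry carrying the swap option.
# Comment lines and blank lines are skipped.
lint_crypttab() {
  while read -r name src key opts; do
    case "$name" in ''|\#*) continue ;; esac
    case ",$opts," in *,swap,*) ;; *) continue ;; esac
    printf '%s %s %s\n' "$name" "$src" "$(check_swap_source "$src")"
  done
}

# count_unstable: number of swap entries on stdin that use an unstable path.
count_unstable() {
  lint_crypttab | awk '/ unstable$/ { n++ } END { print n + 0 }'
}

# make_offset_entry NAME UUID: a crypttab line for a random-keyed swap device
# addressed by the UUID of a small filesystem at the start of the partition.
# offset=2048 (1 MiB of 512-byte sectors) is an assumed value: the encrypted
# area starts after it, so the filesystem header holding the UUID survives.
make_offset_entry() {
  printf '%s /dev/disk/by-uuid/%s /dev/urandom cipher=aes-xts-plain64,size=256,offset=2048,swap\n' \
    "$1" "$2"
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$CRYPTTAB_SAMPLE" | lint_crypttab
printf 'unstable entries: %s\n' "$(printf '%s\n' "$CRYPTTAB_SAMPLE" | count_unstable)"
make_offset_entry cswap 0f3a5c7e-EXAMPLE-UUID-0000-000000000000
```

Run it against a copy of /etc/crypttab (`lint_crypttab < /etc/crypttab`) to spot entries that would format whichever disk happens to enumerate as /dev/sda6; before adopting an offset= entry, confirm that the Debian cryptsetup init scripts on the system honour the option and that the reserved filesystem really does sit entirely inside the first 2048 sectors.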