feat(dmcrypt): improve comment-based documentation

aa-00-00/dmcrypt

@@ -7,16 +7,22 @@
 
 
 # Global
-## How long to wait for each timeout (in seconds)
+## How long to wait for each timeout (seconds)
 dmcrypt_key_timeout="1"
 ## Max number of checks to perform (see dmcrypt_key_timeout)
 #dmcrypt_max_timeout="300"
-# Number of password retries
+## Number of password retries
 dmcrypt_retries="5"
 
-
+# Swap (list first to prevent key leakage into unencrypted swap)
-# swap
+## In the case of a swap partition, create the filesystem, beforehand, and add an offset to the cryptsetup swap options
-## These should come first so no keys make their way into unencrypted swap.
+## below so the PARTUUID is not overwritten by cryptsetup and can be used as the source device.
+## If using AES-XTS as the cipher, a key size of double the target security level should be used as XTS mode splits the
+## key size, making a key size of 512 bits effectively 256 bits (AES-256), and a key size of 256 bits effectively 128
+## bits (AES-128).
+## For ephemeral swap which has a randomly-generated, per-boot key, set the key file as /dev/urandom; all data will be
+## irreversibly lost on system shutdown or reboot. Note that using ephemeral swap prevents hibernation to the target
+## swap partition.
 swap="swap"
 source="PARTUUID=[REDACTED]"
 options="--offset 2048 --cipher aes-xts-plain64 --key-size 512 --key-file /dev/urandom"