How to Disable ESXi Swap Files for Security-Sensitive VMs Handling Decrypted Data in Memory


When running security-sensitive workloads like encrypted databases or cryptographic operations in Solaris/Linux VMs, ESXi's default swap behavior creates potential exposure. The hypervisor automatically creates .vswp files equal to a VM's configured memory minus any reservation (default location: /vmfs/volumes/datastore/vmname/vmname-#######.vswp). These files persist across crashes, creating security concerns when:

  • Processing decrypted data in VM memory
  • Handling cryptographic keys
  • Meeting regulatory requirements for data-at-rest encryption

A common misconception is that setting 100% memory reservation eliminates swap files. While setting mem.reservation=100% via the vSphere API, or running:

vim-cmd vmsvc/getallvms | grep [vmname]
vim-cmd vmsvc/guest.getmemreservation [vmid]

does prevent memory ballooning, ESXi still creates zero-byte placeholder files. This satisfies its memory overcommit architecture but leaves swap infrastructure active.

Host-Wide Swap Disable (ESXi 6.7+)

For environments where no VMs require swapping:

esxcli system settings advanced set -o /Mem/SwapPersist -i 0
esxcli system settings advanced set -o /Mem/UsePseudoSwap -i 0

This prevents both physical swap files and pseudo-swap (compressed cache). Verify with:

esxcli system settings advanced list -o /Mem/SwapPersist
esxcli system settings advanced list -o /Mem/UsePseudoSwap

Per-VM Swap Control

For mixed environments, modify VMX configurations:

sched.swap.derivedName = ""
sched.swap.dir = ""
swap.derivedName = ""
priority.mem.overcommit = FALSE

Add these via PowerCLI:

Get-VM "SecureVM" | New-AdvancedSetting -Name "sched.swap.derivedName" -Value "" -Confirm:$false
Get-VM "SecureVM" | New-AdvancedSetting -Name "sched.swap.dir" -Value "" -Confirm:$false

After implementation:

  1. Check active swap with esxtop (press 'm' for memory view)
  2. Monitor datastore for .vswp file creation
  3. Verify VM memory statistics in vCenter/ESXTOP show zero swap usage

Disabling swap requires:

  • Guaranteed physical RAM for all VMs (no overcommit)
  • Proper NUMA alignment for memory-bound workloads
  • Active monitoring for memory pressure

For PCI-DSS or HIPAA environments, the security tradeoff typically justifies the resource allocation requirement.


When running security-sensitive workloads like encrypted Solaris/Linux VMs on ESXi, swap files (.vswp) pose a significant risk. These files may:

  • Cache decrypted data from memory during normal operations
  • Persist indefinitely after host crashes
  • Bypass memory encryption protections

Many administrators attempt to solve this by configuring 100% memory reservation:

# Example of memory reservation in VMX configuration
memreservation = "16384"  # 16GB reservation

However, ESXi still creates swap files in these scenarios:

  1. During VM power-on operations
  2. For memory overhead calculations
  3. When using certain advanced features like Fault Tolerance

Host-Level Configuration

To disable swap files globally on an ESXi host:

# SSH into ESXi host and run:
esxcli system settings advanced set -o /Mem/SwapPolicy -i 0

This sets the swap policy to "none". Available policies are:

Value  Policy       Effect
0      none         No swap files created
1      virtual      Default behavior
2      conditional  Only under memory pressure

Per-VM Configuration

For granular control on specific VMs:

# Add these lines to the VM's .vmx file:
sched.mem.pshare.enable = "FALSE"
prefvmx.minVmMemPct = "100"
mainmem.useNamedFile = "FALSE"

Key parameters explained:

  • mainmem.useNamedFile: Disables swap file creation
  • prefvmx.minVmMemPct: Ensures full memory allocation
  • sched.mem.pshare.enable: Disables memory sharing

After implementation, verify swap file behavior:

# Check active swap policy
esxcli system settings advanced list -o /Mem/SwapPolicy

# Monitor VM memory usage
esxtop -b -n 1 | grep -i mem

When complete disablement isn't possible:

  1. Configure encrypted swap using VM Encryption (requires vCenter)
  2. Set up cron jobs to periodically wipe swap files
  3. Use VMFS encryption for the datastore containing swap files

Disabling swap files affects:

  • VM power-on operations (may require contiguous memory)
  • Memory overcommitment capabilities
  • Host recovery from memory pressure situations

Always test in non-production environments first.
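Both answers end with "monitor the datastore for .vswp file creation" as the verification step. The script below is an added example (not code from either answer): it walks a datastore root, reports every swap file with its size, and flags non-empty ones whose VM has no sched.swap.derivedName / sched.swap.dir override in its .vmx. It assumes the standard ESXi layout /vmfs/volumes/<datastore>/<vmname>/ with the .vmx and .vswp side by side, and is written for busybox/POSIX sh so it runs in the ESXi shell; the root directory is an argument so it can be pointed at a test tree.

```shell
#!/bin/sh
# Audit VM swap files under a datastore root (added example, not from the page).
# Usage: audit_vswp /vmfs/volumes/<datastore>   (root is an assumed argument)

# Size of a file in bytes; wc -c on stdin avoids non-portable stat flags.
file_size() { wc -c < "$1" | tr -d ' '; }

# Print one line per .vswp found under $1, sorted by path:
#   <status> <bytes> <path>
# EMPTY                 zero-byte placeholder (reservation in effect)
# NONEMPTY              guest memory may have been written to disk
# NONEMPTY-UNCONFIGURED non-empty AND the VM's .vmx sets no sched.swap.* override
audit_vswp() {
    root="$1"
    find "$root" -type f -name '*.vswp' | sort | while IFS= read -r swp; do
        bytes=$(file_size "$swp")
        dir=$(dirname "$swp")
        status=EMPTY
        if [ "$bytes" -gt 0 ]; then
            status=NONEMPTY
            # A VM directory normally holds one .vmx; -s hides "no such file"
            # if the glob does not match, which then counts as unconfigured.
            if ! grep -qsE '^sched\.swap\.(derivedName|dir)' "$dir"/*.vmx; then
                status=NONEMPTY-UNCONFIGURED
            fi
        fi
        echo "$status $bytes $swp"
    done
}

# Print the number of non-empty swap files under $1 and exit non-zero if any
# exist, so the function can drive a cron job or monitoring check directly.
nonempty_vswp_count() {
    n=$(audit_vswp "$1" | grep -c '^NONEMPTY' || true)
    echo "$n"
    [ "$n" -eq 0 ]
}
```

Run it after applying either answer's settings; a clean result lists only EMPTY placeholders (or nothing at all) and nonempty_vswp_count returns 0.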