a combination; some have swap as a btrfs subvolume, some as a swapfile in root and those are encrypted, when the system boots it requests the encryption passphrase, regardless if it coldboots or restores. restores from swap are way faster than coldboot plus all your stuff is how you left it.
on some systems I have a separate swap partition outside of luks2/btrfs and that one's unencrypted. when it restores from there, it doesn't request the passphrase and the boot is even faster. that's obviously less secure but my threat model is a lost/stolen laptop, I seriously doubt someone's gonna forensic the shit out of my swap, it's more likeky it's gonna get wiped and sold.
to fully utilise this tech, it's essential to set up suspend-then-hibernate, another awesome feature that's way too cumbersome to set up. the laptop suspends for like 60 minutes and if it's not woken up, it hibernates to disk.
a combination; some have swap as a btrfs subvolume, some as a swapfile in root and those are encrypted, when the system boots it requests the encryption passphrase, regardless if it coldboots or restores. restores from swap are way faster than coldboot plus all your stuff is how you left it.
on some systems I have a separate swap partition outside of luks2/btrfs and that one's unencrypted. when it restores from there, it doesn't request the passphrase and the boot is even faster. that's obviously less secure but my threat model is a lost/stolen laptop, I seriously doubt someone's gonna forensic the shit out of my swap, it's more likeky it's gonna get wiped and sold.
to fully utilise this tech, it's essential to set up suspend-then-hibernate, another awesome feature that's way too cumbersome to set up. the laptop suspends for like 60 minutes and if it's not woken up, it hibernates to disk.