The swap partition can hold a lot of unencrypted confidential information, and the fact that it persists after shutting down the computer can be a problem.

Encrypting a swap partition, however, is slightly tricky if one also wants to support suspend-to-disk (also called hibernation). Here's a procedure that worked for me on both Debian Stretch and Ubuntu 18.04 (Bionic Beaver):

  1. Install the cryptsetup package:

    apt install cryptsetup

  2. Add this line to /etc/crypttab:

    sda2_crypt /dev/sda2 /dev/urandom cipher=aes-xts-plain64,size=256,swap,discard

  3. Set the swap partition to be this in /etc/fstab:

    /dev/mapper/sda2_crypt none swap sw 0 0

You will of course want to replace /dev/sda2 with the partition that currently holds your unencrypted swap.
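
To confirm the result of the three steps above, the following check (an added example, not part of the original procedure) reads an fstab and a crypttab and reports every swap entry that is not backed by a dm-crypt mapping with a random key and the `swap` option. The function name, the status labels and the sample files are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit swap entries.
# check_swap_encrypted FSTAB CRYPTTAB   (hypothetical helper name)
# Prints one status line per swap entry in FSTAB and returns 1 if any
# entry deviates from the random-key setup described above.
check_swap_encrypted() {
    fstab=$1; crypttab=$2; rc=0
    # fstab fields: device mountpoint type options dump pass
    for dev in $(awk '$1 !~ /^#/ && $3 == "swap" { print $1 }' "$fstab"); do
        case $dev in
            /dev/mapper/*) name=${dev#/dev/mapper/} ;;
            *) echo "UNENCRYPTED $dev"; rc=1; continue ;;
        esac
        # crypttab fields: name source keyfile options
        line=$(awk -v n="$name" '$1 == n { print $3, $4; exit }' "$crypttab")
        if [ -z "$line" ]; then
            echo "NO_CRYPTTAB_ENTRY $dev"; rc=1; continue
        fi
        key=${line%% *}; opts=${line#* }
        # Without the swap option the mapping is not reformatted as swap at boot.
        case ",$opts," in
            *,swap,*) ;;
            *) echo "MISSING_SWAP_OPTION $dev"; rc=1; continue ;;
        esac
        # A random key file means the key is discarded at every shutdown.
        case $key in
            /dev/urandom|/dev/random) echo "OK $dev" ;;
            *) echo "KEY_NOT_RANDOM $dev"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample files (not from a real system): one swap entry
# configured as in the steps above, one left on a plain partition.
tmp=$(mktemp -d)
printf '%s\n' '/dev/mapper/sda2_crypt none swap sw 0 0' \
              '/dev/sdb3 none swap sw 0 0' > "$tmp/fstab"
printf '%s\n' \
  'sda2_crypt /dev/sda2 /dev/urandom cipher=aes-xts-plain64,size=256,swap,discard' \
  > "$tmp/crypttab"
check_swap_encrypted "$tmp/fstab" "$tmp/crypttab" || echo "swap is not fully encrypted"
rm -rf "$tmp"
```

On a real system, call it as `check_swap_encrypted /etc/fstab /etc/crypttab`.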

This is loosely based on a similar procedure for Ubuntu 6.10, but I don't use suspend-to-disk and so I simplified the setup and use a random encryption key instead of a passphrase.