diff --git a/.changelog/24645.txt b/.changelog/24645.txt
new file mode 100644
index 00000000000..62259ce6192
--- /dev/null
+++ b/.changelog/24645.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+client: Add noswap mount option to secrets directory where supported on Linux
+```
diff --git a/client/allocdir/fs_linux.go b/client/allocdir/fs_linux.go
index 7cc0e9d5363..71ea9be2d7d 100644
--- a/client/allocdir/fs_linux.go
+++ b/client/allocdir/fs_linux.go
@@ -73,9 +73,15 @@ func createSecretDir(dir string, size int) error {
 }
 flags := uintptr(syscall.MS_NOEXEC)
- options := fmt.Sprintf("size=%dm", size)
- if err := syscall.Mount("tmpfs", dir, "tmpfs", flags, options); err != nil {
- return os.NewSyscallError("mount", err)
+ // Permanently disable swap for tmpfs for SecretDir.
+ options := fmt.Sprintf("size=%dm,noswap", size)
+ err := syscall.Mount("tmpfs", dir, "tmpfs", flags, options)
+ if err != nil {
+ // Not all kernels support noswap, remove if unsupported.
+ options = fmt.Sprintf("size=%dm", size)
+ if fallbackErr := syscall.Mount("tmpfs", dir, "tmpfs", flags, options); fallbackErr != nil {
+ return os.NewSyscallError("mount", fallbackErr)
+ }
 }
 // Create the marker file so we don't try to mount more than once
diff --git a/website/content/docs/concepts/filesystem.mdx b/website/content/docs/concepts/filesystem.mdx
index 74dff6d50a0..74461044f4e 100644
--- a/website/content/docs/concepts/filesystem.mdx
+++ b/website/content/docs/concepts/filesystem.mdx
@@ -353,7 +353,7 @@ $ mount
 ...
 /dev/mapper/root on /alloc type ext4 (rw,relatime,errors=remount-ro,data=ordered)
 tmpfs on /private type tmpfs (rw,noexec,relatime,size=1024k)
-tmpfs on /secrets type tmpfs (rw,noexec,relatime,size=1024k)
+tmpfs on /secrets type tmpfs (rw,noexec,relatime,size=1024k,noswap)
 ...
 ```
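Review bot: The fallback under `if err != nil` in the fs_linux.go hunk retries without `noswap` on every mount failure, not only when the kernel rejects the option, so a mount that failed for an unrelated reason (permissions, a bad size, a busy target) is retried with a weaker option set and the original error is discarded in favour of `fallbackErr`. As far as I know the kernel reports an unknown tmpfs parameter as EINVAL (the option itself landed in Linux 6.4), so the downgrade should be gated on `errors.Is(err, syscall.EINVAL)` and any other error returned as-is; that also means the one retry path can share a single `os.NewSyscallError` instead of two. Because dropping `noswap` is a silent security downgrade (secrets become swappable again), it is worth surfacing it — at least as a comment stating the consequence, and via the caller's logger if one is reachable, which I cannot tell from this hunk. `errors` is presumably not yet imported in this file; the `createSecretDir` body begins before and ends after the hunk.

```go
	// Ask for noswap so secrets never hit swap (Linux 6.4+); older kernels
	// reject unknown tmpfs parameters with EINVAL, which is the only case
	// in which we accept the weaker mount.
	options := fmt.Sprintf("size=%dm,noswap", size)
	err := syscall.Mount("tmpfs", dir, "tmpfs", flags, options)
	if errors.Is(err, syscall.EINVAL) {
		// NOTE: secrets may be swapped out on this kernel; consider logging.
		options = fmt.Sprintf("size=%dm", size)
		err = syscall.Mount("tmpfs", dir, "tmpfs", flags, options)
	}
	if err != nil {
		return os.NewSyscallError("mount", err)
	}
	// … unchanged: marker file creation …
```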