Hello,
I am doing a new encrypted installation and have an issue with an encrypted swap partition which I want to use for hibernation. I have decided to use UEFI mode with cryptsetup + BTRFS for the filesystem.
lsblk>
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 0 232.9G 0 disk
├─sda1 8:1 0 1G 0 part /boot/efi
├─sda2 8:2 0 223G 0 part
│ └─cryptroot 254:0 0 223G 0 crypt /
└─sda3 8:3 0 8.9G 0 part
└─cryptsetup 254:1 0 8.9G 0 crypt [SWAP]
The problem is I can not force the swap partition to decrypt on boot. When I boot into the system I am able to decrypt it and mount it, as you can see from the output above, and use it. I was searching for a working solution for two days, however I failed.
In the file /etc/default/grub I have added>
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=b85d8f4d-e220-4000-b3b9-464bc5fc04e8:cryptroot cryptdevice=UUID=3fd46804-fda5-48bb-9a64-325acce919a7:cryptswap root=/dev/mapper/cryptroot resume=/dev/mapper/cryptswap loglevel=3 quiet"
In mkinitcpio.conf I added hooks as follows>
HOOKS=(base udev autodetect microcode modconf encrypt kms keyboard keymap consolefont block resume btrfs filesystems fsck)
And in /etc/crypttab I have>
cryptswap UUID=3fd46804-fda5-48bb-9a64-325acce919a7 /root/.cryptswap_key.bin none,luks
Both partitions, Root and Swap, are encrypted with the same passphrase. And as you see I also added a keyfile for the swap partition.
I have really tried several ways but none have worked. Here they write about some openswap hooks>
https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption
Might it work?
Thanks for any advice!
I made a typo, it should be
lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
sda 8:0 0 232.9G 0 disk
├─sda1 8:1 0 1G 0 part /boot/efi
├─sda2 8:2 0 223G 0 part
│ └─cryptroot 254:0 0 223G 0 crypt /
└─sda3 8:3 0 8.9G 0 part
└─cryptswap 254:1 0 8.9G 0 crypt
Did you see any error somewhere?
You can also enable the early log by adding `rd.log=file` to `GRUB_CMDLINE_LINUX_DEFAULT=`. The log will be in /run/initramfs.
Or you can try a swapfile https://btrfs.readthedocs.io/en/latest/Swapfile.html.
Short answer:
Just have crypttab decrypt it and add it to fstab.
I do not think that configuration (adding an encrypted swap in the kernel parameters) will work since:
and:
So instead just use crypttab for it then add it to fstab:
Note: I am using a LUKS on LVM configuration, and I'm using it for boot, not swap. (Though I think the configuration should be similar and will work, since the boot partition is not set up atop an LVM. Check my configurations and lsblk table below for reference.)
In my setup I left the crypttab entry with a key and no options:
/etc/crypttab
encrypted-boot UUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /directory-sample/keyfile
My boot partition isn't included in the kernel parameters:
/etc/default/grub
GRUB_CMDLINE_LINUX="cryptdevice=UUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX:encrypted-root root=/dev/volumegroup/lvroot"
My hooks:
HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block encrypt lvm2 filesystems fsck)
My fstab:
# /dev/mapper/encrypted-boot
UUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /boot ext4 rw,relatime 0 2
What my configuration looks like:
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
nvme0n1 259:0 0 0G 0 disk
├─nvme0n1p1 259:1 0 0M 0 part /boot/efi
├─nvme0n1p2 259:2 0 0G 0 part
│ └─encrypted-boot 254:4 0 0G 0 crypt /boot
└─nvme0n1p3 259:3 0 0G 0 part
└─encrypted-root 254:0 0 0G 0 crypt
├─volumegroup-lvswap 254:1 0 0G 0 lvm [SWAP]
├─volumegroup-lvroot 254:2 0 0G 0 lvm /.snapshots
│ /var/cache
│ /var/log
│ /
└─volumegroup-lvhome 254:3 0 0G 0 lvm /home
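An added consistency check for the three pieces the first post and this answer touch (the kernel parameters, the crypttab entry and its keyfile); this is example code written for this thread, not the poster's or the Arch wiki's, and it assumes GNU coreutils `stat` and feeds itself constructed copies of the posted lines as input:

```shell
#!/bin/sh
# Constructed sample inputs modelled on the first post (UUIDs copied from it).
CMDLINE='cryptdevice=UUID=b85d8f4d-e220-4000-b3b9-464bc5fc04e8:cryptroot cryptdevice=UUID=3fd46804-fda5-48bb-9a64-325acce919a7:cryptswap root=/dev/mapper/cryptroot resume=/dev/mapper/cryptswap loglevel=3 quiet'
CRYPTTAB_LINE='cryptswap UUID=3fd46804-fda5-48bb-9a64-325acce919a7 /root/.cryptswap_key.bin none,luks'

# Number of cryptdevice= parameters on the command line. mkinitcpio's encrypt hook
# honours only one (a later occurrence overwrites an earlier one), so >1 is a misconfiguration.
count_cryptdevice() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -c '^cryptdevice=' || :
}

# Mapper name referenced by resume=/dev/mapper/<name>; empty if no such parameter.
resume_mapper() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's#^resume=/dev/mapper/##p'
}

# First crypttab field: the mapper name the entry creates.
crypttab_mapper()  { printf '%s\n' "$1" | awk '{ print $1 }'; }
# Third crypttab field: keyfile path, or "none" for a passphrase prompt.
crypttab_keyfile() { printf '%s\n' "$1" | awk '{ print $3 }'; }

# "ok" when the keyfile is a regular file readable by its owner only (0600/0400),
# "missing" when absent, otherwise the offending mode. Assumes GNU stat -c.
keyfile_status() {
    [ -f "$1" ] || { echo "missing"; return 0; }
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        600|400) echo "ok" ;;
        *)       echo "group/world readable mode $mode" ;;
    esac
}

# Run all checks and print findings; never exits non-zero so it can be sourced.
lint_swap_config() {
    n=$(count_cryptdevice "$1")
    [ "$n" -le 1 ] || echo "WARN: $n cryptdevice= parameters; the encrypt hook uses only the last one"
    r=$(resume_mapper "$1"); m=$(crypttab_mapper "$2")
    [ "$r" = "$m" ] || echo "WARN: resume= names '$r' but crypttab creates '$m'"
    k=$(crypttab_keyfile "$2")
    case "$k" in
        /root/*) echo "NOTE: keyfile $k lives on the root filesystem, so it is unreadable in the initramfs before root is mounted; this crypttab entry unlocks swap after root, which is too late for resume" ;;
    esac
    [ "$k" = none ] || echo "keyfile $k: $(keyfile_status "$k")"
}

lint_swap_config "$CMDLINE" "$CRYPTTAB_LINE"
```

On the posted configuration it reports two cryptdevice= parameters and a keyfile on the root filesystem; the keyfile check reports "missing" on any machine other than the poster's.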
A question and a suggestion. Why not use LVM on LUKS?
https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS
Mine is a similar setup to yours but not quite (LUKS on LVM).
I'm also using btrfs.
I wanted to use LUKS2 LVM on LUKS but grub doesn't support argon2 for LUKS2 officially and I didn't want to use some makeshift patches hence the strange setup.