Skip to main content
Topic: encrypted swap (Read 233 times) previous topic - next topic
0 Members and 1 Guest are viewing this topic.

encrypted swap

Hello,

I am doing new encrypted installation and have an issue with encrypted swap partition which i want to use for hibernation.I have decided to use UEFI mode with cryptsetup + BTRFS for filesystem.
lsblk>
Code: [Select]
NAME           MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda              8:0    0 232.9G  0 disk  
├─sda1           8:1    0     1G  0 part  /boot/efi
├─sda2           8:2    0   223G  0 part  
│ └─cryptroot  254:0    0   223G  0 crypt /
└─sda3           8:3    0   8.9G  0 part  
  └─cryptsetup 254:1    0   8.9G  0 crypt [SWAP]

The problem is I can not force the Swap partition to decrypt on boot.When I boot into the system I am able to decrypt it and mount it as you can see from the output above and use it. I was searching for working solution for two days however failed.

In the file /etc/default/grub I have added>
Code: [Select]
GRUB_CMDLINE_LINUX_DEFAULT="cryptdevice=UUID=b85d8f4d-e220-4000-b3b9-464bc5fc04e8:cryptroot
cryptdevice=UUID=3fd46804-fda5-48bb-9a64-325acce919a7:cryptswap root=/dev/mapper/cryptroot
resume=/dev/mapper/cryptswap loglevel=3 quiet"

In mkinitcpio.conf i added hooks as follows>
Code: [Select]
HOOKS=(base udev autodetect microcode modconf encrypt kms keyboard keymap consolefont block resume btrfs filesystems fsck)

And in /etc/crypttab have>
Code: [Select]

cryptswap	UUID=3fd46804-fda5-48bb-9a64-325acce919a7	/root/.cryptswap_key.bin    none,luks

Both partitions Root and Swap are encrypted with the same passphrase. And as you see I added a also a keyfile for the swap partition.

I have really tried several ways but neither have worked. Here they write about some openswap hooks>
https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption

Might it work?

Thanks for any advice!

Re: encrypted swap

Reply #1
I made a typo, it should be
Code: [Select]
 lsblk
NAME           MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda              8:0    0 232.9G  0 disk  
├─sda1           8:1    0     1G  0 part  /boot/efi
├─sda2           8:2    0   223G  0 part  
│ └─cryptroot  254:0    0   223G  0 crypt /
└─sda3           8:3    0   8.9G  0 part  
  └─cryptswap 254:1    0   8.9G  0 crypt
 

Re: encrypted swap

Reply #3
Short answer:
Just have crypttab decrypt it and add it on fstab.

I do not think that configuration (adding an encrypted swap in the kernel parameters) will work since:
Quote
resume=device
device is the device file of the decrypted (swap) filesystem (citation: https://wiki.archlinux.org/title/Crypttab#resume)

and:
Quote
Note: Compared to the sd-encrypt hook, the encrypt hook does not support:

    Unlocking multiple encrypted disks (archlinux/mkinitcpio/mkinitcpio#231). Only one device can be unlocked in the initramfs.
    Using a detached LUKS header (archlinux/mkinitcpio/mkinitcpio#234).
    Setting additional options that are supported by crypttab.

citation: https://wiki.archlinux.org/title/Crypttab#Using_encrypt_hook

So instead just use crypttab for it then add it to fstab:
Quote
crypttab is read first before fstab (citation: https://wiki.archlinux.org/title/Crypttab#Unlocking_in_late_userspace)



Note: I am using a LUKS on LVM configuration. And I'm using it for boot, not swap. (Though I think the configuration should be similar and will work since the boot partition is not setup atop of an lvm. Check my configurations and lsblk table below for reference.)

In my setup I left the crypttab entry with key with no options:
/etc/crypttab
Code: [Select]
encrypted-boot	UUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX	/directory-sample/keyfile

My boot partition isn't included in the kernel parameters:
/etc/default/grub
Code: [Select]
GRUB_CMDLINE_LINUX="cryptdevice=UUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX:encrypted-root root=/dev/volumegroup/lvroot"

my hooks:
Code: [Select]
HOOKS=(base udev autodetect modconf kms keyboard keymap consolefont block encrypt lvm2 filesystems fsck)

my fstab
Code: [Select]
# /dev/mapper/encrypted-boot
UUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX       /boot           ext4            rw,relatime     0 2

What my configuration looks like:
Code: [Select]
NAME                  MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
nvme0n1               259:0   0    0G  0 disk  
├─nvme0n1p1           259:1   0    0M  0 part  /boot/efi
├─nvme0n1p2           259:2   0    0G  0 part  
│ └─encrypted-boot    254:4   0    0G  0 crypt /boot
└─nvme0n1p3           259:3   0    0G  0 part  
  └─encrypted-root    254:0    0    0G  0 crypt 
    ├─volumegroup-lvswap 254:1    0    0G  0 lvm   [SWAP]
    ├─volumegroup-lvroot 254:2    0    0G  0 lvm   /.snapshots
    │                                              /var/cache
    │                                              /var/log
    │                                              /
    └─volumegroup-lvhome 254:3    0    0G  0 lvm   /home


A question and a suggestion. Why not use LVM on LUKS?
https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#LVM_on_LUKS


Mine is a similar setup on yours but not quite (LUKS on LVM).
I'm also using btrfs.
I wanted to use LUKS2 LVM on LUKS but grub doesn't support argon2 for LUKS2 officially and I didn't want to use some makeshift patches hence the strange setup.