80x24.org misc. Free Software, open data formats/protocols discussion
From: Eric Wong <e@80x24.org>
To: misc@80x24.org
Subject: encrypted swap + hibernate on Debian 9 GNU/Linux
Date: Sun, 16 Dec 2018 09:47:52 +0000
Message-ID: <20181216094752.3gi3i6pvr2m2dhg4@dcvr>

Note: this does NOT cover an encrypted root or other partitions,
ONLY the swap partition which is used for hibernate.

This is intended to update an existing install on an old/slow laptop.
I still use ecryptfs on top of ext4 for home directories, for now;
thus dm-crypt only protects my swap when I hibernate.

My single-core Pentium-M is already taxed, and full-disk encryption
is pointless on public mail archives and git repos of Free Software.


Prerequisites (Linux kernel config):

	CONFIG_BLK_DEV_INITRD=y
	CONFIG_DM_CRYPT=y
	# and probably a few other things, but I already had everything for
	# ecryptfs enabled.  Users of distro-provided kernels need not
	# worry about this section

Debian packages:

	cryptsetup initramfs-tools

lvm2 is NOT used or required here.  I've never used lvm2 on a laptop.

# Now, destroy any existing (unencrypted) swap and set up an encrypted swap
# in its place.  Replace "/dev/blah2" with whatever device your swap is on
# (e.g. "/dev/sdz2")

# disable existing swap partition

	swapoff /dev/blah2

# format the partition (you'll set your passphrase here)

	cryptsetup luksFormat /dev/blah2

# open the partition as "/dev/mapper/cswap"

	cryptsetup luksOpen /dev/blah2 cswap

# format the opened device (not the raw partition) as swap and give it the label "swap"

	mkswap -L swap /dev/mapper/cswap


# In fstab, make sure you have your existing swap line updated
# to point to the device with the label of "swap" (this is one
# place we don't have to use UUIDs)
==> /etc/fstab <==
LABEL=swap none swap sw 0 0


# Ensure initramfs-tools knows to look at /dev/mapper/cswap for resume
==> /etc/initramfs-tools/conf.d/resume <==
RESUME=/dev/mapper/cswap


# And ensure cryptsetup modules get added to the initramfs image
# I may not need this if I used lvm or a more common setup, but
# it seems required in my case.
==> /etc/cryptsetup-initramfs/conf-hook <==
CRYPTSETUP=y


# Finally, put the LUKS source on the kernel command line via grub, using the
# UUID of the raw partition that holds the LUKS container.  This refers to the
# partition itself: the label ("swap" as set above) lives inside the container,
# so it won't be visible until the LUKS device is open.
# Where $S is "/dev/disk/by-uuid/d5a172b2-ecb1-40d6-8c8a-cd47e8a0ab37" for me
# (write the literal path into the file: update-grub sources /etc/default/grub
# as shell, so an unset $S would silently expand to nothing)
==> /etc/default/grub <==
GRUB_CMDLINE_LINUX="resume=/dev/mapper/cswap cryptopts=source=$S,target=cswap"
# SSD users may add ",discard" after target=cswap to enable TRIM support

Now, generate the initrd and update grub:

	update-initramfs -u
	update-grub

During every boot, you should be prompted for the passphrase
set during "cryptsetup luksFormat ..." to open the LUKS device
and give access to the swap device.  This should allow you
to resume from hibernate.
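The following script is an added example, not part of Eric's post.  It checks
the three config files above for the mistakes that leave you with no resumable
swap: RESUME not naming the opened device, no "LABEL=swap" swap entry in fstab,
and a cryptopts= whose source= came out empty because "$S" was written
literally into /etc/default/grub (update-grub sources that file as shell, and
the script expands GRUB_CMDLINE_LINUX the same way, so it sees exactly what
grub will see).  It assumes the mapping name "cswap" and label "swap" used
above; the config fragments it runs against are constructed inline in a temp
dir and the UUID in them is made up.  Only check_live() touches real devices
and needs root.

```shell
#!/bin/sh
# Post-setup sanity checks for the encrypted-swap + hibernate configuration
# above.  Added example, not from the original post.  Assumes the names used
# there: mapping "cswap", swap label "swap".  Everything except check_live()
# runs against ordinary files, so the demo at the bottom needs no root.

# Expand GRUB_CMDLINE_LINUX exactly the way grub-mkconfig does: it sources
# /etc/default/grub as shell, so a placeholder like $S that was never
# substituted silently expands to an empty string.
grub_cmdline() {
    ( GRUB_CMDLINE_LINUX=''; . "$1" >/dev/null 2>&1 || true
      printf '%s\n' "$GRUB_CMDLINE_LINUX" )
}

# Value of key $2 inside the cryptopts= word of kernel command line $1
# (cryptopts is a comma-separated key=value list, e.g. source=...,target=cswap).
cryptopts_value() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^cryptopts=//p' \
        | tr ',' '\n' | sed -n "s/^$2=//p"
}

# 0 if $1 (a /etc/default/grub-style file) yields resume=/dev/mapper/cswap
# and a cryptopts whose source is a /dev/disk/by-uuid path and whose target
# is cswap; 1 (with the reason on stderr) otherwise.
check_grub() {
    cmdline=$(grub_cmdline "$1")
    case " $cmdline " in
        *' resume=/dev/mapper/cswap '*) ;;
        *) echo 'grub: resume= does not name /dev/mapper/cswap' >&2; return 1 ;;
    esac
    tgt=$(cryptopts_value "$cmdline" target)
    [ "$tgt" = cswap ] || { echo "grub: cryptopts target is '$tgt', want cswap" >&2; return 1; }
    src=$(cryptopts_value "$cmdline" source)
    case "$src" in
        '') echo 'grub: cryptopts source is empty; was $S substituted?' >&2; return 1 ;;
        /dev/disk/by-uuid/????????-????-????-????-????????????) return 0 ;;
        *) echo "grub: cryptopts source '$src' is not a /dev/disk/by-uuid path" >&2; return 1 ;;
    esac
}

# 0 if the initramfs-tools resume file ($1) names the opened LUKS device.
check_resume() {
    resume=$( RESUME=''; . "$1" >/dev/null 2>&1 || true; printf '%s\n' "$RESUME" )
    [ "$resume" = /dev/mapper/cswap ] \
        || { echo "resume: RESUME is '$resume', want /dev/mapper/cswap" >&2; return 1; }
}

# 0 if fstab ($1) has a swap entry keyed by LABEL=swap (the label lives inside
# the LUKS container, so it only resolves once cswap is open).
check_fstab() {
    awk '$1 == "LABEL=swap" && $3 == "swap" { ok = 1 } END { exit !ok }' "$1" \
        || { echo 'fstab: no "LABEL=swap ... swap" entry' >&2; return 1; }
}

# Live checks (root, real devices): the source partition carries a LUKS
# header, the mapping is open, the label resolves to it, and swap is on a
# device-mapper node rather than on the raw partition.
check_live() {
    src=$(cryptopts_value "$(grub_cmdline /etc/default/grub)" source)
    cryptsetup isLuks "$src" || { echo "live: $src has no LUKS header" >&2; return 1; }
    cryptsetup status cswap >/dev/null || { echo 'live: cswap is not open' >&2; return 1; }
    [ "$(readlink -f "$(blkid -L swap)")" = "$(readlink -f /dev/mapper/cswap)" ] \
        || { echo 'live: LABEL=swap does not resolve to /dev/mapper/cswap' >&2; return 1; }
    grep -q '^/dev/dm-' /proc/swaps || { echo 'live: no dm device in /proc/swaps' >&2; return 1; }
}

# Demo on constructed files: a correct set, and a grub file where "$S" was
# left unexpanded.  The UUID below is made up.
demo() {
    d=$(mktemp -d) || return 1
    printf 'LABEL=swap none swap sw 0 0\n' > "$d/fstab"
    printf 'RESUME=/dev/mapper/cswap\n' > "$d/resume"
    printf 'GRUB_CMDLINE_LINUX="resume=/dev/mapper/cswap cryptopts=source=/dev/disk/by-uuid/0b5f2c1a-7d3e-4a90-b2c6-9e1f5d7a3c44,target=cswap"\n' > "$d/grub.good"
    printf 'GRUB_CMDLINE_LINUX="resume=/dev/mapper/cswap cryptopts=source=$S,target=cswap"\n' > "$d/grub.bad"
    rc=0
    check_fstab "$d/fstab" && check_resume "$d/resume" && check_grub "$d/grub.good" \
        && echo 'good config: OK' || rc=1
    check_grub "$d/grub.bad" && { echo 'bad config NOT caught'; rc=1; } || echo 'bad config: caught'
    rm -rf "$d"
    return $rc
}

demo
```

Save it under any name (check-cswap.sh, say) and run it with sh to see the
demo.  On the target machine, source the file and call check_grub
/etc/default/grub, check_resume /etc/initramfs-tools/conf.d/resume and
check_fstab /etc/fstab after editing, then check_live as root once the LUKS
device is open and before the first reboot.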

Thread overview: [no followups]