From: Eric Wong <email@example.com>
To: firstname.lastname@example.org
Subject: encrypted swap + hibernate on Debian 9 GNU/Linux
Date: Sun, 16 Dec 2018 09:47:52 +0000
Message-ID: <20181216094752.3gi3i6pvr2m2dhg4@dcvr>

Note: this does NOT cover an encrypted root or other partitions,
ONLY the swap partition which is used for hibernate.

This is intended to update an existing install on an old/slow
laptop. I still use ecryptfs on top of ext4 for home directories,
for now; thus dm-crypt only protects my swap when I hibernate.
My single-core Pentium-M is already taxed, and full-disk
encryption is pointless on public mail archives and git repos of
Free Software.

Prerequisites (Linux kernel config):

  CONFIG_BLK_DEV_INITRD=y
  CONFIG_DM_CRYPT=y
  # and probably a few other things, but I already had everything for
  # ecryptfs enabled. Users of distro-provided kernels need not
  # worry about this section

Debian packages:

  cryptsetup
  initramfs-tools

lvm2 is NOT used or required, here. I've never used lvm2 on a laptop.

# Now, destroy any existing (unencrypted) swap and set up an encrypted swap
# replace "/dev/blah2" with whatever device your swap is on (e.g. "/dev/sdz2")

# disable existing swap partition
swapoff /dev/blah2

# format the partition (you'll set your passphrase here)
cryptsetup luksFormat /dev/blah2

# open the partition as "/dev/mapper/cswap"
cryptsetup luksOpen /dev/blah2 cswap

# format the swap partition and give it the label "swap"
mkswap -L swap /dev/mapper/cswap

# In fstab, make sure you have your existing swap line updated
# to point to the device with the label of "swap" (this is one
# place we don't have to use UUIDs)
==> /etc/fstab <==
LABEL=swap none swap sw 0 0

# Ensure initramfs-tools knows to look at /dev/mapper/cswap for resume
==> /etc/initramfs-tools/conf.d/resume <==
RESUME=/dev/mapper/cswap

# And ensure cryptsetup modules get added to the initramfs image
# I may not need this if I used lvm or a more common setup, but
# it seems required in my case.
==> /etc/cryptsetup-initramfs/conf-hook <==
CRYPTSETUP=y

# Finally, tell grub about the UUID of the partition where the LUKS
# device holds the swap. This refers to the partition, so the device
# label ("swap" as set above) won't be visible until the LUKS device is open.
# Where $S is "/dev/disk/by-uuid/d5a172b2-ecb1-40d6-8c8a-cd47e8a0ab37" for me
==> /etc/default/grub <==
GRUB_CMDLINE_LINUX="resume=/dev/mapper/cswap cryptopts=source=$S,target=cswap"
# SSD users may add ",discard" after target=cswap to enable TRIM support

Now, generate the initrd and update grub:

update-initramfs -u
update-grub

During every boot, you should be prompted for the passphrase set
during "cryptsetup luksFormat ..." to open the LUKS device and give
access to the swap device. This should allow you to resume from
hibernate.
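Added check, not part of Eric Wong's mail: a POSIX sh script that verifies the four files the procedure edits (fstab, the initramfs-tools resume file, the cryptsetup conf-hook and /etc/default/grub) agree with each other before update-initramfs/update-grub and the first reboot, since a mismatch between RESUME= and the cryptopts target is only discovered when hibernate resume fails. The function names and the requirement that cryptopts=source be a /dev/disk/by-uuid path are my assumptions, not something the mail states.

```shell
#!/bin/sh
# Added example, not from the original mail: sanity-check the four files the
# procedure edits before update-initramfs/update-grub and the first reboot.
# Usage: check_swap_config FSTAB RESUME_CONF CONF_HOOK GRUB_DEFAULT

# Print the value of KEY=VALUE in a shell-style config file (last definition
# wins, surrounding double quotes stripped).
conf_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# Return 0 if every expectation holds; otherwise report each problem, return 1.
check_swap_config() {
    fstab=$1 resume=$2 hook=$3 grub=$4
    rc=0
    # 1. fstab must reference swap by the label given to mkswap -L swap.
    grep -Eq '^[[:space:]]*LABEL=swap[[:space:]]+none[[:space:]]+swap[[:space:]]' "$fstab" \
        || { echo "fstab: no 'LABEL=swap none swap ...' entry"; rc=1; }
    # 2. initramfs-tools must resume from the opened dm-crypt device.
    target=$(conf_value "$resume" RESUME)
    case $target in
        /dev/mapper/?*) name=${target#/dev/mapper/} ;;
        *) echo "resume: RESUME must be /dev/mapper/<name>, got '$target'"; rc=1; name= ;;
    esac
    # 3. cryptsetup must be copied into the initramfs image.
    [ "$(conf_value "$hook" CRYPTSETUP)" = y ] \
        || { echo "conf-hook: CRYPTSETUP=y is not set"; rc=1; }
    # 4. resume= and the cryptopts target must name the same mapper device,
    #    or the initramfs opens one device and tries to resume from another.
    cmdline=$(conf_value "$grub" GRUB_CMDLINE_LINUX)
    case " $cmdline " in
        *" resume=$target "*) ;;
        *) echo "grub: 'resume=$target' missing from GRUB_CMDLINE_LINUX"; rc=1 ;;
    esac
    opts=$(printf '%s\n' "$cmdline" | tr ' ' '\n' | sed -n 's/^cryptopts=//p' | tr ',' '\n')
    src=$(printf '%s\n' "$opts" | sed -n 's/^source=//p')
    tgt=$(printf '%s\n' "$opts" | sed -n 's/^target=//p')
    [ -n "$name" ] && [ "$tgt" = "$name" ] \
        || { echo "grub: cryptopts target '$tgt' does not match RESUME name '$name'"; rc=1; }
    # Caveat (my assumption): source= should be a by-uuid path; /dev/sdX names can change.
    case $src in
        /dev/disk/by-uuid/?*) ;;
        *) echo "grub: cryptopts source '$src' is not a /dev/disk/by-uuid path"; rc=1 ;;
    esac
    return $rc
}

# With four arguments, check those files (e.g. the /etc paths from the mail).
if [ $# -eq 4 ]; then check_swap_config "$@"; fi
```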