From: Eric Wong
To: misc@80x24.org
Date: Sun, 16 Dec 2018 09:47:52 +0000
Subject: encrypted swap + hibernate on Debian 9 GNU/Linux
Message-ID: <20181216094752.3gi3i6pvr2m2dhg4@dcvr>

Note: this does NOT cover an encrypted root or other partitions,
ONLY the swap partition which is used for hibernate.  This is
intended to update an existing install on an old/slow laptop.

I still use ecryptfs on top of ext4 for home directories, for now;
thus dm-crypt only protects my swap when I hibernate.  My single-core
Pentium-M is already taxed, and full-disk encryption is pointless on
public mail archives and git repos of Free Software.

Prerequisites (Linux kernel config):

CONFIG_BLK_DEV_INITRD=y
CONFIG_DM_CRYPT=y
# and probably a few other things, but I already had everything for
# ecryptfs enabled.  Users of distro-provided kernels need not
# worry about this section

Debian packages:

cryptsetup
initramfs-tools

lvm2 is NOT used or required, here.  I've never used lvm2 on a laptop.

# Now, destroy any existing (unencrypted) swap and set up an encrypted swap
# replace "/dev/blah2" with whatever device your swap is on (e.g. "/dev/sdz2")

# disable existing swap partition
swapoff /dev/blah2

# format the partition (you'll set your passphrase here)
cryptsetup luksFormat /dev/blah2

# open the partition as "/dev/mapper/cswap"
cryptsetup luksOpen /dev/blah2 cswap

# format the swap partition and give it the label "swap"
mkswap -L swap /dev/mapper/cswap

# In fstab, make sure you have your existing swap line updated
# to point to the device with the label of "swap" (this is one
# place we don't have to use UUIDs)
==> /etc/fstab <==
LABEL=swap none swap sw 0 0

# Ensure initramfs-tools knows to look at /dev/mapper/cswap for resume
==> /etc/initramfs-tools/conf.d/resume <==
RESUME=/dev/mapper/cswap

# And ensure cryptsetup modules get added to the initramfs image
# I might not need this if I used lvm or a more common setup, but
# it seems required in my case.
==> /etc/cryptsetup-initramfs/conf-hook <==
CRYPTSETUP=y

# Finally, tell grub about the UUID of the partition where the LUKS
# device holds the swap.  This refers to the partition, so the device
# label ("swap" as set above) won't be visible until the LUKS device is open.
# Where $S is "/dev/disk/by-uuid/d5a172b2-ecb1-40d6-8c8a-cd47e8a0ab37" for me
==> /etc/default/grub <==
GRUB_CMDLINE_LINUX="resume=/dev/mapper/cswap cryptopts=source=$S,target=cswap"
# SSD users may add ",discard" after target=cswap to enable TRIM support

Now, generate the initrd and update grub:

update-initramfs -u
update-grub

During every boot, you should be prompted for the passphrase set
during "cryptsetup luksFormat ..." to open the LUKS device and give
access to the swap device.  This should allow you to resume from hibernate.
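The four settings above only work together if they all name the same mapped device; the following consistency check is an added example and not part of the mail. It assumes the file layout shown in the mail (fstab label "swap", RESUME= in the initramfs conf, resume= and cryptopts= in GRUB_CMDLINE_LINUX) and takes the three file paths as arguments so it can be run against copies; the sample files and their UUID are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the mail): cross-check that the fstab entry, the
# initramfs RESUME= setting and the GRUB_CMDLINE_LINUX resume=/cryptopts=
# parameters all name the same mapped swap device. A mismatch here means the
# initramfs cannot find the hibernate image and the machine cold-boots instead.
# File paths are arguments so the check can run on copies of the real files.
check_cswap_config() {
    fstab=$1; resume_conf=$2; grub_default=$3; rc=0
    # fstab must reference swap by the label that mkswap -L set on the mapped device
    grep -Eq '^[[:space:]]*LABEL=swap[[:space:]]+none[[:space:]]+swap' "$fstab" ||
        { echo "fstab: no 'LABEL=swap none swap' entry"; rc=1; }
    # RESUME= tells initramfs-tools which device holds the hibernate image
    resume_dev=$(sed -n 's/^RESUME=//p' "$resume_conf")
    [ -n "$resume_dev" ] || { echo "resume conf: RESUME= not set"; rc=1; }
    # split GRUB_CMDLINE_LINUX into words, then pull out resume= and cryptopts=
    words=$(sed -n 's/^GRUB_CMDLINE_LINUX="\(.*\)"/\1/p' "$grub_default" | tr ' ' '\n')
    kresume=$(printf '%s\n' "$words" | sed -n 's/^resume=//p')
    opts=$(printf '%s\n' "$words" | sed -n 's/^cryptopts=//p' | tr ',' '\n')
    src=$(printf '%s\n' "$opts" | sed -n 's/^source=//p')
    target=$(printf '%s\n' "$opts" | sed -n 's/^target=//p')
    [ "$kresume" = "$resume_dev" ] ||
        { echo "grub: resume=$kresume differs from RESUME=$resume_dev"; rc=1; }
    [ -n "$target" ] && [ "/dev/mapper/$target" = "$resume_dev" ] ||
        { echo "grub: cryptopts target=$target does not open $resume_dev"; rc=1; }
    case $src in
        /dev/disk/by-uuid/*) ;;  # stable even if /dev/sdX names change
        *) echo "grub: cryptopts source=$src is not a /dev/disk/by-uuid path"; rc=1 ;;
    esac
    [ $rc -eq 0 ] && echo ok
    return $rc
}

# Constructed sample files mirroring the mail's settings; the UUID is a
# placeholder. A second argument writes a deliberately mismatched target=.
write_sample_config() {
    dir=$1; t=${2:-cswap}
    printf 'LABEL=swap none swap sw 0 0\n' > "$dir/fstab"
    printf 'RESUME=/dev/mapper/cswap\n' > "$dir/resume"
    printf 'GRUB_CMDLINE_LINUX="resume=/dev/mapper/cswap cryptopts=source=%s,target=%s"\n' \
        /dev/disk/by-uuid/00000000-0000-0000-0000-000000000000 "$t" > "$dir/grub"
}
```

On the live system the call is `check_cswap_config /etc/fstab /etc/initramfs-tools/conf.d/resume /etc/default/grub`, run before `update-initramfs -u` so a typo is caught before it is baked into the initrd.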