80x24.org misc. Free Software, open data formats/protocols discussion
 help / color / mirror / Atom feed
* encrypted swap + hibernate on Debian 9 GNU/Linux
@ 2018-12-16  9:47 Eric Wong
  0 siblings, 0 replies; only message in thread
From: Eric Wong @ 2018-12-16  9:47 UTC (permalink / raw)
  To: misc

Note: this does NOT cover an encrypted root or other partitions,
ONLY the swap partition which is used for hibernate.

This is intended to update an existing install on an old/slow laptop.
I still use ecryptfs on top of ext4 for home directories, for now;
thus dm-crypt only protects my swap when I hibernate.

My single-core Pentium-M is already taxed, and full-disk encryption
is pointless on public mail archives and git repos of Free Software.

Prerequisites (Linux kernel config):

	# and probably a few other things, but I already had everything for
	# ecryptfs enabled.  Users of distro-provided kernels need not
	# worry about this section

Debian packages:

	cryptsetup initramfs-tools

lvm2 is NOT used or required, here.  I've never used lvm2 on a laptop.

# Now, destroy any existing (unencrypted) swap and setup an encrypted swap
# replace "/dev/blah2" with whatever device your swap is on (e.g. "/dev/sdz2")

# disable existing swap partition

	swapoff /dev/blah2

# format the partition (you'll set your passphrase here)

	cryptsetup luksFormat /dev/blah2

# open the partition as "/dev/mapper/cswap"

	cryptsetup luksOpen /dev/blah2 cswap

# format the swap partition and give it the label "swap"

	mkswap -L swap /dev/mapper/cswap

# In fstab, make sure you have your existing swap line updated
# to point to the device with the label of "swap" (this is one
# place we don't have to use UUIDs)
==> /etc/fstab <==
LABEL=swap none swap sw 0 0

# Ensure initramfs-tools knows to look at /dev/mapper/cswap for resume
==> /etc/initramfs-tools/conf.d/resume <==

# And ensure cryptsetup modules get added to the initramfs image
# I may not need this if I used lvm or a more common setup, but
# it seems required in my case.
==> /etc/cryptsetup-initramfs/conf-hook <==

# Finally, tell grub about the UUID of the partition where the LUKS
# device holds the swap.  This refers to the partition, so the device
# label ("swap" as set above) won't be visible until the LUKS device is open.
# Where $S is "/dev/disk/by-uuid/d5a172b2-ecb1-40d6-8c8a-cd47e8a0ab37" for me
==> /etc/default/grub <==
GRUB_CMDLINE_LINUX="resume=/dev/mapper/cswap cryptopts=source=$S,target=cswap"
# SSD users may add ",discard" after target=cswap to enable TRIM support

Now, generate the initrd and update grub:

	update-initramfs -u

During every boot, you should be prompted for the passphrase
set during "cryptsetup luksFormat ..." to open the LUKS device
and give access to the swap device.  This should allow you
to resume from hibernate.

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2018-12-16  9:47 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-12-16  9:47 encrypted swap + hibernate on Debian 9 GNU/Linux Eric Wong

80x24.org misc. Free Software, open data formats/protocols discussion

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://80x24.org/misc
	git clone --mirror http://ou63pmih66umazou.onion/misc

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V1 misc misc/ https://80x24.org/misc \
	public-inbox-index misc

Example config snippet for mirrors.
Newsgroups are available over NNTP:
 note: .onion URLs require Tor: https://www.torproject.org/

AGPL code for this site: git clone https://public-inbox.org/public-inbox.git