#1 2012-07-03 21:42:29

Crunch3R
Member
Registered: 2010-11-14
Posts: 45

[SOLVED] How to enable encrypted swap?

I installed my system with an encrypted swap partition, but it's not working at all.

Here's fstab:

# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
/dev/mapper/hda5_crypt /               ext3    errors=remount-ro 0       1
/dev/mapper/hda6_crypt swap     swap    sw              0       0
# /boot was on /dev/hda2 during installation
UUID=1e1175bc-d168-4520-a1d0-297590552d04 /boot           ext3    defaults        0       2
/dev/hdc        /media/cdrom0   udf,iso9660 user,noauto     0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto  0       0

and crypttab:

hda5_crypt UUID=eb4f3aa2-b5bb-4e47-9739-0cd23640c30c none luks
hda6_crypt UUID=a6420f26-c22b-4243-9cba-fb2b01e07231 hda5_crypt luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived

How can this be fixed?

Last edited by Crunch3R (2012-07-16 18:40:23)


#2 2012-07-03 22:28:05

Tunafish
#! Die Hard
From: the Netherlands
Registered: 2010-03-07
Posts: 1,201

Re: [SOLVED] How to enable encrypted swap?

I use encrypted swap and used this guide:
http://madduck.net/docs/cryptdisk/

I compared your fstab+crypttab with mine and didn't notice any (essential) difference.

I'll have a closer look at it tomorrow.

btw: did you install hibernate?


sed 's/stress/relaxation/g'
Privacy & Security on #!


#3 2012-07-04 10:39:23

Crunch3R
Member
Registered: 2010-11-14
Posts: 45

Re: [SOLVED] How to enable encrypted swap?

Thanks, Tunafish. I tried following this guide, had some trouble because I pasted the commands after sudo, but finally this is how it went:

root@crunchbang:~# dd if=/dev/zero of=/dev/sda6
dd: writing to `/dev/sda6': No space left on device
1982465+0 records in
1982464+0 records out
1015021568 bytes (1.0 GB) copied, 115.252 s, 8.8 MB/s
 
root@crunchbang:~#  /lib/cryptsetup/scripts/decrypt_derived hda5_crypt \
>   | cryptsetup luksFormat /dev/sda6 --key-file -
root@crunchbang:~# /lib/cryptsetup/scripts/decrypt_derived hda5_crypt \
>   | cryptsetup luksOpen /dev/sda6 hda6_crypt --key-file -
root@crunchbang:~# mkswap /dev/mapper/hda6_crypt
mkswap: /dev/mapper/hda6_crypt: warning: don't erase bootbits sectors
        on whole disk. Use -f to force.
Setting up swapspace version 1, size = 990200 KiB
no label, UUID=1b09171f-76f7-428a-a199-bd5be757f797

root@crunchbang:~# swapon -a
root@crunchbang:~# swapon -s
Filename                Type        Size    Used    Priority
/dev/dm-2                               partition    990196    0    -1

Seems to be working fine, I'll see if it holds. And I'll install hibernate now.


#4 2012-07-04 11:55:36

Crunch3R
Member
Registered: 2010-11-14
Posts: 45

Re: [SOLVED] How to enable encrypted swap?

Well, it doesn't hold, I have to repeat the process every time I boot :(


#5 2012-07-04 13:14:05

Tunafish
#! Die Hard
From: the Netherlands
Registered: 2010-03-07
Posts: 1,201

Re: [SOLVED] How to enable encrypted swap?

Crunch3R wrote:

Well, it doesn't hold, I have to repeat the process every time I boot :(

I don't know what's wrong...
I use
/dev/sda1 as /boot
/dev/sda5 as /        --> sda5_crypt
/dev/sda6 as swap   --> sda6_crypt
/dev/sda7 as /home   --> sda7_crypt

Here's what I did to get the swap working:

as root:
swapoff /dev/mapper/sda6_crypt
cryptsetup luksClose sda6_crypt
dd if=/dev/urandom of=/dev/sda6
/lib/cryptsetup/scripts/decrypt_derived sda5_crypt \
  | cryptsetup luksFormat /dev/sda6 --key-file -
/lib/cryptsetup/scripts/decrypt_derived sda5_crypt \
  | cryptsetup luksOpen /dev/sda6 sda6_crypt --key-file -
mkswap /dev/mapper/sda6_crypt

this is my /etc/crypttab:

sda5_crypt UUID=239ec8a9-e6d5-4b13-a5a8-74c7edbba1ef none luks
sda6_crypt UUID=4901d16a-b7e7-460c-9c27-5a6363045eee sda5_crypt luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived
sda7_crypt UUID=f5152653-698c-4df8-893b-18a6674b38d6 /etc/keys/sda7.luks luks

and /etc/fstab:

# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
/dev/mapper/sda5_crypt /               ext4    commit=120,errors=remount-ro 0       1
UUID=52e6d682-1d43-4454-af33-0bfb2e50e70e /boot           ext4    defaults        0       2
/dev/mapper/sda7_crypt /home           ext4    defaults        0       2
/dev/mapper/sda6_crypt swap swap sw 0 0
/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto     0       0

To replace /dev/sdaX with UUID, use

ls -l /dev/disk/by-uuid/

after that:

sudo apt-get install hibernate

and edit /etc/initramfs-tools/conf.d/resume, where UUID is the UUID of /dev/dm-1:

RESUME=UUID=15a5df64-f2a6-4a9c-8b82-4fb262da7a3e

Notice the difference with the UUID of sda6_crypt in /etc/crypttab


At last:

sudo update-initramfs -u -k all

HTH,
Tuna



#6 2012-07-04 20:47:24

Crunch3R
Member
Registered: 2010-11-14
Posts: 45

Re: [SOLVED] How to enable encrypted swap?

Tunafish wrote:
Crunch3R wrote:

Well, it doesn't hold, I have to repeat the process every time I boot :(

I don't know what's wrong...
I use
/dev/sda1 as /boot
/dev/sda5 as /        --> sda5_crypt
/dev/sda6 as swap   --> sda6_crypt
/dev/sda7 as /home   --> sda7_crypt

Same here for 5 and 6.

Tunafish wrote:

Here's what I did to get the swap working:[...]

Did the exact same thing, except for using zero instead of urandom for time's sake, I used the guide you linked.

I've got exactly the same setup in crypttab and fstab (regarding the two entries that matter).

Tunafish wrote:

To replace /dev/sdaX with UUID, use

ls -l /dev/disk/by-uuid/

But replace it where? I already have UUIDs in crypttab.

Tunafish wrote:

edit /etc/initramfs-tools/conf.d/resume, where UUID is the UUID of /dev/dm-1:

RESUME=UUID=15a5df64-f2a6-4a9c-8b82-4fb262da7a3e

Notice the difference with the UUID of sda6_crypt in /etc/crypttab

By dm-1 you mean the 'dm-X' of my root partition, right? Should the /etc/initramfs-tools/conf.d/resume just contain this one line (don't have the file)?
What is this particular UUID?
What difference? Oh, between a6420f26... and 1b09171f... that mkswap returned, I see...
Thanks.


#7 2012-07-04 21:03:22

Tunafish
#! Die Hard
From: the Netherlands
Registered: 2010-03-07
Posts: 1,201

Re: [SOLVED] How to enable encrypted swap?

Crunch3R wrote:

But replace it where? I already have UUIDs in crypttab.

I didn't, so I had to replace them.

Crunch3R wrote:

By dm-1 you mean the 'dm-X' of my root partition, right? Should the /etc/initramfs-tools/conf.d/resume just contain this one line (don't have the file)?
What is this particular UUID?
What difference? Oh, between a6420f26... and 1b09171f... that mkswap returned, I see...
Thanks.

You have to tell hibernate which partition it has to use for resume:
So you have to create the 'resume' file. There's only one line in that file. And yes, you have to create it yourself.
You can get the UUID of the swap partition (in my case dm-1) with
ls -l /dev/disk/by-uuid/

Does it work?

Last edited by Tunafish (2012-07-04 21:06:46)



#8 2012-07-09 18:05:54

Crunch3R
Member
Registered: 2010-11-14
Posts: 45

Re: [SOLVED] How to enable encrypted swap?

I set up and enabled the swap at hda6_crypt, put its UUID in crypttab, put sda6's UUID in /etc/initramfs-tools/conf.d/resume, installed hibernate (is that relevant?). It worked until a reboot, didn't try hibernating though.

Now 'swapon -a' returns:

swapon: /dev/mapper/hda6_crypt: stat failed: No such file or directory

And I have to set up the encrypted swap from the beginning.

Standard swap encryption works ok with the following entry in crypttab:

hda6_crypt /dev/sda6  /dev/urandom swap


#9 2012-07-09 19:58:48

Tunafish
#! Die Hard
From: the Netherlands
Registered: 2010-03-07
Posts: 1,201

Re: [SOLVED] How to enable encrypted swap?

I notice you mix sda and hda... that's a problem...

What's your output of

sudo fdisk -l

?



#10 2012-07-09 20:12:15

Lastcoder
#! Member
Registered: 2012-03-22
Posts: 71

Re: [SOLVED] How to enable encrypted swap?

I discovered that using UUIDs with encrypted SWAP doesn't work, simply because the partition is newly generated every boot up and the UUID changes every time .. blkid always gives me other nums ..

that's my entry for crypttab

cryptswap        /dev/sda3        /dev/urandom      swap

and for fstab

/dev/mapper/cryptswap    none            swap    sw              0       0

Last edited by Lastcoder (2012-07-09 20:15:55)


#11 2012-07-09 21:18:04

Tunafish
#! Die Hard
From: the Netherlands
Registered: 2010-03-07
Posts: 1,201

Re: [SOLVED] How to enable encrypted swap?

Lastcoder wrote:

I discovered that using UUIDs with encrypted SWAP doesn't work, simply because the partition is newly generated every boot up and the UUID changes every time .. blkid always gives me other nums ..

That's not a general rule. Mine stays the same all the time.



#12 2012-07-10 11:07:56

Crunch3R
Member
Registered: 2010-11-14
Posts: 45

Re: [SOLVED] How to enable encrypted swap?

Lastcoder wrote:

I discovered that using UUIDs with encrypted SWAP doesn't work, simply because the partition is newly generated every boot up and the UUID changes every time .. blkid always gives me other nums ..

Thanks, that was it!
Here's my new crypttab:

hda5_crypt UUID=eb4f3aa2-b5bb-4e47-9739-0cd23640c30c none luks
hda6_crypt /dev/sda6 hda5_crypt luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived

And the swap is running ok.

But hibernate isn't.
Both hibernate and pm-hibernate may 'hibernate' the computer, but then it just boots up as usual and nothing is restored.

hibernate prints

hibernate:Warning: Tuxonice binary signature file not found.

and just before system goes off I can see

ata2: ACPI set timing mode failed status=0x300b

BTW update-initramfs -u -k all printed

W: mdadm: /etc/mdadm/mdadm.conf defines no arrays.
W: mdadm: no arrays defined in configuration file.

Is that of any relevance?

Should I perhaps mess with grub.cfg as I heard someone advise elsewhere?

Last edited by Crunch3R (2012-07-10 11:09:53)


#13 2012-07-10 11:51:34

Tunafish
#! Die Hard
From: the Netherlands
Registered: 2010-03-07
Posts: 1,201

Re: [SOLVED] How to enable encrypted swap?

I get the same error when I run hibernate, although it hibernates fine.
It's 'just' a bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=482815

Can you post the output of

sudo fdisk -l

?
Did you look at the mix of hda and sda in your files? Is that right? Do you use a different hd for the swap? Or is this all on one hard drive?



#14 2012-07-10 12:57:45

Crunch3R
Member
Registered: 2010-11-14
Posts: 45

Re: [SOLVED] How to enable encrypted swap?

Tunafish wrote:

I get the same error when I run hibernate, although it hibernates fine.
It's 'just' a bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=482815

Can you post the output of

sudo fdisk -l

?
Did you look at the mix of hda and sda in your files? Is that right? Do you use a different hd for the swap? Or is this all on one hard drive?

I didn't answer because there was no mixup, but thanks for the tip. My system names partitions sdaX, while Statler installer named encrypted volumes hdaX_crypt, fdisk confirms this.


#15 2012-07-10 13:32:21

Tunafish
#! Die Hard
From: the Netherlands
Registered: 2010-03-07
Posts: 1,201

Re: [SOLVED] How to enable encrypted swap?

Crunch3R wrote:

I didn't answer because there was no mixup, but thanks for the tip. My system names partitions sdaX, while Statler installer named encrypted volumes hdaX_crypt, fdisk confirms this.

All right...
I'm out of ideas...



#16 2012-07-12 21:47:52

Lastcoder
#! Member
Registered: 2012-03-22
Posts: 71

Re: [SOLVED] How to enable encrypted swap?

if you encrypt your SWAP hibernate won't work, since hibernate = suspend to disk -> Linux: suspend to SWAP ;-) An encrypted swap will always be cleared at shutdown and boot up ..

http://www.freesoftwaremagazine.com/art … nate_linux

Last edited by Lastcoder (2012-07-12 21:51:03)
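
The three UUID roles that come up in posts #5 to #16 (the LUKS header UUID that belongs in crypttab, the swap UUID inside the opened mapping that belongs in RESUME=, and a random-key swap that has no stable UUID and cannot be resumed from), shown as an added example that is not part of any post in this thread. `check_uuid_roles` and `demo` are hypothetical names, and the UUIDs and `blkid` lines are constructed sample values.

```shell
#!/bin/sh
# check_uuid_roles BLKID_DUMP CRYPTTAB RESUME_CONF  (BLKID_DUMP = saved `blkid` output)
check_uuid_roles() {
  awk '
    function field(line, k,   m) {          # pull KEY="value" out of a blkid line
      if (match(line, " " k "=\"[^\"]*\"")) {
        m = substr(line, RSTART, RLENGTH)
        return substr(m, length(k) + 4, length(m) - length(k) - 4)
      }
      return ""
    }
    FILENAME == ARGV[1] { kind[field($0, "UUID")] = field($0, "TYPE"); next }
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    FILENAME == ARGV[2] {                   # crypttab: name, source, key, options
      name = $1; src = $2; key = $3; opts = "," $4 ","
      if (opts ~ /,swap,/ && key ~ /^\/dev\/u?random$/)
        print name ": " (src ~ /^UUID=/ ? "FAIL" : "NOTE") " random key, re-created every boot; no stable UUID, no resume"
      else if (opts ~ /,luks,/ && src ~ /^UUID=/) {
        t = kind[substr(src, 6)]
        if (t == "crypto_LUKS") print name ": OK crypttab UUID is a LUKS header"
        else if (t == "")       print name ": FAIL crypttab UUID not found (stale after luksFormat?)"
        else                    print name ": FAIL crypttab UUID is a " t " signature, not a LUKS header"
      }
      next
    }
    /^RESUME=UUID=/ {                       # resume must name the swap area itself
      t = kind[substr($0, 13)]
      print "resume: " (t == "swap" ? "OK" : "FAIL") " RESUME UUID type is " (t == "" ? "unknown" : t)
    }' "$1" "$2" "$3"
}
# Constructed sample with the two UUIDs swapped between crypttab and resume.
demo() {
  d=$(mktemp -d)
  cat > "$d/blkid" <<'EOF'
/dev/sda5: UUID="11111111-aaaa-4aaa-8aaa-000000000005" TYPE="crypto_LUKS"
/dev/sda6: UUID="22222222-bbbb-4bbb-8bbb-000000000006" TYPE="crypto_LUKS"
/dev/mapper/hda6_crypt: UUID="33333333-cccc-4ccc-8ccc-000000000006" TYPE="swap"
EOF
  cat > "$d/crypttab" <<'EOF'
hda5_crypt UUID=11111111-aaaa-4aaa-8aaa-000000000005 none luks
hda6_crypt UUID=33333333-cccc-4ccc-8ccc-000000000006 hda5_crypt luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived
cryptswap /dev/sda3 /dev/urandom swap
EOF
  echo 'RESUME=UUID=22222222-bbbb-4bbb-8bbb-000000000006' > "$d/resume"
  check_uuid_roles "$d/blkid" "$d/crypttab" "$d/resume"
  rm -rf "$d"
}
demo
```

On a live system, save the output of `blkid` (run as root, with the swap mapping open) to a file and pass it together with /etc/crypttab and /etc/initramfs-tools/conf.d/resume.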


#17 2012-07-14 10:25:42

Tunafish
#! Die Hard
From: the Netherlands
Registered: 2010-03-07
Posts: 1,201

Re: [SOLVED] How to enable encrypted swap?

Lastcoder wrote:

if you encrypt your SWAP hibernate won't work, since hibernate = suspend to disk -> Linux: suspend to SWAP ;-) An encrypted swap will always be cleared at shutdown and boot up ..

Doesn't have to be.... I've been using encrypted swap for a long time already.
I used information from this guide: http://madduck.net/docs/cryptdisk/



#18 2012-07-20 11:13:07

Tunafish
#! Die Hard
From: the Netherlands
Registered: 2010-03-07
Posts: 1,201

Re: [SOLVED] How to enable encrypted swap?

Hey Crunch3R, you marked this [solved]. What did you do to fix this?

