
Thread: Encrypted Swap with suspend to disk?

  1. #1

    Encrypted Swap with suspend to disk?

    Can't recover after suspending to disk with encrypted swap. This is what I have done:

    Code:
    cryptsetup luksFormat /dev/vg/swap --type=plain --key-file=/swap.enc
    cryptsetup open /dev/vg/swap --type=plain --key-file=/swap.enc swapcrypt
    mkswap /dev/mapper/swapcrypt

    Then I add the following to /etc/crypttab:

    Code:
    swapcrypt /dev/vg/swap /swap.enc plain

    And add to /etc/fstab:

    Code:
    /dev/mapper/swapcrypt swap swap defaults 0 0

    Finally, add the key to initrd (also not sure if it's necessary):

    Code:
    echo -e 'install_items+=" /swap.enc "' | sudo tee --append /etc/dracut.conf.d/99-swap-key.conf > /dev/null

    But I cannot recover after suspending to disk. Where am I wrong?

  2. #2
    Join Date: Aug 2010 | Location: Chicago suburbs | Posts: 12,507 | Blog Entries: 3

    Re: Encrypted Swap with suspend to disk?

    What's the output from:
    Code:
    cat /proc/cmdline
    cat /proc/swaps
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  3. #3

    Re: Encrypted Swap with suspend to disk?

    Quote (originally posted by nrickert):
    What's the output from:
    Code:
    cat /proc/cmdline
    cat /proc/swaps

    Code:
    #cat /proc/cmdline
    BOOT_IMAGE=/boot/vmlinuz-4.12.14-lp151.27-default root=/dev/mapper/test-root resume=/dev/mapper/swapcrypt quiet splash=silent mitigations=auto
    
    #cat /proc/swaps
    Filename                                Type            Size    Used    Priority
    /dev/dm-3                               partition       8282108        0       -1

    Note that I manually set the kernel parameters, as openSUSE was unable to create the "resume" parameter.

  4. #4

    Re: Encrypted Swap with suspend to disk?

    Quote (originally posted by djatlas):
    Note that I manually set the kernel parameters, as openSUSE was unable to create the "resume" parameter.

    That shouldn't matter, as long as it is set appropriately.

    I rarely try hibernation, because it seems like an ugly hack. I think I last tested it back at openSUSE 13.2.

    At one time, I had a system with nvidia graphics, and resume from hibernation never worked on that system.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  5. #5

    Re: Encrypted Swap with suspend to disk?

    Quote (originally posted by nrickert):
    That shouldn't matter, as long as it is set appropriately.

    I rarely try hibernation, because it seems like an ugly hack. I think I last tested it back at openSUSE 13.2.

    At one time, I had a system with nvidia graphics, and resume from hibernation never worked on that system.

    You know, I read your blog post from 2012 about encrypted swap without hibernation. There you said you would prepare another guide covering suspend to disk, but you didn't, and here we go! So would you have done it this way? Have I done everything right?

    For what it's worth, I may never use hibernation, but now that I have gone this far, I'm curious to know the answers.

    In the Arch wiki, they've said that:

    If the swap device is on a different device from that of the root file system, it will not be opened by the encrypt hook, i.e. the resume will take place before /etc/crypttab can be used, therefore it is required to create a hook in /etc/mkinitcpio.conf to open the swap LUKS device before resuming.

    Does something like that also apply to openSUSE?

  6. #6

    Re: Encrypted Swap with suspend to disk?

    Quote (originally posted by djatlas):
    So would you have done it this way? Have I done everything right?

    I normally encrypt the entire LVM, instead of encrypting individual volumes within that LVM. So I've never experimented with encryption quite the way that you are doing it.

    Quote (originally posted by djatlas):
    Does something like that also apply to openSUSE?

    Arch handles their "initrd" differently, so I don't really know.

    You could maybe look at "dmesg" messages about resuming. Maybe those give a hint.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha
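
The three settings posted in this thread (the `resume=` kernel parameter, the `/etc/crypttab` entry and the dracut `install_items` line) all have to name the same mapping and key file before the initrd could unlock the swap device ahead of resume, which is the concern in the Arch wiki passage quoted in post #5. The script below is an added example, not part of any post and not openSUSE tooling; its function names are hypothetical, and it only cross-checks the text of those settings, using the values posted above as sample data.

```shell
#!/bin/sh
# Added example: cross-check the three settings posted in this thread.
# Function names are hypothetical; the sample data is copied from the posts.

# Print the first resume= value found on a kernel command line.
resume_device() {
    dev=$(printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^resume=//p' | head -n 1)
    [ -n "$dev" ] && printf '%s\n' "$dev"
}

# Print the key-file field of the crypttab entry named by /dev/mapper/NAME.
crypttab_key() {            # $1 = device path, $2 = crypttab text
    printf '%s\n' "$2" |
        awk -v n="${1#/dev/mapper/}" '$1 == n { print $3; found = 1 } END { exit !found }'
}

# Succeed if the dracut config text lists the key file in install_items.
key_in_dracut_conf() {      # $1 = key path, $2 = dracut conf text
    items=$(printf '%s\n' "$2" |
        sed -n 's/^[[:space:]]*install_items+\{0,1\}=//p' | tr -d "\"'")
    for item in $items; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# 0 = consistent, 1 = no resume=, 2 = no crypttab entry, 3 = key not in initrd config
check_resume_setup() {      # $1 = cmdline, $2 = crypttab text, $3 = dracut conf text
    rdev=$(resume_device "$1") || { echo "no resume= parameter"; return 1; }
    key=$(crypttab_key "$rdev" "$2") || { echo "$rdev: no crypttab entry"; return 2; }
    case $key in
        /*) key_in_dracut_conf "$key" "$3" ||
                { echo "$key is not in install_items"; return 3; } ;;
    esac
    echo "$rdev: crypttab entry found, key=${key:-none}"
}

# Sample data as posted in this thread.
CMDLINE='BOOT_IMAGE=/boot/vmlinuz-4.12.14-lp151.27-default root=/dev/mapper/test-root resume=/dev/mapper/swapcrypt quiet splash=silent mitigations=auto'
CRYPTTAB='swapcrypt /dev/vg/swap /swap.enc plain'
DRACUT_CONF='install_items+=" /swap.enc "'

check_resume_setup "$CMDLINE" "$CRYPTTAB" "$DRACUT_CONF"
```

On a live system the three arguments would be the contents of /proc/cmdline, /etc/crypttab and /etc/dracut.conf.d/99-swap-key.conf. A result of 0 also means the swap key is copied into the initrd, so the key is only as well protected as the initrd file itself.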
