Encrypted Swap with suspend to disk?

I can’t recover after suspending to disk with encrypted swap. This is what I have done:


cryptsetup luksFormat /dev/vg/swap --type=plain --key-file=/swap.enc
cryptsetup open /dev/vg/swap --type=plain --key-file=/swap.enc swapcrypt
mkswap /dev/mapper/swapcrypt

Then I add the following to /etc/crypttab:


swapcrypt /dev/vg/swap /swap.enc plain

And add to /etc/fstab:


/dev/mapper/swapcrypt swap swap defaults 0 0

Finally, add the key to initrd (also not sure if it’s necessary):


echo -e 'install_items+=" /swap.enc "' | sudo tee --append /etc/dracut.conf.d/99-swap-key.conf > /dev/null

But I cannot recover after suspending to disk. Where am I wrong?

What’s the output from:


cat /proc/cmdline
cat /proc/swaps


#cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-4.12.14-lp151.27-default root=/dev/mapper/test-root resume=/dev/mapper/swapcrypt quiet splash=silent mitigations=auto

#cat /proc/swaps
Filename                                Type            Size    Used    Priority
/dev/dm-3                               partition       8282108        0       -1

Note that I manually set the kernel parameters as openSUSE was unable to create the “resume” parameter.

That shouldn’t matter, as long as it is set appropriately.

I rarely try hibernation, because it seems like an ugly hack. I think I last tested it back at openSUSE 13.2.

At one time, I had a system with nvidia graphics, and resume from hibernation never worked on that system.

You know, I read your blog post from 2012 about encrypted swap without hibernation. There you said you would prepare another guide covering suspend to disk, but you didn’t, and here we go! So would you have done it this way? Have I done everything right?

For what it’s worth, I may never use hibernation, but now that I have gone this far, I’m curious to know the answers.

In the Arch wiki, they’ve said that:

If the swap device is on a different device from that of the root file system, it will not be opened by the encrypt hook, i.e. the resume will take place before /etc/crypttab can be used, therefore it is required to create a hook in /etc/mkinitcpio.conf to open the swap LUKS device before resuming.

Does something like that also apply to openSUSE?

I normally encrypt the entire LVM, instead of encrypting individual volumes within that LVM. So I’ve never experimented with encryption quite the way that you are doing it.

Does something like that also apply to openSUSE?

Arch handles their “initrd” differently, so I don’t really know.

You could maybe look at “dmesg” messages about resuming. Maybe those give a hint.
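
The Arch wiki passage quoted above says the swap mapping has to be opened before the resume step runs. As an added example (not written by anyone in this thread), the script below cross-checks the `resume=` target against crypttab text and reports how that mapping is keyed; the function names and status strings are hypothetical, and the sample inputs are constructed from the values posted above.

```shell
#!/bin/sh
# Added example: cross-check resume= against crypttab. Sample inputs are
# constructed from the values quoted in the thread.
SAMPLE_CMDLINE='BOOT_IMAGE=/boot/vmlinuz-4.12.14-lp151.27-default root=/dev/mapper/test-root resume=/dev/mapper/swapcrypt quiet splash=silent mitigations=auto'
SAMPLE_CRYPTTAB='swapcrypt /dev/vg/swap /swap.enc plain'

# Print the resume= value from a kernel command line; fail if absent.
resume_target() (
    set -f   # no globbing while word-splitting the command line
    for word in $1; do
        case $word in
            resume=*) printf '%s\n' "${word#resume=}"; exit 0 ;;
        esac
    done
    exit 1
)

# Print "device keyfile options" for mapping $1 in crypttab text $2.
crypttab_entry() {
    printf '%s\n' "$2" | awk -v n="$1" '
        $1 == n { print $2, $3, $4; found = 1; exit }
        END     { exit !found }'
}

# Classify the setup. Prints one of: no-resume, not-a-mapper-path,
# no-crypttab-entry, random-key, passphrase, keyfile:<path>.
check_resume() {
    local target entry key
    target=$(resume_target "$1") || { echo no-resume; return 1; }
    case $target in
        /dev/mapper/*) ;;
        *) echo not-a-mapper-path; return 0 ;;   # e.g. UUID=..., not judged here
    esac
    entry=$(crypttab_entry "${target#/dev/mapper/}" "$2") ||
        { echo no-crypttab-entry; return 1; }
    key=$(printf '%s\n' "$entry" | awk '{ print $2 }')
    case $key in
        # A key read fresh at every boot cannot decrypt the saved image.
        /dev/urandom|/dev/random) echo random-key; return 1 ;;
        none|-|'') echo passphrase ;;
        *) echo "keyfile:$key" ;;   # this file must be available inside the initrd
    esac
}

check_resume "$SAMPLE_CMDLINE" "$SAMPLE_CRYPTTAB"
```

On a live system, pass `"$(cat /proc/cmdline)"` and `"$(cat /etc/crypttab)"` instead of the samples. On a dracut-based system, `lsinitrd` lists the image contents, which shows whether the key file and crypttab actually made it into the initrd.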