LUKS: automatically decrypt swap partition (boot/hibernation) providing password only once

Hi!
I have a fresh installation of Tumbleweed on a Lenovo T580 notebook. The SSD is encrypted via LUKS during installation – including a separate swap partition to use for hibernation. At the moment the root partition is already decrypted automatically without providing an additional key file as stated here:

Automatically_decrypt_the_root_partition

What I also would like to accomplish is to decrypt the swap partition without having to provide the password twice, like it is described here:

Additional_steps_when_using_hibernation_with_encrypted_swap_partition

Unfortunately, this does not work as expected. I still have to provide the password twice (one for Grub and one for swap as I understand it) – at boot time as well as on waking up from hibernation.

First of all there is one general lack of understanding: Do I have to provide an additional key file to decrypt the swap partition automatically like this was the case before Grub was able to decrypt root automatically? At the moment I do not provide a separate key file, cause the Support Database is somewhat unclear about this (for me).

These are the specific steps I have taken so far:

lsblk -o +UUID

nvme0n1p3 259:3  0  31.1G  0 part         ebdb25fa-de4b-453e-aac9-13aeb9cd0bb1
cr_swap 254:1    0  31.1G  0 crypt [SWAP] 0cf5e904-7249-4700-af64-2a33853b5bc9

/etc/crypttab

cr_swap  UUID=ebdb25fa-de4b-453e-aac9-13aeb9cd0bb1  none  x-initrd.attach,force
cr_root  UUID=0a9af5f4-f126-49af-8a9d-c63ff5725fb4  none  x-initrd.attach

/etc/dracut.conf.d/99-resume.conf

add_dracutmodules+=" resume "

There is another file ‘99-debug.conf’ present which I left untouched to not mess with system generated configs. I hope that’s just inelegant and not problematic.

Rebuild the initrd via:

dracut -f

Finally I added ‘resume’ to the kernel parameters via Yast:

splash=silent quiet security=apparmor resume=UUID=0cf5e904-7249-4700-af64-2a33853b5bc9

Please let me know if further information is required. And please bear with my dangerous half-knowledge. Any help much appreciated.

grub will forward decrypted key to the initrd only for the root partition. If you want to decrypt anything else unattended, you need to arrange it yourself. One possibility is to store the unencrypted key in initrd and reference it in /etc/crypttab.

Have a look at your different UUID for cr_swap in output of lsblk and entry in crypttab file.

And in crypttab none has to be replaced with your path to rootkey file explained in description given at your linked site.

@arvidjaar
OK, thanks for the clarification. I will handle this as shown in the Support Database.

@Robo-Tron
Thanks for the suggestion. I think this is correct, even if this is very misleading. /etc/crypttab was generated by the system – the only thing I added was ‘,force’ (if I remember correctly) for the swap partition. /etc/crypttab is expecting the UUID of the >en<crypted(?) partition using the label ‘cr_swap’. That said, the output of lsblk shows two partitions for every LUKS encrypted partition – but ‘cr_swap’ of TYPE ‘crypt [SWAP]’ is in fact the >de<crypted partition (based on the >en<crypted partition of TYPE ‘part’ one level above). If I am not horribly wrong the label ‘cr_swap’ refers to the decrypted partition in the output of lsblk but refers to the encrypted partition in /etc/crypttab.

I would appreciate if someone could confirm those ‘mixed up’ labels cause I am walking on unknown territory.

They are not mixed up. cr_swap is the name of the decrypted LUKS container (“mapped device name” in the crypttab man page) both in lsblk output and in /etc/crypttab.

@arvidjaar
But as far as I understand /etc/crypttab is expecting the UUID of the >en<crypted partition - not the other way round. This really confuses me cause /etc/crypttab was generated by the system during installation (cr_swap → encrypted UUID).

Yes you are right. My fault. For me the cr_swap-UUID in crypttab is the same as the partition-UUID for the swap partition.

My entry in crypttab is:

cr_swap  UUID=fbd1cfce-a782-47a8-8360-blabla4711 /.root.key x-initrd.attach,force

And in the bootloader line I did not enter the UUID for resume but the name of the swap:

fsplash=silent resume=/dev/mapper/cr_swap preempt=full quiet security=apparmor
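To make the crypttab/lsblk relationship discussed above concrete, here is an added shell check (my own example, not something posted in this thread) that reads crypttab lines and `lsblk -ln -o +UUID` style output and confirms that each UUID names the LUKS container (TYPE ‘part’) rather than the decrypted mapper (TYPE ‘crypt’). The sample data is constructed from the values quoted in the thread; the function name and the list-style lsblk output without tree glyphs are assumptions.

```shell
#!/bin/sh
# Added example: cross-check /etc/crypttab entries against `lsblk -ln -o +UUID`.
# The UUID in crypttab must belong to the LUKS container (TYPE "part"),
# never to the decrypted mapper device (TYPE "crypt").

# Constructed sample, modelled on the lsblk output in the post (no tree glyphs).
LSBLK_SAMPLE='nvme0n1p3 259:3 0 31.1G 0 part ebdb25fa-de4b-453e-aac9-13aeb9cd0bb1
cr_swap 254:1 0 31.1G 0 crypt [SWAP] 0cf5e904-7249-4700-af64-2a33853b5bc9'

# Constructed crypttab lines: the first points at the LUKS partition (correct),
# the second at the mapper's own UUID (the mix-up discussed in the thread).
CRYPTTAB_OK='cr_swap  UUID=ebdb25fa-de4b-453e-aac9-13aeb9cd0bb1  none  x-initrd.attach,force'
CRYPTTAB_BAD='cr_swap  UUID=0cf5e904-7249-4700-af64-2a33853b5bc9  none  x-initrd.attach,force'

# check_crypttab "<crypttab text>" "<lsblk text>"  (hypothetical helper name)
# Returns 0 when every entry's UUID names a "part" device, 1 otherwise.
check_crypttab() {
    crypttab=$1 lsblk_out=$2 status=0
    while read -r name source key _; do
        case $name in ''|'#'*) continue ;; esac      # skip blank/comment lines
        case $source in
            UUID=*) uuid=${source#UUID=} ;;
            *) echo "$name: source '$source' is not UUID=..., skipped"; continue ;;
        esac
        # With -o +UUID the UUID is the last column, so $NF works whether or
        # not a MOUNTPOINT such as [SWAP] is printed; TYPE is column 6.
        type=$(printf '%s\n' "$lsblk_out" | awk -v u="$uuid" '$NF == u { print $6 }')
        case $type in
            part)  echo "$name: OK, UUID is the LUKS container" ;;
            crypt) echo "$name: WRONG, UUID is the decrypted mapper device"; status=1 ;;
            '')    echo "$name: WRONG, UUID $uuid not present in lsblk"; status=1 ;;
            *)     echo "$name: WRONG, UUID is a '$type' device"; status=1 ;;
        esac
        # A key of "none" means a passphrase prompt at boot and on resume.
        [ "$key" = none ] && echo "$name: key is 'none', a passphrase will be asked"
    done <<EOF
$crypttab
EOF
    return "$status"
}

# Stand-alone demo: prints the verdict for both constructed samples.
check_crypttab "$CRYPTTAB_OK" "$LSBLK_SAMPLE"
check_crypttab "$CRYPTTAB_BAD" "$LSBLK_SAMPLE" || echo "bad crypttab entry detected"
```

On a real system, pass `"$(cat /etc/crypttab)"` and `"$(lsblk -ln -o +UUID)"` as the two arguments.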

OK, thanks for diving into this. Made my day!

That said, after all there are no ‘mixed up’ labels and everything is fine.

Thanks again!