luks encryption, swap and hibernate

I'm trying to get hibernation to work with a luks encrypted swap partition. There are reports of success with this on ubuntu and fedora. As far as I can tell, the key is creating an appropriate initrd, or using tuxonice. I have tried creating a "normal" encrypted swap partition (with a password). I have tried creating an initrd with the -C option to load the necessary modules. I cannot seem to get it to request a password for the swap partition at boot. I've looked through the mkinitrd script, and have seen mkinitrd patches for fedora, but I have very limited knowledge of shell scripting and much of what I've seen is for the moment over my head. I'm happy to keep exploring, but I was wondering:

Has anyone got this to work on Slackware?

Brian

I went a little bit of a different route and used LVM on top of a LUKS encrypted partition, then used one logical volume for swap. It makes handling an encrypted installation a whoooooooole lot easier since then you only have to enter one password in order two open up your system. The only caveat for getting suspend to disk working is that you have to make sure and give it the right disk mapping for the swap partition. I found the kernel Documentation/power/swsusp-dmcrypt.txt to be really useful in editing the initrd init script. Of course, the assumption there is that you're using the kernel's built-in suspend to disk, and not the suspend2 patches, etc. I'm afraid I can't be too helpful with that. The other useful source of information I found was on the gentoo-wiki: http://gentoo-wiki.com/SECURITY_Syst..._with_LUKS#FAQ.
Good luck.

EDIT:

Also, if you have at least a working initrd for the root filesystem, you can edit /boot/initrd-tree/init, copy the line that runs /sbin/cryptsetup luksOpen ... ... ... and change the ${LUKSDEV} and $ROOTDEV variables to point directly to your swap partition and mapped name, and it should open without any trouble. The other thing you might have to do is pull out the numeric mapping of your swap partition by running

Code:

ls -l /dev/mapper/whateveryounamedswap

and adding a line in the init right before it switches to the real root partition like this:

Code:

echo foo:bar > /sys/power/resume

Of course, you'll also have to run mkinitrd without any flags to rebuild the initrd.gz, and run lilo again, but that should work.

Hi bl0tt0,

I just wanted to tell you that I really appreciate your help. This is all new to me, and I am unfamiliar with the inner workings of initrd, so it will take me some time to wade through the scripts. I'll certainly post back once I figure it all out.

Brian

Hi!

On slackware-current this is all a bit easier.
I just installed Slackware-current. After the installer booted up, I created a small partition /dev/hda1 to be used as the boot partition, and the rest of the disk was devoted to a single big partition /dev/hda2 which I encrypted using cryptsetup.
On top of that encrypted partition I created a LVM PV (physical volume), then a VG (volume group) called "cryptvg" (any name will do) and then 3 LV's (logical volumes) called 'root' 'home' and 'swap' (again, any name will do), one for / and /home partitions and the 3rd to be used as swap partition. I made sure to create the swap volume bigger than the total amount of RAM I have in my laptop.
Then I created device nodes for these and enabled them:

Code:

vgscan --mknodes && vgchange -ay

I had to configure swap before running setup. The setup program will only recognize swap partitions when they are 'real' partitions of type '82' (Linux swap): so I ran:

Code:

mkswap -v1 /dev/cryptvg/swap && swapon /dev/cryptvg/swap

After that, I started setup, and installed Slackware to /dev/cryptvg/root (the LV I created for the root partition) and /dev/cryptvg/home (which is the LV I created for the /home partition). Do not forget to create a separate entry for a /boot partition! On an encrypted system you need an unencrypted /boot so that your kernel and initrd can be loaded into memory when booting the computer.

At the end of the install, do not reboot! You should 'chroot' into your newly installed system:

Code:

chroot /mnt

First, edit the /etc/fstab in the chroot and add a line for your swap:

Code:

/dev/cryptvg/swap  swap  swap  defaults  0 0

Then, create an initrd with support for LVM, LUKS and hibernation (my root filesystem is ext3):

Code:

mkinitrd -c -k 2.6.24.3-smp -m ext3 -f ext3 -r /dev/cryptvg/root -C /dev/hda2 -L -h /dev/cryptvg/swap

Then, edit /etc/lilo.conf and change a couple of things:

Add an "append" line (or if you already added an append option, just add 'resume=/dev/cryptvg/swap' to that line):

Code:

append = "resume=/dev/cryptvg/swap"

Change your entry for the Linux kernel so that it uses the generic kernel, plus your initrd (the combination of a huge kernel plus initrd will not work):

Code:

image = /boot/vmlinuz-generic-smp-2.6.24.3-smp
  initrd = /boot/initrd.gz
  root = /dev/cryptvg/root
  label = linux
  read-only

Then, run "lilo" to make the changes stick.
Now you can safely reboot into your newly installed Slackware. On boot, you will be asked for your LUKS passphrase which will unlock the encrypted container. After that, the LVM will be configured and Slackware will start as usual.

This will give you a fully encrypted system including the swap (well, minus the /boot partition). When you hibernate (suspend to disk) your RAM will be saved to that swap partition, and when the power is off, this will be all encrypted! No one will be able to get to your data now, because when you boot again, you will first have to enter that LUKS passphrase again before your hibernation image can be loaded back into RAM.

Using a proper set of acpi scripts you can now make your hibernation process very easy. I just need to press my laptop's POWER button briefly to hibernate the machine (suspend to disk), and closing the lid will suspend Slackware to RAM (sleep mode).
A copy of the acpi scripts I received from Robby Workman are here: http://www.slackware.com/~alien/tools/acpi.tar.gz


Cheers Eric

A minor caveat: the acpi scripts are at least partially Thinkpad specific, especially the hotkey stuff, so your mileage may vary.

EDIT: With the changes in Slackware current today (Wed Mar 26 00:21:34 CDT 2008) the problem no longer exists, the installer recognizes the swap partition like alienbob wrote above.

-- old post follows --

Quote:

Originally Posted by Alien Bob Hi! I had to configure swap before running setup. The setup program will only recognize swap partitions when they are 'real' partitions of type '82' (Linux swap): so I ran: Code: mkswap -v1 /dev/cryptvg/swap && swapon /dev/cryptvg/swap

This doesn't seem to work per se here. I am not familiar with LVM, so take my comment merely as a question and not as some sort of rant .

If I use cfdisk to create a swap (partition type 82) on /dev/cryptvg/swap BEFORE the line you gave above then the swap space is recognized. I'm not sure though if that is how it should work. If I don't treat the swap space like that, the installer won't pick up the swap unfortunately and only tells me that I didn't create one with fdisk. I'm doing this in a virtual machine, but I guess that shouldn't make any difference.
Do I have to use fdisk/cfdisk to explicitly set the partition type of 82 for swap space?

Big thanks to Eric H.! I finally upgraded to -current and followed Eric's procedure and it worked great. (I see it has also been added to the CRYPT readme.)

I am able to hibernate and resume from a console and with the nv video driver. I haven't had luck with the nvidia driver yet, and can't suspend, but those will be topics for another thread. luks/swap/hibernate work just fine.

EDIT
nvidia driver works when I add 'Options "NvAgp" "1"' to xorg.conf
/EDIT

Thanks again (and for the mirror-slackware script).

Brian