SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I'd like to change the current swap partition to encrypted one and still be able to use standard Linux's hibernation (invoked with pm-utils). No other encrypted volumes are required, just swap.
Now if I boot system after hiberation, I can see error messages about /dev/mapper/cryptswap does not exist whereas later a can see this device mounted and working.
Also did remarked LUKS tries to open `/dev/mapper/lukssda2' which I did nowhere defined.
Any idea ?
Last edited by torimus; 07-02-2013 at 12:07 PM.
Reason: missing field in mkinitrd call
Doesn't using hibernate on an encrypted system defeat one of the primary purposes of having the computer encrypted?
If only a data partition is encrypted perhaps it makes sense, as you can lock and unlock it as needed. But when you are encrypting swap typically you are encrypting the operating system partitions also.
LUKS asks for a password to decrypt(unlock) the swap partition at boot, so the whole system snapshot is relatively safe. The primary initialization is handled with init ramdisk stored on an unenrypted partition including unlocking of encrypted ones, so I don't see a contradiction here.
The data stored from memory to an encrypted swap partition at hibernation are inaccessible until proper password is entered at boot. Of course other unencrypted partitions can be read by anyone with physical access to the notebook.
/dev/sda1 unencrypted ext4 system contains linux image and initrd
/dev/sda2 swap partition to be converted to encrypted one
I guess I'm not familiar with what happens when a system starts up from hibernate. I didn't think that a boot was involved, but merely the restoring of RAM and continuing where it left off, which I thought would have meant unlocked disk partitions if they were unlocked when hibernate was initiated (RAM moved to disk).
I'll have to experiment some with hibernate and encrypted partitions.
EDIT: Don't let my side issue disrupt the OP request for assistance. Others please respond to torimus request.
When your system is powered back on from hibernate aren't the disks available without encryption (unlocked)?
When your laptop is stolen from your car in a hibernate state won't the disk data be available unencrypted when it is powered back on?
I'm sure several people on this forum (e.g., Alien Bob, Gazl) can explain the process better than I, but what I have observed is that the LUKS encryption password(s) have to be entered before the hibernated image is restored.
Hibernate completely powers off your system after saving everything to your (hopefully encrypted) swap file. When you turn the system back on, it starts with the normal boot process, loads the initrd, attempts to mount and open your root and and swap files. Because they are encrypted, you are prompted for your encryption password(s) to unlock them. It is only then that the hibernation is detected and the system begins to restore the image from swap.
Now if I boot system after hiberation, I can see error messages about /dev/mapper/cryptswap does not exist whereas later a can see this device mounted and working.
Also did remarked LUKS tries to open `/dev/mapper/lukssda2' which I did nowhere defined.
I don't know about the /dev/mapper/cryptswap error messages you are getting, but the explanation of the -C parameter in the man pages for mkinitrd explains the /dev/mapper/luks<device> name you are seeing.
Code:
-C device list
A colon (:) delimited list of luks encrypted block devices to be unlocked by the initrd using crypt-
setup. All devices that must be unlocked in order to access the root filesystem must be specified.
e.g.
-C /dev/sda2:/dev/sda3
Each unlocked device will be assigned an automatically generated luks device name of the form
luks<device> where '<device>' will be the basename of the encrypted device. e.g.
/dev/mapper/lukssda2
As a convenience to users, where -r specifies one of the device names listed on the -C option it will
be automatically adjusted to use the correct luks device name. i.e.
"-C /dev/sda2 -r /dev/sda2" and
"-C /dev/sda2 -r /dev/mapper/lukssda2"
are equivalent.
(Use with '-r' option).
I don't think you need to use /etc/crypttab if you are unlocking devices via the -C parameter of mkinitrd. I am using LUKS and LVM both and encrypting all partitions except for /boot, so perhaps my situation is different, but I get a double prompt for the LUKS password for each device if I specify it on the -C parm of mkinitrd and also add it to /etc/crypttab.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.