[dm-crypt] How to suspend to disk with random encrypted swap

Sven Eschenberg sven at whgl.uni-frankfurt.de
Sun Oct 23 00:27:25 CEST 2016


Not really a cryptsetup question.

You should be aware of the fact that suspend to disk on a randomly 
encrypted swap cannot work (for obvious reasons). In any case, you'll 
need to start the kernel and give it a way to read the disk image. The 
disk image, however, should be encrypted for obvious reasons.

How can you resolve the hen and egg problem?

You can't with complete randomness.

You'll have to either:
1.) have a fixed passphrase for your swap, unlock swap during boot and 
then resume
2.) store your in-memory image at some other place than swap; again, 
that place should be encrypted - you could possibly store the image on 
/, then you'll have to unlock / during boot to resume.
3.) forget about suspend altogether.

To answer your questions to some extent:
The kernel will first try to find a suspend image signature on the 
default swap partition; the location can, however, be overridden with 
resume=. The gory details are in the kernel's documentation on boot 
parameters. The kernel will resume if there's an image accessible; this 
can, however, be overridden with hibernate= .

Regards

-Sven


On 22.10.2016 at 15:55, David Niklas wrote:
> Hello,
> I use a random encrypted swap partition, and I want to suspend my system
> to disk. I'm having two problems.
> 1. How does the kernel know where to resume from/at all?
> 2. How do I get the random passphrase for decrypting the swap (and
> remember it)?
>
> Gentoo Linux
> cryptsetup 1.7.2
>
> ###### /etc/conf.d/dmcrypt #########
>
> swap=swap
> options=' -c aes -h sha256 -d /dev/urandom '
> source='/dev/sda2'
>
> ####################################
>
> Thanks,
> David
>
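
The conflict described in the reply above can be checked mechanically. The script below is an added example, not part of the thread or of any dm-crypt tooling: it reads a Gentoo-style /etc/conf.d/dmcrypt and a kernel command line and reports whether resume= points at a swap mapping keyed from /dev/urandom or /dev/random. The function names, the verdict strings and the /dev/mapper/NAME convention are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread. Flags a resume= target that sits on a swap
# mapping keyed from /dev/urandom or /dev/random: that key is gone after a reboot.
# Assumptions: one key=value per line as in the posted config, and the mapping
# for "swap=NAME" appearing as /dev/mapper/NAME.

unquote() { printf '%s' "$1" | tr -d "'\""; }

# Print "name source" for every randomly keyed swap= entry in config file $1.
random_swaps() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' "$1" | {
        name=""; src=""; rnd=0
        emit() { [ -n "$name" ] && [ -n "$src" ] && [ "$rnd" = 1 ] && echo "$name $src"; return 0; }
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in
                swap=*)    emit; name=$(unquote "${line#swap=}"); src=""; rnd=0 ;;
                target=*)  emit; name=""; src=""; rnd=0 ;;
                source=*)  src=$(unquote "${line#source=}") ;;
                options=*) case "$line" in */dev/urandom*|*/dev/random*) rnd=1 ;; esac ;;
            esac
        done
        emit
    }
}

# Print the value of the last resume= parameter on kernel command line $1.
resume_target() {
    r=""
    for w in $1; do case "$w" in resume=*) r=${w#resume=} ;; esac; done
    echo "$r"
}

# Verdict for config file $1 and command line $2:
#   resume-disabled | no-resume-param | unresolved:<value> | conflict:<dev> | ok:<dev>
# "ok" only means the target is not a randomly keyed swap entry in this config.
check_resume() {
    for w in $2; do
        case "$w" in noresume|hibernate=no|hibernate=noresume) echo resume-disabled; return 0 ;; esac
    done
    dev=$(resume_target "$2")
    [ -n "$dev" ] || { echo no-resume-param; return 0; }
    case "$dev" in /dev/*) ;; *) echo "unresolved:$dev"; return 0 ;; esac   # UUID= etc. not looked up
    hit=$(random_swaps "$1" | while read -r name src; do
        if [ "$dev" = "$src" ] || [ "$dev" = "/dev/mapper/$name" ]; then echo "$dev"; fi
    done)
    if [ -n "$hit" ]; then echo "conflict:$dev"; else echo "ok:$dev"; fi
}

# Usage: sh check.sh /etc/conf.d/dmcrypt "$(cat /proc/cmdline)"
if [ $# -eq 2 ]; then check_resume "$1" "$2"; fi
```

With the configuration quoted in the question, both resume=/dev/sda2 and resume=/dev/mapper/swap are reported as a conflict.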
