[dm-crypt] How to suspend to disk with random encrypted swap

Heiko Rosemann heiko.rosemann at web.de
Sun Oct 23 12:52:29 CEST 2016


Hi David,

Sven is right, this is not really a cryptsetup question... However, let
me add a few more pointers to his answers:

Basically, you'll have the same problem as someone booting with an
encrypted root fs, so you can start there:
https://wiki.gentoo.org/wiki/Dm-crypt_full_disk_encryption#Generating_an_initramfs
- you'll need to add to your initramfs some code to luksOpen the swap
partition (one way or another) and then start the resuming process. The
swap partition obviously can't be encrypted with a random passphrase,
but probably setting it up just like a "normal" data partition in Gentoo
will give you the correct result.

For starting the resuming process, you'll need to write "MAJOR:MINOR" of
your resuming device (probably something like /dev/mapper/swap) into
/sys/power/resume - the way my Slackware does that is the following in
the init script of the initramfs:

  # Resume state from swap
  if [ "$RESUMEDEV" != "" ]; then
    # Find resume device if a label or UUID was given:
    if echo $RESUMEDEV | grep -q "LABEL=" || \
       echo $RESUMEDEV | grep -q "UUID=" ; then
      RESUMEDEV=$(findfs $RESUMEDEV)
    elif ls -l $RESUMEDEV | grep -q "^l" ; then
      RESUMEDEV=$(readlink -f $RESUMEDEV)
    fi
    echo "Trying to resume from $RESUMEDEV"
    RESMAJMIN=$(ls -l $RESUMEDEV | tr , : | awk '{ print $5$6 }')
    echo $RESMAJMIN > /sys/power/resume
  fi

I don't know if Gentoo has a similar setup ready out of the box.

Good luck, and remember to back up early and often ;)
Heiko


On 10/23/2016 12:27 AM, Sven Eschenberg wrote:
> Not really a cryptsetup question.
> 
> You should be aware of the fact that suspend to disk on a randomly 
> encrypted swap cannot work (for obvious reasons). In any way, you'll 
> need to start the kernel and give it a way to read the disk image. The 
> disk image however should be encrypted for obvious reasons.
> 
> How can you resolve the hen and egg problem?
> 
> You can't with complete randomness.
> 
> You'll have to either:
> 1.) have a fixed passphrase for your swap, unlock swap during boot and 
> then resume
> 2.) store your in memory image at some other place than swap, again, 
> that place should be encrypted - you could possibly store the image on 
> /, then you'll have to unlock / during boot to resume.
> 3.) forget about suspend altogether.
> 
> To answer your questions to some extent:
> The kernel will first try to find a suspend image signature on the 
> default swap partition, the location can however be overridden with 
> resume=, the gory details are in the kernel's documentation on boot 
> parameters. The kernel will resume, if there's an image accessible, this 
> can however be overridden with hibernate=.
> 
> Regards
> 
> -Sven
> 
> 
> On 22.10.2016 at 15:55, David Niklas wrote:
>> Hello,
>> I use a random encrypted swap partition, and I want to suspend my system
>> to disk. I'm having two problems.
>> 1. How does the kernel know where to resume from/at all?
>> 2. How do I get the random passphrase for decrypting the swap (and
>> remember it)?
>>
>> Gentoo Linux
>> cryptsetup 1.7.2
>>
>> ###### /etc/conf.d/dmcrypt #########
>>
>> swap=swap
>> options=' -c aes -h sha256 -d /dev/urandom '
>> source='/dev/sda2'
>>
>> ####################################
>>
>> Thanks,
>> David
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt at saout.de
>> http://www.saout.de/mailman/listinfo/dm-crypt
>>
> 


-- 
Encrypt emails with PGP - privacy is your right!
My PGP key for verification: http://pgp.mit.edu
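The following is an added example, not the Slackware init script quoted in the mail above and not Gentoo's own initramfs code. It does what that script does (resolve a LABEL=/UUID=/symlink resume device and write MAJOR:MINOR into /sys/power/resume) but takes the device number from stat(1) instead of parsing `ls -l`, refuses to write anything that is not a block device, and first runs the luksOpen step for a fixed-passphrase swap that Sven's option 1 describes. The variable names RESUMEDEV, CRYPT_SWAP_SRC and RESUME_SYSFS, and the assumption that findfs, stat, readlink and cryptsetup are present in the initramfs, are this example's own.

```shell
#!/bin/sh
# Added example (not the Slackware or Gentoo code from the mail): an
# initramfs helper that unlocks a fixed-passphrase LUKS swap and tells the
# kernel where the hibernation image lives.
# Assumed environment (names are this example's own):
#   RESUMEDEV       - /dev/mapper/swap, LABEL=..., UUID=..., or a symlink
#   CRYPT_SWAP_SRC  - underlying partition (e.g. /dev/sda2) to luksOpen; optional
#   RESUME_SYSFS    - override of /sys/power/resume, useful for dry runs
#   findfs, stat, readlink and cryptsetup are available in the initramfs

# Turn a LABEL=/UUID= spec or a symlink into the real device path.
resolve_resumedev() {
    dev="$1"
    case "$dev" in
        LABEL=*|UUID=*) dev=$(findfs "$dev") || return 1 ;;
    esac
    if [ -L "$dev" ]; then
        dev=$(readlink -f "$dev") || return 1
    fi
    [ -e "$dev" ] || return 1
    printf '%s\n' "$dev"
}

# Decimal MAJOR:MINOR of a device node. stat prints %t/%T in hex, so the
# values are converted with shell arithmetic; /sys/power/resume wants decimal.
devnum() {
    maj=$(stat -c '%t' "$1") || return 1
    min=$(stat -c '%T' "$1") || return 1
    printf '%d:%d\n' "$((0x$maj))" "$((0x$min))"
}

# Unlock the swap (if it is not mapped yet) and hand the device number to
# the kernel. If there is no valid image on the device the write simply
# returns and the init script carries on with a normal boot.
do_resume() {
    [ -n "$RESUMEDEV" ] || return 0      # no resume device given: nothing to do
    if [ -n "$CRYPT_SWAP_SRC" ] && [ ! -e "$RESUMEDEV" ]; then
        # Fixed-passphrase LUKS swap: cryptsetup prompts for the passphrase here.
        cryptsetup luksOpen "$CRYPT_SWAP_SRC" "$(basename "$RESUMEDEV")" || return 1
    fi
    dev=$(resolve_resumedev "$RESUMEDEV") || {
        echo "resume: cannot resolve $RESUMEDEV" >&2; return 1; }
    if [ ! -b "$dev" ]; then
        echo "resume: $dev is not a block device" >&2; return 1
    fi
    num=$(devnum "$dev") || return 1
    echo "Trying to resume from $dev ($num)"
    echo "$num" > "${RESUME_SYSFS:-/sys/power/resume}"
}

# Only act when invoked as a script with --run, so the file can also be
# sourced by an init script that calls do_resume itself.
if [ "${1:-}" = "--run" ]; then
    do_resume
fi
```

The init script should call do_resume after the swap (or root) LUKS container has been opened and before any filesystem is mounted read-write, because the kernel discards the image once it sees a filesystem that was written after the image was taken. Writing to /sys/power/resume is a one-shot request: if the device holds no image, the kernel logs that and boot continues.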

