# Hibernation with encrypted swap

## ippo

Hi,

I want to protect my private data on my laptop (supposing my laptop will be stolen). I'm not working for NASA, the World Bank or UEFA, but I want to cover my private mail, photos or documents, thus I don't need a paranoid level of protection.

I want to cover my /home partition. I encrypted it using this manual:

http://tredosoft.com/encrypt_home_directory_fedora_9

Encryption of the /home partition works great, but probably I need to encrypt my swap and /tmp too. I tried the way from the Fedora site but my Gentoo can't execute Fedora's script.

OK, I encrypted swap and /tmp this way (section "Encrypting swap and /tmp/"):

http://en.gentoo-wiki.com/wiki/DM-Crypt#Encrypting_swap_and_.2Ftmp.2F

and it works, but... I can hibernate my system but not resume. I think that grub can't read the encrypted swap partition until dm-crypt starts, but when dm-crypt starts it is too late, because the system starts with a normal boot.

NOTICE:

I'm using pm-utils to hibernate + kernel options. It works perfectly with gnome-power-manager or the console. I'm not using an initrd.

When I encrypted swap I changed the kernel's default partition and the grub.conf line from /dev/hda2 to /dev/mapper/crypt-swap (crypt-swap is from /etc/conf.d/dmcrypt) but the system starts with "boot", not with "resume".

```
cat /etc/conf.d/dmcrypt 
# /etc/conf.d/dmcrypt

# For people who run dmcrypt on top of some other layer (like raid),
# use rc_need to specify that requirement.  See the runscript(8) man
# page for more information.

#--------------------
# Instructions
#--------------------
# Note regarding the syntax of this file.  This file is *almost* bash,
# but each line is evaluated separately.  Separate swaps/targets can be
# specified.  The init-script which reads this file assumes that a
# swap= or target= line starts a new section, similar to lilo or grub
# configuration.
# Note when using gpg keys and /usr on a separate partition, you will
# have to copy /usr/bin/gpg to /bin/gpg so that it will work properly
# and ensure that gpg has been compiled statically.
# See http://bugs.gentoo.org/90482 for more information.
# Note that the init-script which reads this file detects whether your
# partition is LUKS or not. No mkfs is run unless you specify a makefs
# option.

# Global options:
#----------------
# Max number of checks to perform (1 per second)
#dmcrypt_max_timeout=120

# Arguments:
#-----------
# target=<name>                      == Mapping name for partition.
# swap=<name>                        == Mapping name for swap partition.
# source='<dev>'                     == Real device for partition.
# key='</path/to/keyfile>[:<mode>]'  == Fullpath from / or from inside removable media.
# remdev='<dev>'                     == Device that will be assigned to removable media.
# gpg_options='<opts>'               == Default are --quiet --decrypt
# options='<opts>'                   == cryptsetup, for LUKS you can only use --readonly
# loop_file='<file>'                 == Loopback file.
# pre_mount='cmds'                   == commands to execute before mounting partition.
# post_mount='cmds'                  == commands to execute after mounting partition.
#-----------
# Supported Modes
# gpg               == decrypt and pipe key into cryptsetup.
#                  Note: new-line character must not be part of key.
#                  Command to erase \n char: 'cat key | tr -d '\n' > cleanKey'

#--------------------
# dm-crypt examples
#--------------------

## swap
# Swap partitions. These should come first so that no keys make their
# way into unencrypted swap.
# If no options are given, they will default to: -c aes -h sha1 -d /dev/urandom
# If no makefs is given then mkswap will be assumed
swap=crypt-swap
source='/dev/hda2'

## /home with passphrase
#target=crypt-home
#source='/dev/hda5'

## /home with regular keyfile
#target=crypt-home
#source='/dev/hda5'
#key='/full/path/to/homekey'

## /home with gpg protected key
#target=crypt-home
#source='/dev/hda5'
#key='/full/path/to/homekey:gpg'

## /home with regular keyfile on removable media(such as usb-stick)
#target=crypt-home
#source='/dev/hda5'
#key='/full/path/to/homekey'
#remdev='/dev/sda1'

##/home with gpg protected key on removable media(such as usb-stick)
#target=crypt-home
#source='/dev/hda5'
#key='/full/path/to/homekey:gpg'
#remdev='/dev/sda1'

##/tmp with regular keyfile
target=crypt-tmp
source='/dev/hda4'
key='/dev/urandom'
options='-c aes-cbc-essiv:sha256'
pre_mount='/sbin/mkfs.ext3 -L crypto-tmp ${dev}'
post_mount='chown root:root ${mount_point}; chmod 1777 ${mount_point}'

## Loopback file example
#mount='crypt-loop-home'
#source='/dev/loop0'
#loop_file='/mnt/crypt/home'
```

My /etc/fstab:

```
proc                     /proc      proc      defaults               0   0
/dev/hda1                /          ext3      noatime                0   1
/dev/mapper/crypt-swap   none       swap      sw
#/dev/hda2               none       swap      sw                     0   0
/dev/mapper/crypt-tmp    /tmp       ext3      auto,noatime           0   2
shm                      /dev/shm   tmpfs     nodev,nosuid,noexec    0   0
```

1. What do I have to do to get working hibernation with encrypted swap? Do I have to use an initrd and/or tuxonice and/or whatever?

NOTICE: I want the plainest way to reach it, something like "do and forget"; especially I don't want to do something after a system upgrade.

Probably it is possible using LUKS to encrypt swap:

http://forums.fedoraforum.org/showthread.php?t=181835

2. Is it possible to use one way, not mixing LUKS and dm-crypt? It looks possible; the dm-crypt config has a section for /home...

3. What about truecrypt? I heard that it is an easier way to encrypt?

4. Sorry for my English but it isn't my native language. It is the reason I can't understand Gentoo manuals like:

http://en.gentoo-wiki.com/wiki/DM-Crypt_with_LUKS

http://en.gentoo-wiki.com/wiki/DM-Crypt

5. I don't know where to place this post, in "Kernel & Hardware" or "Unsupported Software" (if it needs to be moved, please do it).

Best regards

----------

## idella4

ippo,

Just here is fine.

*Quote:*

> /dev/hda2 t

Eeeek. This has been in posts time and time again. /dev/hda was surpassed I don't know when, but a long time ago. udev support I gather is not entirely dropped but is on its way.

udev on most systems employs SCSI emulation.

Do you have your config looking like this?

*Quote:*

> <*> ATA/ATAPI/MFM/RLL support (DEPRECATED)  --->
>     SCSI device support  --->
> ...

 

or *Quote:*

> <*> Parallel port support  --->
> -*- Plug and Play support  --->
> ...

 

If so, that's a fundamental to straighten out. One of my kernels has the DEPRECATED section checked and running, but for me it's not an issue, and it's only one of them.

I am in the process of looking at this encryption stuff, so in that arena you're ahead of me.

Adjust this & repost; if unsure how to adjust, we're still here.

----------

## ippo

idella4,

Thanks for your reply. My kernel config:

http://img508.imageshack.us/img508/225/zrzuto.png

I'm always using a stable distribution; formerly Debian lenny, now Gentoo stable. I like /dev/hda because it is written in human language, and until now it works (it still works if I don't use encrypted swap).

----------

## NeddySeagoon

ippo,

A few things ...

1. Make friends with wgetpaste.

```
 emerge wgetpaste
```

Then you can post files and command outputs directly to the web

with 

```
<command> | wgetpaste
```

 or 

```
wgetpaste /path/to/file
```

Then post the URL you get back. Only use it for big files as the posts stay on the web for about a month. This limits the usefulness of forum threads to other readers later.

2. You will have problems updating udev sometime soon. All your /dev/hd* nodes will vanish. You need to update to libata.

3. Encrypted swap makes an initrd essential. As you say, the unaided kernel cannot read the encrypted swap file. Thus you need an unencrypted initrd to get dm-crypt running, ask you for the key phrase and so on.
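What point 3 amounts to in practice, as an added example that is not from the thread or the Gentoo wiki: a minimal busybox-style initramfs /init that opens the encrypted swap first, then hands the mapped device to the kernel's resume interface, and only falls through to a normal boot if no hibernation image is found. It assumes a LUKS-formatted swap on /dev/hda2 mapped as crypt-swap (the random-key swap in the dmcrypt config above can never be resumed from, because its key is regenerated on every boot), an unencrypted root on /dev/hda1, and an empty /newroot directory inside the initramfs image; all device names are placeholders.

```sh
#!/bin/sh
# Minimal initramfs /init for resuming from an encrypted swap partition.
# Constructed example. Assumptions (placeholders, adjust to the real layout):
#   - swap on /dev/hda2 is LUKS-formatted and mapped as crypt-swap
#   - the unencrypted root filesystem is /dev/hda1
#   - busybox provides mount, stat, mdev and switch_root in the image

# Print the value of key=value from a kernel command line string.
cmdline_value() {  # $1 = key, $2 = command line text
    for word in $2; do
        case "$word" in
            "$1"=*) printf '%s\n' "${word#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Convert the hex major/minor printed by 'stat -c "%t %T"' into the
# decimal "major:minor" form that /sys/power/resume expects.
hex_to_devnum() {  # $1 = hex major, $2 = hex minor
    printf '%s:%s\n' "$((0x$1))" "$((0x$2))"
}

# Open the encrypted swap: the passphrase prompt happens here, before the
# kernel has had any chance to look for a hibernation image.
open_swap() {  # $1 = underlying device, $2 = mapping name
    cryptsetup luksOpen "$1" "$2"
}

# Ask the kernel to restore the image from the mapped device. If no image
# is present the write fails and the script continues with a normal boot.
try_resume() {  # $1 = /dev/mapper/<name>
    devnum=$(hex_to_devnum $(stat -L -c '%t %T' "$1"))
    echo "$devnum" > /sys/power/resume 2>/dev/null || true
}

init_main() {
    mount -t proc proc /proc
    mount -t sysfs sysfs /sys
    mdev -s                                  # populate /dev (pre-devtmpfs kernels)
    cmdline=$(cat /proc/cmdline)
    swap_dev=$(cmdline_value resume "$cmdline") || swap_dev=/dev/hda2
    open_swap "$swap_dev" crypt-swap
    try_resume /dev/mapper/crypt-swap        # returns only when there is no image
    mount -o ro /dev/hda1 /newroot           # /newroot must exist in the image
    umount /sys /proc
    exec switch_root /newroot /sbin/init
}

# Only act as init when really running as PID 1 (lets the functions be sourced).
if [ "$$" -eq 1 ]; then init_main; fi
```

Because the kernel receives the resume device only after cryptsetup has mapped it, the `resume=` entry in grub.conf can name the raw partition (/dev/hda2) and the script still resumes from /dev/mapper/crypt-swap.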

----------

## ippo

*NeddySeagoon wrote:*

> ...
> 1. make friends with wgetpaste...

OK, done.

*NeddySeagoon wrote:*

> 2. you will have problems updating udev sometime soon. All your /dev/hd* nodes will vanish. You need to update to libata

OK, done.

Thanks a lot.

*NeddySeagoon wrote:*

> 3. encryped swap makes an initrd essential. ...

OK, I'll try.

Still not working; I have no idea how to do it. I tried this way: http://en.gentoo-wiki.com/wiki/Initramfs

The Gentoo wiki is too complicated for me; there are tons of scripts to encrypt everything but I want to encrypt only swap... (/tmp and /home work).

----------

