[dm-crypt] Encrypting swap

[dm-crypt] Encrypting swap

[Konstantin Svist]

Hi,

I'm setting up Fedora 16 i686 with [luks] encrypted root on a laptop.

Problem is, I can't seem to find a way to encrypt the swap so that it 
would be usable for hibernation.

* Simple setup for encrypting swap uses a random key generated on each 
boot, so resuming doesn't work.
* Using the same key for swap & root is not recommended because some 
tool caches the password, making the whole thing meaningless [1]
* Using a swap file doesn't work because btrfs is Copy-On-Write, so the 
filesystem may get messed up by hibernate/resume process.

I'm not sure if the "same key" problem exists in Fedora 16, I've tried 
setting it up this way and I'm able to boot but not resume.

Any help appreciated!



[1] 
https://wiki.archlinux.org/index.php/Talk:System_Encryption_with_LUKS_for_dm-crypt#Suspend_to_disk_instructions_are_insecure 

Re: [dm-crypt] Encrypting swap

[Milan Broz]

On 05/10/2012 09:50 PM, Konstantin Svist wrote:
> I'm setting up Fedora 16 i686 with [luks] encrypted root on a laptop.
> 
> Problem is, I can't seem to find a way to encrypt the swap so that it 
> would be usable for hibernation.
> 
> * Simple setup for encrypting swap uses a random key generated on each 
> boot, so resuming doesn't work.

Yes, you cannot use this for hibernation.

But default encrypted Fedora installation uses LUKS, which is suitable
for hibernation. (In fact it encrypts LVM PV, where both root and swap resides.)

> * Using the same key for swap & root is not recommended because some 
> tool caches the password, making the whole thing meaningless [1]

Completely different problem. Fedora init ramdisk will ask for password,
then resumes from hibernation. No passphrase is stored on disk...

Take F16 install DVD, check "encrypt system" in the first screen for
new installation.
That's all you need to make it work.

Milan