Encrypting swap
Konstantin Svist
fry.kun at gmail.com
Thu May 3 20:04:36 UTC 2012
On 05/03/2012 12:52 PM, Konstantin Svist wrote:
> On 05/03/2012 12:04 PM, Heinz Diehl wrote:
>> On 03.05.2012, Konstantin Svist wrote:
>>
>>> Problem is, I can't seem to find a way to encrypt the swap so that it
>>> would be usable for hibernation.
>> Have you looked at "luksSuspend" and "luksResume"?
>
> I've only seen them as cryptsetup options.. I'll google for those..
>
>
>>> I'm not sure if the "same key" problem exists in Fedora 16, I've tried
>>> setting it up this way and I'm able to boot but not resume.
>> Simply, you can't suspend the device which contains the cryptsetup
>> binary.
>
> That's silly. Grub loads initramfs from an unencrypted /boot
> partition; initramfs knows about encryption and is able to mount root
> after I enter my key. There should be no technical reason why it can't
> mount the swap with the same key immediately after and tell kernel to
> resume from the now-available swap.
>
I see now - what you said applies to luksSuspend/luksResume. I'm
guessing it should probably reside on /boot or inside initramfs for that
reason...
From what I can tell, these commands work for an encrypted separate
partition, e.g. /home, probably not so much for the whole disk. And/or
they should generally be called by other tools, abstracted from the user.