luks encrypted swap with key and passphrase


Post by zje on Tue Aug 18, 2009 5:54 pm

I have my entire / partition encrypted (as per management requirement) and I also want to add an encrypted swap partition. This is on a laptop (dell E6500).
I would like to have the encrypted swap partition use a keyfile and a passphrase, so that swap will automatically be activated at boot via keyfile and need a phrase at resume.

To do so, I created a random key:
Code:
mint mapper # dd if=/dev/urandom of=/root/swapkey count=512



and then enabled that for the device:
Code:
mint ~ # cryptsetup luksFormat /dev/sda7 /root/swapkey


and then added my swap passphrase:
Code:
mint ~ # cryptsetup luksAddKey /dev/sda7 --key-file /root/swapkey --key-slot 1


I then tried opening it with both methods:
Code:
mint mapper # cryptsetup luksOpen --key-file /root/swapkey /dev/sda7 cswap
key slot 0 unlocked.
Command successful.
mint mapper # cryptsetup luksOpen /dev/sda7 cswap
Enter LUKS passphrase:
key slot 1 unlocked.
Command successful.


I then made the swap partition and enabled it:
Code:
mint mapper # mkswap /dev/mapper/cswap
mint mapper # swapon /dev/mapper/cswap
mint mapper # swapon -s
Filename                                Type            Size    Used    Priority
/dev/mapper/cswap                       partition       9421564 0       -1


Next, I enabled resume in the initrd:
Code:
RESUME=/dev/mapper/cswap


and updated my initrd:
Code:
mint mapper # update-initramfs -u
update-initramfs: Generating /boot/initrd.img-2.6.28-11-generic
cryptsetup: WARNING: target cswap uses a key file, skipped


I then tried editing my /etc/crypttab so that it knows my partition has both a keyfile AND a passphrase:
Code:
cswap           /dev/sda7               none,/root/swapkey      luks


Any thoughts?
I was thinking of adding resume=/dev/mapper/cswap to my grub.conf, but I figured that probably wouldn't take...

Thanks!
zje
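
Added example, not part of the original post: a small shell checker for the key field of crypttab entries like the one above, flagging a malformed value and a key-file target that is also the resume device (the case behind the update-initramfs warning quoted in the post). It assumes the four-column crypttab(5) layout with a single value in the third column; the function names and status strings are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): classify crypttab key fields.
# Assumes the four-column layout: <target> <device> <key file> <options>.

# classify_key FIELD: prints passphrase, keyfile or invalid.
classify_key() {
    case "$1" in
        none) echo passphrase ;;   # prompt for a passphrase at unlock
        *,*)  echo invalid ;;      # the field takes one value, not a list
        /*)   echo keyfile ;;      # absolute path to a key file
        *)    echo invalid ;;
    esac
}

# check_crypttab RESUME_DEV: reads crypttab text on stdin and prints
# "<target>:<kind>:<status>" for every entry.
check_crypttab() {
    resume_target=${1#/dev/mapper/}
    while read -r name dev key opts; do
        case "$name" in ''|'#'*) continue ;; esac   # blank or comment
        kind=$(classify_key "$key")
        status=ok
        if [ "$kind" = invalid ]; then
            status=bad-key-field
        elif [ "$kind" = keyfile ] && [ "$name" = "$resume_target" ]; then
            # Matches the update-initramfs warning quoted in the post:
            # key-file targets are skipped when the initramfs is built.
            status=resume-target-skipped-by-initramfs
        fi
        echo "$name:$kind:$status"
    done
}

# Constructed sample: three alternative key fields for the same target.
demo() {
    for key in none,/root/swapkey /root/swapkey none; do
        printf 'cswap\t/dev/sda7\t%s\tluks\n' "$key" |
            check_crypttab /dev/mapper/cswap
    done
}

demo
```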

Re: luks encrypted swap with key and passphrase

Post by DrHu on Wed Aug 19, 2009 12:12 am

zje wrote: I have my entire / partition encrypted (as per management requirement) and I also want to add an encrypted swap partition.
--swap might never even be used if you have enough RAM (memory) free..
Well, as long as it is a requirement
https://help.ubuntu.com/community/Encry ... stemHowto8

http://en.wikipedia.org/wiki/Comparison ... n_software
http://wiki.archlinux.org/index.php/Sys ... r_dm-crypt
Only the usual notion, that encrypting the whole partition isn't really necessary
--in that the only valuable data is your own /home directory; encrypting that will protect you well enough

There is truecrypt and other methods available to help you manage that..
DrHu

Re: luks encrypted swap with key and passphrase

Post by zje on Wed Aug 19, 2009 2:01 am

Thanks for the response!

The only thing I use for swap is to hibernate, so for me, encrypting it would seem wise.
I realize that it's unnecessary to encrypt all of /, but it is becoming standard business practice for our company.

I'm just looking for a way to use both the key file and passphrase for my swap in that I am prompted for a passphrase on resume and the keyfile is used at boot (so no passphrase is necessary since / is unlocked)
zje