luks encrypted swap with key and passphrase

Post by zje » Tue Aug 18, 2009 5:54 pm

I have my entire / partition encrypted (as per management requirement) and I also want to add an encrypted swap partition. This is on a laptop (Dell E6500).
I would like to have the encrypted swap partition use a keyfile and a passphrase, so that swap will automatically be activated at boot via keyfile and need a phrase at resume.

To do so, I created a random key:

Code:

mint mapper # dd if=/dev/urandom of=/root/swapkey count=512



and then enabled that for the device:

Code:

mint ~ # cryptsetup luksFormat /dev/sda7 /root/swapkey


and then added my swap passphrase:

Code:

mint ~ # cryptsetup luksAddKey /dev/sda7 --key-file /root/swapkey --key-slot 1


I then tried opening it with both methods:

Code:

mint mapper # cryptsetup luksOpen --key-file /root/swapkey /dev/sda7 cswap
key slot 0 unlocked.
Command successful.
mint mapper # cryptsetup luksOpen /dev/sda7 cswap
Enter LUKS passphrase:
key slot 1 unlocked.
Command successful.


I then made the swap partition and enabled it:

Code:

mint mapper # mkswap /dev/mapper/cswap
mint mapper # swapon /dev/mapper/cswap
mint mapper # swapon -s
Filename                                Type            Size    Used    Priority
/dev/mapper/cswap                       partition       9421564 0       -1


Next, I enabled resume in the initrd:

Code:

RESUME=/dev/mapper/cswap


and updated my initrd:

Code:

mint mapper # update-initramfs -u
update-initramfs: Generating /boot/initrd.img-2.6.28-11-generic
cryptsetup: WARNING: target cswap uses a key file, skipped


I then tried editing my /etc/crypttab so that it knows my partition has both a keyfile AND a passphrase:

Code:

cswap           /dev/sda7               none,/root/swapkey      luks


Any thoughts?
I was thinking of adding resume=/dev/mapper/cswap to my grub.conf, but I figured that probably wouldn't take...

Thanks!
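
Added example (not part of the original post, and not code from cryptsetup): a small bash linter for the crypttab line and RESUME setting shown in the post above. It assumes the Debian/Ubuntu crypttab layout of four whitespace-separated fields (target, source device, key file, options) with a single key-file value, and assumes an entry carrying a `keyscript=` option is not skipped by the initramfs hook; the function name `lint_crypttab`, the `cswap2` entry and `/dev/sda8` are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: lint crypttab text on stdin for the two problems in this thread.
# Usage: lint_crypttab [RESUME value] < crypttab
lint_crypttab() {
    local arg="${1:-}"
    # Accept either "cswap" or the RESUME= form "/dev/mapper/cswap".
    local resume_target="${arg#/dev/mapper/}"
    local name dev key opts rest
    while read -r name dev key opts rest; do
        case "$name" in ''|'#'*) continue ;; esac   # skip blank and comment lines
        if [ -z "$key" ]; then
            echo "$name: no key field (expected one path or 'none')"
            continue
        fi
        # The key field holds one value; a comma list such as
        # "none,/root/swapkey" is read as a single (nonexistent) path.
        case "$key" in
            *,*) echo "$name: key field '$key' is not a single value (one path or 'none')" ;;
        esac
        # The resume device must be unlockable inside the initramfs. The hook
        # output in the post ("uses a key file, skipped") shows a plain key
        # file entry is left out. Assumption: keyscript= entries are kept.
        if [ "$key" != "none" ] && [ "$name" = "$resume_target" ]; then
            case ",$opts," in
                *,keyscript=*) ;;
                *) echo "$name: resume target uses a key file, initramfs hook will skip it" ;;
            esac
        fi
    done
}

# Constructed sample: the entry from the post, then a passphrase-only entry.
lint_crypttab /dev/mapper/cswap <<'EOF'
# <target> <source device> <key file> <options>
cswap   /dev/sda7   none,/root/swapkey   luks
cswap2  /dev/sda8   none                 luks
EOF
```

The sample run reports both findings for `cswap` and nothing for the passphrase-only entry.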

Re: luks encrypted swap with key and passphrase

Post by DrHu » Wed Aug 19, 2009 12:12 am

zje wrote: I have my entire / partition encrypted (as per management requirement) and I also want to add an encrypted swap partition.
--swap might never even be used if you have enough RAM (memory) free..
Well, as long as it is a requirement
https://help.ubuntu.com/community/Encry ... stemHowto8

http://en.wikipedia.org/wiki/Comparison ... n_software
http://wiki.archlinux.org/index.php/Sys ... r_dm-crypt
Only the usual notion, that encrypting the whole partition isn't really necessary
--in that the only valuable data is your own /home directory; encrypting that will protect you well enough

There is truecrypt and other methods available to help you manage that..

Re: luks encrypted swap with key and passphrase

Post by zje » Wed Aug 19, 2009 2:01 am

Thanks for the response!

The only thing I use for swap is to hibernate, so for me, encrypting it would seem wise.
I realize that it's unnecessary to encrypt all of /, but it is becoming standard business practice for our company.

I'm just looking for a way to use both the key file and passphrase for my swap in that I am prompted for a passphrase on resume and the keyfile is used at boot (so no passphrase is necessary since / is unlocked).

