My old SSD kept going into read-only mode, so I've replaced it, and am in the process of installing Mint 20 on it.
Luckily, I kept /home on an entirely separate drive. But, perhaps less luckily, this means that I've had to choose the 'something else' option in the installer.
My old setup had an unencrypted /boot, an encrypted root, an encrypted /home on the separate drive, and an encrypted swap partition. But I'm not sure if it ever actually used the encrypted swap partition. It did ask me for the encryption passphrase whenever I rebooted, but hibernation never worked correctly. It was a Mint 19 system, and I read that Mint 19 uses a swap file if there isn't a swap partition. I presume this is also the case in Mint 20.
Question: What is the correct way to get an encrypted swap partition working, when installing Mint 20? I've booted off a USB stick and used the Disks utility to create the partitions, unlocked the encrypted ones, and assigned their respective mount points in the installer. But Disks won't unlock the swap partition; it tells me the passphrase is wrong, even though it doesn't actually ask me what the passphrase is. And then the installer says it's going to format the swap partition, saying nothing about encryption, so it looks like it's not going to do what I want.
For now, I'm going to install Mint 20 without the swap partition, because I'd rather it use a swap file than have it potentially copy RAM to disc in the clear. If anybody can tell me how to set up an encrypted swap partition after installation, that would be great. Otherwise, let me know if I did anything wrong during installation.
Thanks!
PARTIALLY SOLVED: How to set up an encrypted swap partition in Mint 20?
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 2 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Re: How to set up an encrypted swap partition in Mint 20?
Does it have to be a partition?
Read this https://wiki.archlinux.org/title/Dm-cry ... encryption
You don't need the offset and the small file system to hold the partition label if you use a swap file. With a swap file directly under root:
Add the following to your /etc/crypttab

    #<name> <device> <password> <options>
    swap /swapfile /dev/urandom swap,cipher=aes-xts-plain64,size=256

Edit your /etc/fstab
Add this:

    /dev/mapper/swap none swap sw 0 0

Reboot. It takes a while, but your swap file is now being encrypted with AES encryption with a pseudo-random password.
Edit: If the installer created the swap file for you, you will also have to edit or comment out the line of your fstab referring to your swap file. Please note that I only answered the question asked.
If you need sudo to edit it, back it up first. If I tell you to edit something with sudo and forgot to tell you to back it up, back it up anyway. sudo cp backup or cat > backup.txt.
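
Added example, not part of the thread or written by any of its posters: a small shell audit of the crypttab/fstab setup described in the post above. It classifies each active swap line in an fstab, flagging mappings that are re-keyed from /dev/urandom (or re-formatted by the `swap` option) on every boot and therefore cannot hold a hibernation image across a restart, and flagging swap lines that bypass encryption. The function name `audit_swap` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: classify every active swap line in an
# fstab by looking its device up in a crypttab.
#   encrypted-ephemeral   key from /dev/(u)random or "swap" option: re-keyed or
#                         re-formatted each boot, so no resume from hibernation
#   encrypted-persistent  fixed key or passphrase
#   plaintext             plain path (swap file or partition) with no mapping
#   unresolved            UUID=/LABEL= or another mapper name; check with lsblk
# audit_swap is a hypothetical helper name.
audit_swap() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        FILENAME == ARGV[1] {                    # crypttab: name device key opts
            eph = ($3 ~ /^\/dev\/u?random$/ || ("," $4 ",") ~ /,swap,/)
            kind["/dev/mapper/" $1] = eph ? "encrypted-ephemeral" : "encrypted-persistent"
            next
        }
        $3 != "swap" { next }                    # fstab: swap entries only
        ($1 in kind) { print $1, kind[$1]; next }
        $1 ~ /^(UUID|LABEL|PARTUUID|PARTLABEL)=|^\/dev\/mapper\// {
            print $1, "unresolved"; next
        }
        { print $1, "plaintext" }
    ' "${1:-/etc/crypttab}" "${2:-/etc/fstab}"
}

# Constructed sample: the post's random-key swap file, plus the installer's
# original swap-file line left active in fstab by mistake.
demo_dir=$(mktemp -d)
cat > "$demo_dir/crypttab" <<'EOF'
#<name> <device> <password> <options>
swap /swapfile /dev/urandom swap,cipher=aes-xts-plain64,size=256
EOF
cat > "$demo_dir/fstab" <<'EOF'
/dev/mapper/swap none swap sw 0 0
/swapfile        none swap sw 0 0
EOF
audit_swap "$demo_dir/crypttab" "$demo_dir/fstab"
rm -rf "$demo_dir"
```

Run with no arguments, `audit_swap` reads /etc/crypttab and /etc/fstab on the installed system.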
Re: How to set up an encrypted swap partition in Mint 20?
I can't think why you would want an encrypted swap. I can't see it serving any purpose.
If I have helped you solve a problem, please add [SOLVED] to your first post title, it helps other users looking for help.
Regards,
Deepak
Mint 21.1 Cinnamon 64 bit with AMD A6 / 8GB
Mint 21.1 Cinnamon AMD Ryzen3500U/8gb
Re: How to set up an encrypted swap partition in Mint 20?
deepakdeshp wrote: Mon Sep 13, 2021 1:56 pm
> I can't think why you would want an encrypted swap. I can't see it serving any purpose.

It might be a hedge when the system is hibernated, but that's just speculation on my part.
Re: How to set up an encrypted swap partition in Mint 20?
Complete encryption of data partitions makes recovery very difficult when the time comes. You need to be an expert to do that. Instead, think of using VeraCrypt.
Re: How to set up an encrypted swap partition in Mint 20?
deepakdeshp wrote: Mon Sep 13, 2021 1:56 pm
> I can't think why you would want an encrypted swap. I can't see it serving any purpose.

I did it because VeraCrypt was the only thing that ever seems to write to swap on my computer. The slow boot time is not a particularly high price to pay to be sure that whatever is written to swap goes away when I turn my computer off. Then again, I am using a hard drive, not a solid state drive. So, I don't really have a reason to wonder how much writing to disk my computer does during that time. I think it runs mkswap.
Re: How to set up an encrypted swap partition in Mint 20?
deepakdeshp wrote: Mon Sep 13, 2021 1:56 pm
> I can't think why you would want an encrypted swap. I can't see it serving any purpose.

Maybe you know more than me, but I'm pretty sure that, upon hibernation, the contents of RAM get written to the swap partition. I assume it gets written in the clear, so that if my laptop gets nicked while it's hibernated, it makes the RAM contents vulnerable. That may include keys for repos, active remote DB sessions, etc. It's unlikely that I'm an espionage target, but I've signed contracts with my clients to protect their IP, and this seems a pretty basic step in honouring that agreement.
Re: How to set up an encrypted swap partition in Mint 20?
MikZ wrote: Sun Sep 19, 2021 4:27 pm
> Maybe you know more than me, but I'm pretty sure that, upon hibernation, the contents of RAM get written to the swap partition. I assume it gets written in the clear, so that if my laptop gets nicked while it's hibernated, it makes the RAM contents vulnerable. That may include keys for repos, active remote DB sessions, etc. It's unlikely that I'm an espionage target, but I've signed contracts with my clients to protect their IP, and this seems a pretty basic step in honouring that agreement.

Did you ever figure this out? It looks like you would need one of the more complex options to support suspend to disk.
The very obvious operational security solution is to turn off the computer when you are not actively using it. Especially if it is a laptop that you are walking around carrying.
Re: How to set up an encrypted swap partition in Mint 20?
jjp2145-oldtimer wrote: Tue Sep 21, 2021 11:31 am
> Did you ever figure this out? It looks like you would need one of the more complex options to support suspend to disk.

Partial Solution
I still haven't got hibernation working under Mint 20, but I do have an encrypted swap partition now. I can't exactly remember the details; I might've ended up using GParted.
But once the partition was there, Mint's Disks utility made it pretty easy to get the options right: Click the LUKS partition and Edit Partition Options…, turn off User Session Defaults and tick Unlock at system startup. Then click the swap partition under it, select Edit Mount Options…, turn off User Session Defaults and make sure Mount at system startup is ticked. The Filesystem Type, of course, should be swap.
Now, when I type free at the command line, the free swap space matches the size of the partition, so it seems that's all working correctly.
So now I just need to get hibernation working again. I've had hibernation working correctly under earlier versions of Mint, but I think that was before I was using LUKS.

jjp2145-oldtimer wrote: Tue Sep 21, 2021 11:31 am
> The very obvious operational security solution is to turn off the computer when you are not actively using it. Especially if it is a laptop that you are walking around carrying.

Well, yeah, but even more obviously, that's not a very satisfactory solution. It's a Linux system, not Windows; I only expect to have to boot it two or three times per year. I don't want to have to enter the encryption keys, restart all my applications, and rearrange all my windows, each time I open my laptop. I typically open and close my laptop twice each way along my commute, so that's 20 or 30 minutes each day that I couldn't bill for, if I did that. At the moment, I just sleep/suspend my system, keep it plugged in overnight, and keep my batteries as healthy as I can. But hibernation is nice for when I have to swap out batteries during international flights and the like, or if I get stuck on an old train that doesn't have power in the seats.
Thanks.