PARTIALLY SOLVED: How to set up an encrypted swap partition in Mint 20?

Post by MikZ »

My old SSD kept going into read-only mode, so I've replaced it, and am in the process of installing Mint 20 on it.

Luckily, I kept /home on an entirely separate drive. But, perhaps less luckily, this means that I've had to choose the 'something else' option in the installer.

My old setup had an unencrypted /boot, an encrypted root, an encrypted /home on the separate drive, and an encrypted swap partition. But I'm not sure if it ever actually used the encrypted swap partition. It did ask me for the encryption passphrase whenever I rebooted, but hibernation never worked correctly. It was a Mint 19 system, and I read that Mint 19 uses a swap file if there isn't a swap partition. I presume this is also the case in Mint 20.

Question: What is the correct way to get an encrypted swap partition working, when installing Mint 20? I've booted off a USB stick and used the Disks utility to create the partitions, unlocked the encrypted ones, and assigned their respective mount points in the installer. But Disks won't unlock the swap partition; it tells me the passphrase is wrong, even though it doesn't actually ask me what the passphrase is. And then the installer says it's going to format the swap partition, saying nothing about encryption, so it looks like it's not going to do what I want.

For now, I'm going to install Mint 20 without the swap partition, because I'd rather it use a swap file than have it potentially copy RAM to disc in the clear. If anybody can tell me how to set up an encrypted swap partition after installation, that would be great. Otherwise, let me know if I did anything wrong during installation.

Thanks!
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 2 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.

Re: How to set up an encrypted swap partition in Mint 20?

Post by jjp2145-oldtimer »

Does it have to be a partition?
Read this https://wiki.archlinux.org/title/Dm-cry ... encryption

You don't need the offset and the small file system to hold the partition label if you use a swap file. With a swap file directly under root:

Add the following to your /etc/crypttab:

Code:

#<name>	<device>	<password>	<options>
swap	/swapfile	/dev/urandom	swap,cipher=aes-xts-plain64,size=256

Edit your /etc/fstab. Add this:

Code:

/dev/mapper/swap	none	swap	sw	0	0

Reboot. It takes a while, but your swap file is now being encrypted with AES encryption with a pseudo-random password.

Edit: If the installer created the swap file for you, you will also have to edit or comment out the line of your fstab referring to your swap file. Please note that I only answered the question asked.
If you need sudo to edit it, back it up first. If I tell you to edit something with sudo and forgot to tell you to back it up, back it up anyway. sudo cp backup or cat > backup.txt.
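
To audit the result of the steps in the answer above, including the leftover installer line its edit warns about, this added example (not from the original post) reads a crypttab and an fstab and classifies every active swap entry. The function names, verdict labels and sample fstab are constructed for illustration. A key read from /dev/urandom is new on every boot, so swap set up that way cannot hold a hibernation image that survives power-off.

```shell
#!/bin/sh
# audit_swap_config CRYPTTAB FSTAB
# Prints "<fstab device> <verdict>" for every active swap line in FSTAB.
#   ephemeral-key   mapping from crypttab, key regenerated on each boot
#   persistent-key  mapping from crypttab, passphrase or key file
#   CONFLICT-...    fstab swaps directly on a device crypttab also claims
#   UNVERIFIED      not traceable through crypttab; inspect the device itself
audit_swap_config() {
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        FILENAME == ARGV[1] {                # crypttab: name, device, key, options
            key[$1] = $3; backing[$2] = $1
            next
        }
        $3 == "swap" {                       # fstab: swap entries only
            name = $1
            if (sub("^/dev/mapper/", "", name) && (name in key))
                verdict = (key[name] ~ "^/dev/u?random$") ? "ephemeral-key" : "persistent-key"
            else if ($1 in backing)
                verdict = "CONFLICT-raw-backing-device"
            else
                verdict = "UNVERIFIED"
            print $1, verdict
        }
    ' "$1" "$2"
}

# Constructed sample: the crypttab line from the answer above, plus an fstab
# that still carries an installer-style /swapfile line next to the new one.
demo_audit() {
    d=$(mktemp -d)
    printf '%s\n' '#<name> <device> <password> <options>' \
        'swap /swapfile /dev/urandom swap,cipher=aes-xts-plain64,size=256' > "$d/crypttab"
    printf '%s\n' '/dev/mapper/swap none swap sw 0 0' \
        '/swapfile none swap sw 0 0' > "$d/fstab"
    audit_swap_config "$d/crypttab" "$d/fstab"
    rm -rf "$d"
}
demo_audit
```

On a real system, run `audit_swap_config /etc/crypttab /etc/fstab`.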

Re: How to set up an encrypted swap partition in Mint 20?

Post by deepakdeshp »

I can't think why you would want an encrypted swap. I can't see it serving any purpose.
If I have helped you solve a problem, please add [SOLVED] to your first post title, it helps other users looking for help.
Regards,
Deepak

Mint 21.1 Cinnamon 64 bit with AMD A6 / 8GB
Mint 21.1 Cinnamon AMD Ryzen3500U/8gb
Re: How to set up an encrypted swap partition in Mint 20?

Post by ajgringo619 »

deepakdeshp wrote: Mon Sep 13, 2021 1:56 pm I can't think why you would want an encrypted swap. I can't see it serving any purpose.
It might be a hedge when the system is hibernated, but that's just speculation on my part.

Re: How to set up an encrypted swap partition in Mint 20?

Post by deepakdeshp »

Complete encryption of data partitions makes them very difficult to recover when the time comes. You need to be an expert to do that. Instead, think of using VeraCrypt.

Re: How to set up an encrypted swap partition in Mint 20?

Post by jjp2145-oldtimer »

deepakdeshp wrote: Mon Sep 13, 2021 1:56 pm I can't think why you would want an encrypted swap. I can't see it serving any purpose.
I did it because VeraCrypt was the only thing that ever seemed to write to swap on my computer. The slow boot time is not a particularly high price to pay to be sure that whatever is written to swap goes away when I turn my computer off. Then again, I am using a hard drive, not a solid state drive. So, I don't really have a reason to wonder how much writing to disk my computer does during that time. I think it runs mkswap.

Re: How to set up an encrypted swap partition in Mint 20?

Post by MikZ »

deepakdeshp wrote: Mon Sep 13, 2021 1:56 pm I can't think why you would want an encrypted swap. I can't see it serving any purpose.
Maybe you know more than me, but I'm pretty sure that, upon hibernation, the contents of RAM get written to the swap partition. I assume it gets written in the clear, so that if my laptop gets nicked while it's hibernated, it makes the RAM contents vulnerable. That may include keys for repos, active remote DB sessions, etc. It's unlikely that I'm an espionage target, but I've signed contracts with my clients to protect their IP, and this seems a pretty basic step in honouring that agreement.

Re: How to set up an encrypted swap partition in Mint 20?

Post by jjp2145-oldtimer »

MikZ wrote: Sun Sep 19, 2021 4:27 pm
Maybe you know more than me, but I'm pretty sure that, upon hibernation, the contents of RAM get written to the swap partition. I assume it gets written in the clear, so that if my laptop gets nicked while it's hibernated, it makes the RAM contents vulnerable. That may include keys for repos, active remote DB sessions, etc. It's unlikely that I'm an espionage target, but I've signed contracts with my clients to protect their IP, and this seems a pretty basic step in honouring that agreement.
Did you ever figure this out? It looks like you would need one of the more complex options to support suspend to disk.

The very obvious operational security solution is to turn off the computer when you are not actively using it. Especially if it is a laptop that you are walking around carrying.

Re: How to set up an encrypted swap partition in Mint 20?

Post by MikZ »

jjp2145-oldtimer wrote: Tue Sep 21, 2021 11:31 am Did you ever figure this out? It looks like you would need one of the more complex options to support suspend to disk.
Partial Solution

I still haven't got hibernation working under Mint 20, but I do have an encrypted swap partition now. I can't exactly remember the details; I might've ended up using GParted.

But once the partition was there, Mint's Disks utility made it pretty easy to get the options right: Click the LUKS partition and Edit Partition Options…, turn off User Session Defaults and tick Unlock at system startup. Then click the swap partition under it, select Edit Mount Options…, turn off User Session Defaults and make sure Mount at system startup is ticked. The Filesystem Type, of course, should be swap.

Now, when I type free at the command line, the free swap space matches the size of the partition, so it seems that's all working correctly.

So now I just need to get hibernation working again. I've had hibernation working correctly under earlier versions of Mint, but I think that was before I was using LUKS.
jjp2145-oldtimer wrote: Tue Sep 21, 2021 11:31 am The very obvious operational security solution is to turn off the computer when you are not actively using it. Especially if it is a laptop that you are walking around carrying.
Well, yeah, but even more obviously, that's not a very satisfactory solution. It's a Linux system, not Windows; I only expect to have to boot it two or three times per year. I don't want to have to enter the encryption keys, restart all my applications, and rearrange all my windows, each time I open my laptop. I typically open and close my laptop twice each way along my commute, so that's 20 or 30 minutes each day that I couldn't bill for, if I did that. At the moment, I just sleep/suspend my system, keep it plugged in overnight, and keep my batteries as healthy as I can. But hibernation is nice for when I have to swap out batteries during international flights and the like, or if I get stuck on an old train that doesn't have power in the seats.

Thanks.
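
`free` reports how much swap is active, not whether it sits on an encrypted mapping. As an added example (not part of the original post), this check reads /proc/swaps and walks sysfs to see whether each swap device is, or is stacked on, a dm-crypt mapping, relying on the `CRYPT-` prefix cryptsetup gives its device-mapper UUIDs. The function names and verdict labels are illustrative.

```shell
#!/bin/sh
# is_crypt_backed DEV [SYSFS]: succeeds if block device DEV (kernel name such
# as dm-1) is a dm-crypt mapping or is stacked on one (e.g. LVM inside LUKS).
is_crypt_backed() {
    sys=${2:-/sys}; queue=$1
    while [ -n "$queue" ]; do
        set -- $queue; dev=$1; shift; queue=$*
        node=$sys/class/block/$dev
        uuid=$(cat "$node/dm/uuid" 2>/dev/null || true)
        case $uuid in CRYPT-*) return 0 ;; esac   # cryptsetup's DM UUID prefix
        for s in "$node"/slaves/*; do             # devices underneath this one
            if [ -e "$s" ]; then queue="$queue ${s##*/}"; fi
        done
    done
    return 1
}

# check_active_swap [PROC_SWAPS] [SYSFS]: one verdict per active swap area.
# Assumes /proc/swaps lists kernel names such as /dev/dm-1 or /dev/sda3.
check_active_swap() {
    swaps=${1:-/proc/swaps}; root=${2:-/sys}
    tail -n +2 "$swaps" | while read -r path type _rest; do
        case $type in
            partition)
                if is_crypt_backed "${path##*/}" "$root"; then
                    echo "$path encrypted"
                else
                    echo "$path PLAINTEXT"
                fi ;;
            *)  # swap file: protection depends on the filesystem it lives on
                echo "$path UNKNOWN-check-underlying-filesystem" ;;
        esac
    done
}

# Report on the running system when /proc/swaps is available.
if [ -r /proc/swaps ]; then check_active_swap; fi
```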