Hibernation with encrypted swap
23rd February 2008, 03:59 AM
Has anyone found a way to hibernate with an encrypted swap partition?
I've tried several approaches, but in each case Fedora 8 reboots rather than thaws after suspending to an encrypted swap partition.
I found an Ubuntu howto claiming to set this up, but it doesn't translate exactly. The idea is to create a luks encrypted swap and get the "thaw" routine to prompt for the passphrase. I tried adding a script to /etc/pm/sleep.d to run
"cryptsetup luksOpen ...", but it seems the unhibernating process doesn't get there before rebooting.
My /home and /tmp directories are encrypted, but / is not.
Thanks for any help, or just advice that this really is hopeless!
PS: Here is a link to that Ubuntu purported howto:
6th March 2008, 05:21 AM
I have my swap and /home partitions Luks encrypted and my /tmp partition encrypted with /dev/random. At boot---maybe once a month---I'm prompted first for the swap password, then for the /home password. Hibernation works as usual (with Fedora 8 in my experience that is absolutely perfectly). Early in the "thaw" process, I'm prompted for the swap partition password.
My admittedly superficial understanding is that whenever you suspend to disk, aka hibernate, without encryption the image is written in such a way that someone expert in nefarious matters can easily extract the passphrases for encrypted partitions, ssh (as maintained by your ssh-agent), mail accounts, and whatever else might have been open when you suspended. Unless it's been overwritten by swapping in the meantime, this information remains in the swap partition when you shut down.
There are several relevant bugs on the redhat bugzilla. What I did, and detail below, uses the improved mkinitrd-6.0.19-5.fc8 referenced in https://bugzilla.redhat.com/show_bug.cgi?id=124789#c118.
Another approach, which I haven't tried, I understand, works with the mkinitrd-6.0.19-4.fc8 that ships with Fedora 8. There is a patch to make this work better in https://bugzilla.redhat.com/show_bug.cgi?id=434656.
My understanding from browsing bugzilla is that Fedora 9 will have a swap encryption feature that prompts for a throw-away password when you go into hibernation, then requires that password to thaw. As Joe EndUser, the setup that I'm describing here seems more convenient. I almost never reboot, but hibernate and suspend to ram all of the time.
Download and install the source rpm mkinitrd-6.0.19-5.fc8.src.rpm from
http://fedorapeople.org/~timn/crypto_root/. I needed the i686 version for my laptop. I believe there is a binary rpm for x86_64 among Tim Niemueller's files at this site.
Make your swap partition Luks encrypted and make the relevant entries in /etc/crypttab and /etc/fstab
Save your current initrd kernel image and create a new one that is aware of your encrypted swap partition.
In more detail:
Set up to build rpms
#yum install rpm-build mock
I needed the following packages to compile and build the rpm. You may need more if you haven't compiled things from source before. If you get errors when you build the rpm later, just look at what's missing and use "yum provides ..." to figure out how to get it.
#yum install e2fsprogs-devel parted-devel libdhcp4client-devel libdhcp6client-devel libdhcp-devel device-mapper-devel python-devel
In your home directory as an ordinary user, configure for building rpms:
$echo '%_topdir %(echo $HOME)/rpmbuild' > .rpmmacros
Download the source rpm
Download mkinitrd-6.0.19-5.fc8.src.rpm from
Then as root run
#rpm -ivh mkinitrd*src.rpm
This puts the source packages in /usr/src/redhat.
As an ordinary user, copy the source files into the working directory:
$cp -a /usr/src/redhat/* rpmbuild
As an ordinary user, cd into your rpmbuild directory and run the following command. Replace "--target=i686" with your architecture, if it's not what you need. (See "man rpmbuild" for all the details.)
$rpmbuild -ba --target=i686 ~/rpmbuild/SPECS/mkinitrd.spec
If everything goes well, you'll get some warnings but no errors, and several shiny new rpms in ~/rpmbuild/RPMS/i686. To install, become root, cd into that directory and run
#rpm -e mkinitrd-6.0.19-4.fc8
#rpm --force -Uvh mkinitrd-6.0.19-5.fc8.i686.rpm nash-6.0.19-5.fc8.i686.rpm
Though the above process creates other rpms, I've installed just these two on two computers successfully.
Set up encrypted swap
Kill gdm with "Ctrl-Alt-Backspace" and go to a text tty with "Ctrl-Alt-F1". Log in as root.
If you accepted the Fedora 8 installation default, your swap partition is /dev/VolGroup00/LogVol01. Check with "cat /proc/swaps" to be sure.
Then turn off swapping:
Create a luks partition:
# cryptsetup --verbose --verify-passphrase luksFormat /dev/VolGroup00/LogVol01
#cryptsetup luksOpen /dev/VolGroup00/LogVol01 swap0
If everything has gone right, it should appear as "/dev/mapper/swap0":
Now format it for swapping:
Add an entry in /etc/crypttab for it. If you haven't encrypted other partitions, you will have to create this file, rather than just add a line to it.
swap0 /dev/VolGroup00/LogVol01 none swap
Comment out the current swap partition entry in /etc/fstab and add the line
/dev/mapper/swap0 swap swap defaults 0 0
Turn your newly encrypted swapping on:
Create a new kernel initrd image
This is the scary part. Just in case something goes wrong, be sure to have an installation or rescue disk handy.
I'm running the 32bit kernel 2.6.23-15.137.fc8 on my laptop. Check "uname -r" for the kernel you are running and use that in place of "2.6.23-15.137.fc8." in these instructions.
Still as root on tty1:
#mv initrd-2.6.23-15.137.fc8.img initrd-2.6.23-15.137.fc8.img.save
#mkinitrd --fstab=/etc/fstab initrd-2.6.23-15.137.fc8.img 2.6.23-15.137.fc8
I've done this on two computers and had no trouble at all, but if rebooting fails, boot using your rescue disk to replace the new initrd image you've just created with the "initrd...img.save" you saved. Beware (or be glad, as the case may be) that when you install a new kernel, it will use your new mkinitrd.
Finally, take a deep breath and
If everything goes well, the first prompt you get for a Luks passphrase is for the swap partition.
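A worked check for the "Set up encrypted swap" steps in the post above, as an added example (this is not the poster's code and not part of Fedora's tooling). The helpers are plain POSIX sh and awk and operate only on text passed to them, so they can be tried offline: they produce the crypttab and fstab lines, comment out the raw-device swap entry in an fstab, and report any active swap that is not backed by a crypttab target. The device names (/dev/VolGroup00/LogVol01, swap0) are the post's Fedora 8 defaults; the function names are mine, and the sample /proc/swaps and dmsetup table lines used below are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example: helpers for the encrypted-swap setup described above.
# All functions work on text (stdin/arguments), so they can be exercised
# offline; the real cryptsetup/mkswap/swapon/mkinitrd steps are not run here.
# Device names follow the post's Fedora 8 defaults; sample inputs are constructed.

# /etc/crypttab entry for a LUKS swap volume: <name> <device> <keyfile> <options>.
# Usage: crypttab_line swap0 /dev/VolGroup00/LogVol01
crypttab_line() {
    printf '%s %s none swap\n' "$1" "$2"
}

# /etc/fstab entry that swaps on the mapped (decrypted) device, never the raw one.
# Usage: fstab_swap_line swap0
fstab_swap_line() {
    printf '/dev/mapper/%s swap swap defaults 0 0\n' "$1"
}

# Rewrite an fstab read from stdin: comment out the swap entry that points at
# the raw device (leaving it active would keep plaintext swap alongside the
# encrypted one) and append the /dev/mapper entry.
# Usage: rewrite_fstab swap0 /dev/VolGroup00/LogVol01 < /etc/fstab > fstab.new
rewrite_fstab() {
    awk -v raw="$2" -v name="$1" '
        $1 == raw && $3 == "swap" { print "#" $0; next }
        { print }
        END { print "/dev/mapper/" name " swap swap defaults 0 0" }
    '
}

# List active swaps (from /proc/swaps-format text on stdin) whose mapper name
# is not declared as a crypttab target. Any output means a hibernation image
# would be written to an unencrypted device. A /dev/mapper/ path alone proves
# nothing: plain LVM volumes live there too (the stock F8 swap shows up as
# /dev/mapper/VolGroup00-LogVol01), which is why crypttab names are matched.
# Usage: unencrypted_swaps /etc/crypttab < /proc/swaps
unencrypted_swaps() {
    awk -v ctab="$1" '
        BEGIN {
            while ((getline line < ctab) > 0) {
                split(line, f)
                if (f[1] != "" && f[1] !~ /^#/) enc[f[1]] = 1
            }
            close(ctab)
        }
        NR > 1 {                        # skip the "Filename Type Size ..." header
            n = $1; sub(/.*\//, "", n)  # basename of the device path
            if (!(n in enc)) print $1
        }'
}

# Definitive live check: "dmsetup table <name>" prints "<start> <len> <target> ..."
# and the target of a LUKS mapping is "crypt". Feed that line on stdin.
# Usage: dmsetup table swap0 | is_crypt_target && echo "swap0 is dm-crypt"
is_crypt_target() {
    awk '$3 == "crypt" { ok = 1 } END { exit (ok ? 0 : 1) }'
}
```

After the change, `unencrypted_swaps /etc/crypttab < /proc/swaps` should print nothing, and `dmsetup table swap0 | is_crypt_target` should succeed; if the raw LVM device is still listed, the hibernation image lands on it in the clear regardless of what crypttab says. Opening the volume at thaw time is a separate problem, which is what the patched mkinitrd in the post addresses.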
2nd June 2008, 04:19 PM
Does this work with Fedora Core 9 now? Did anyone try this method posted above?
In the Fedora Wiki, encrypted hibernate is still marked as "should fix"...
4th June 2008, 11:21 PM
I don't know for a fact, but I think in Fedora 9 all you need to do is the part "Set up the encrypted swap", if you already have F9 installed.
The plan, as I understood it from bugzilla, was to fold something like the revised mkinitrd I used into the F9 script. I'd be surprised if it isn't there.
My guess is that you can set all of this up during installation. I know that in F9 one of the anaconda options in the section where you set up a custom partitioning scheme is to encrypt swap. You can also encrypt / when installing now. And there's something about setting a global passphrase, presumably for opening separate encrypted partitions with the same passphrase without typing it over and over.
I've been struggling to install F9 on an Asus eeepc (4G surf) for the past week. I tried, but there's just not enough room for a swap partition. That's why I don't know for sure.
Incidentally, F9 has a lot more problems, at least right now, than F8 did at the same point in its life.
(1) There is no NetworkManagerDispatcher. It's possible the function is still there but how to use it is undocumented.
(2) There is no gdm-setup utility to customize the login screen.
(3) Firefox 3 beta 5 freezes up every so often and is *really* hard to kill. It's difficult and unsatisfactory to try to go back to Firefox 2. Dependencies break other things.
(4) At least on the eeepc, the 126.96.36.199-18.fc9.i686 kernel hangs on shutdown some time after logging is stopped. I believe I've fixed this by removing all of the snd_* kernel modules just after all processes are halted in the /etc/init.d/halt script. I've read that snd_hda_intel is the culprit.
Good luck with whatever you try!
5th June 2008, 11:16 AM
Thanks for the info!
That seems easy enough. Still, I don't have a spare machine to try all that out and not enough space/power for a virtual installation. So I guess I'll wait till FC 9 is "really ready" and someone has tried it out...
27th June 2008, 10:02 AM
I now have installed FC 9 and I can report it works flawlessly on my Dell Inspiron 8600!
I choose "Full Disk Encryption" during install, it then used a LVM-based setup using my existing Linux partitions. It added my current Windows partition to the boot menu. Everything works fine, even hibernation! Even, waking up after hibernation requires the password BEFORE resuming as it hibernates to an encrypted swap partition within LVM. Perfect!