
10th August 2011, 10:40 AM
[SOLVED] Encrypting the swap partition while /dev/path constantly changes ...
Hallo,
I would like to encrypt my swap partition ...
During installation, I tried to select the "encrypt partition" choice, but it needed a passphrase.
After installation, I tried to encrypt my partition ... I followed this article:
http://tredosoft.com/encrypt_home_directory_fedora_9
I just could not ...
The problem is that my swap partition always changes its path ...
When I first booted the system, it was /dev/sda10, next it became /dev/sdc10, now it is /dev/sdb10. This is probably the reason why in fstab all entries are according to UUID.
However, the swap partition is not fond of UUIDs!
I tried to mkswap /dev/<current swap partition> -L Swap, I received a UUID, put it in /etc/crypttab ... it worked for the first time ... but the second time ... did not.
Is there a way to do it? I would appreciate your help!
Kind regards,
tntrush
Last edited by tntrush; 11th August 2011 at 02:21 PM.

10th August 2011, 10:48 AM
Re: Encrypting the swap partition while /dev/path constantly changes ...
Howdy,
You should read the swapon man page. For some odd reason, that is the one with all the swap information.
Cheers,
F

10th August 2011, 10:55 AM
Re: Encrypting the swap partition while /dev/path constantly changes ...
Just as a hint, if it needs a passphrase, it's already encrypted.
If you've chosen to encrypt the complete harddisk, the swap is encrypted as well, as the containing volume is.

10th August 2011, 02:05 PM
Re: Encrypting the swap partition while /dev/path constantly changes ...
Thanx for the prompt replies.
The issue is that I want to encrypt only the swap and in the /etc/crypttab file I cannot enter the /dev/path because it constantly changes and I cannot also enter the UUID number because the encrypted swap partition does not have one ...
Code:
cat /etc/crypttab
swap <how can I specify the drive?> /dev/urandom swap
Kind regards,
tntrush

10th August 2011, 04:24 PM
Re: Encrypting the swap partition while /dev/path constantly changes ...
You can also use the label in /proc/partitions (cat /proc/partitions).
Read the swapon man page.
E.g. /dev/dm-1
Last edited by flyingfsck; 10th August 2011 at 04:26 PM.

10th August 2011, 07:49 PM
Re: Encrypting the swap partition while /dev/path constantly changes ...
Code:
cat /proc/partitions
major minor #blocks name
8 0 244198584 sda
8 1 120456 sda1
8 2 67954950 sda2
8 4 1 sda4
8 5 9775521 sda5
8 6 17583111 sda6
8 7 83080116 sda7
8 8 5229126 sda8
8 9 5120000 sda9
8 10 4096000 sda10
8 11 20480000 sda11
8 12 30751744 sda12
8 32 976762584 sdc
8 33 471869181 sdc1
8 34 504890820 sdc2
8 48 244198584 sdd
8 49 209720511 sdd1
8 50 34475490 sdd2
8 64 488386584 sde
8 65 209720511 sde1
8 66 208684350 sde2
8 67 69979140 sde3
8 80 58615704 sdf
8 81 58612736 sdf1
This does not mention anything different than my existing partitions. It happens now and the swap is sda10. It will change after I reboot, for example it was sdb10 last time I booted.
How did you encrypt your swap partition?
Kind regards,
tntrush

11th August 2011, 02:19 PM
Re: Encrypting the swap partition while /dev/path constantly changes ...
Quote:
Originally Posted by tntrush
Code:
cat /etc/crypttab
swap <how can I specify the drive?> /dev/urandom swap
Kind regards,
tntrush
|
Code:
cat /etc/crypttab
swap /dev/disk/by-id/<drive-id> /dev/urandom swap
Kind regards,
tntrush

12th August 2011, 05:41 AM
Re: Encrypting the swap partition while /dev/path constantly changes ...
Quote:
Originally Posted by tntrush
Thanx for the prompt replies.
The issue is that I want to encrypt only the swap and in the /etc/crypttab file I cannot enter the /dev/path because it constantly changes and I cannot also enter the UUID number because the encrypted swap partition does not have one ...
|
Does not have one? Yes it does:
Code:
[bash]:~$>blkid
/dev/sda1: LABEL="F14-boot" UUID="d76a7974-e5c3-4a31-b66a-731469a1f033" TYPE="ext4"
/dev/sda2: UUID="c92747eb-6ba1-40af-8ecc-1a7f0e0a8dc6" TYPE="crypto_LUKS"
/dev/sda3: UUID="f324fd4b-7ba5-4800-8492-6bafab1a8ba6" TYPE="crypto_LUKS"
/dev/sda5: UUID="ffebfc23-0384-4cdc-95a0-962259f93ee9" TYPE="crypto_LUKS"
/dev/sda6: UUID="bae21dda-f60f-4b39-8f98-150cbbbd29d8" TYPE="crypto_LUKS"
/dev/mapper/luks-c92747eb-6ba1-40af-8ecc-1a7f0e0a8dc6: LABEL="F14-Root" UUID="f2c62329-4b7a-49bd-a9fa-4cf2313c2b9b" TYPE="ext4"
/dev/mapper/encswap: UUID="ccd7555a-98e7-462c-9356-41a59480b35e" TYPE="swap"
/dev/mapper/sda6: LABEL="home" UUID="b4c7cd52-f330-4a1c-9066-7acb3d490e33" TYPE="ext4"
First bold one is the luks container that has the swap partition (second bold one, encswap)
In /boot/grub/menu.lst I have the following options in the kernel line:
Code:
rd_LUKS_UUID=f324fd4b-7ba5-4800-8492-6bafab1a8ba6 resume=UUID=ccd7555a-98e7-462c-9356-41a59480b35e
First one gets kernel to open the partition which contains the encrypted swap partition. Resume is the UUID of the swap partition, which will now be visible as ..ba6 has been opened.

12th August 2011, 09:27 AM
Re: Encrypting the swap partition while /dev/path constantly changes ...
Quote:
Originally Posted by japafi
In /boot/grub/menu.lst I have the following options in the kernel line:
Code:
rd_LUKS_UUID=f324fd4b-7ba5-4800-8492-6bafab1a8ba6 resume=UUID=ccd7555a-98e7-462c-9356-41a59480b35e
First one gets kernel to open the partition which contains the encrypted swap partition. Resume is the UUID of the swap partition, which will now be visible as ..ba6 has been opened.
|
OK ... this should be the trick then ... because in my case (although it works now great) I have:
Code:
blkid
/dev/sdb1: UUID="5e75d18f-8628-4c4f-bbb2-0b1ba154535e" TYPE="ext4"
/dev/sdb2: LABEL="backup" UUID="67d8fc30-8c71-49f4-a616-19118d1c9ccd" SEC_TYPE="ext2" TYPE="ext3"
/dev/sdb5: UUID="f76affdf-fa61-4d38-aa36-ad934253815f" TYPE="ext4"
/dev/sdb6: UUID="431ff39e-dd09-40c0-8102-3771e56bd9a1" TYPE="ext4"
/dev/sdb7: LABEL="door" UUID="7fbf4f37-eec3-438b-a2a4-8d3a36a3aa22" TYPE="ext3"
/dev/sdb8: UUID="d3c53b6b-da22-468f-916d-79d151527e77" TYPE="ext4"
/dev/sdb9: LABEL="_Fedora-15-x86_6" UUID="6fa2c71d-832d-4477-b02e-6e41825d4d6d" TYPE="ext4"
/dev/sdb11: UUID="e0cb12ff-b074-4312-bbd0-0f173d078f4b" TYPE="ext4"
/dev/sdb12: UUID="392973f6-0f22-4526-ade7-1365fd454cb1" TYPE="ext4"
/dev/mapper/swap: UUID="e381d1fd-b283-4529-9dc4-f16cf1837360" TYPE="swap"
... sdb10 is missing ... and when opened with gparted it is identified as "unknown partition".
Kind regards,
tntrush

12th August 2011, 10:49 AM
Re: Encrypting the swap partition while /dev/path constantly changes ...
Code:
cryptsetup luksUUID /dev/sdb10
to get the partition uuid.
Add that uuid to kernel parameter line: rd_LUKS_UUID=(output from luksUUID)
Perhaps then the container filesystem (ie. swap) will be always visible and you could mount it using UUID visible in blkid

12th August 2011, 09:26 PM
Re: Encrypting the swap partition while /dev/path constantly changes ...
Oh, thanx!
However, I get the following message:
Code:
cryptsetup luksUUID /dev/sdb10
Device /dev/sdb10 is not a valid LUKS device.
The swap exists, however, and it is encrypted:
Code:
swapon -s
Filename Type Size Used Priority
/dev/mapper/swap partition 4095996 0 0
Kind regards,
tntrush

13th August 2011, 08:37 AM
Re: Encrypting the swap partition while /dev/path constantly changes ...
The swap partition can hold a lot of unencrypted confidential information and the fact that it persists after shutting down the computer can be a problem.
Encrypting a swap partition however is slightly tricky if one wants to also support suspend-to-disk (also called hibernation). Here's a procedure that worked for me on both Debian Lenny and Ubuntu 7.10 (Gutsy Gibbon):
0- Install the cryptsetup package:
apt-get install cryptsetup
1- Setup the encrypted partition as root:
swapoff -a
cryptsetup -h sha256 -c aes-cbc-essiv:sha256 -s 256 luksFormat /dev/hda2
cryptsetup luksOpen /dev/hda2 cswap
mkswap /dev/mapper/cswap
2- Add this line to /etc/crypttab:
cswap /dev/hda2 none swap,luks,timeout=30
3- Set the swap partition to be this in /etc/fstab:
/dev/mapper/cswap none swap sw 0 0
4- Configure uswsusp to use /dev/mapper/cswap and write unencrypted data
dpkg-reconfigure -plow uswsusp
You will of course want to replace /dev/hda2 with the partition that currently holds your unencrypted swap.

13th August 2011, 10:05 AM
Re: Encrypting the swap partition while /dev/path constantly changes ...
Quote:
Originally Posted by hermandez
Here's a procedure that worked for me on both Debian Lenny and Ubuntu 7.10 (Gutsy Gibbon):
0- Install the cryptsetup package:
apt-get install cryptsetup
1- Setup the encrypted partition as root:
swapoff -a
cryptsetup -h sha256 -c aes-cbc-essiv:sha256 -s 256 luksFormat /dev/hda2
cryptsetup luksOpen /dev/hda2 cswap
mkswap /dev/mapper/cswap
2- Add this line to /etc/crypttab:
cswap /dev/hda2 none swap,luks,timeout=30
3- Set the swap partition to be this in /etc/fstab:
/dev/mapper/cswap none swap sw 0 0
4- Configure uswsusp to use /dev/mapper/cswap and write unencrypted data
dpkg-reconfigure -plow uswsusp
You will of course want to replace /dev/hda2 with the partition that currently holds your unencrypted swap.
|
This is great! I performed those steps and I have to say that it works great. Now both cryptsetup luksUUID and blkid commands work as expected.
I have made a few changes though, because it kept asking for a password during startup ... According to this howto I added a key to load automatically and unlock the partition.
Code:
dd if=/dev/urandom of=/root/keyfile bs=1024 count=4
chmod 0400 /root/keyfile
cryptsetup luksAddKey /dev/sdX /root/keyfile
And in /etc/crypttab
cswap /dev/disk/by-id/<disk id> /root/keyfile swap,luks
I have not performed the following command
Code:
dpkg-reconfigure -plow uswsusp
"dpkg" means Debian Package which is irrelevant to rpm. I am not using suspension so it is not of great importance to me, but any ideas would be welcome in order to make it work in fedora too!
Thanx indeed!
Kind regards,
tntrush
Last edited by tntrush; 13th August 2011 at 10:07 AM.

13th August 2011, 04:47 PM
Re: Encrypting the swap partition while /dev/path constantly changes ...
If you have the key on the computer, there is no benefit of encrypting the swap partition. Whoever gets hold of the computer can decrypt the swap as the decrypt key is available.

13th August 2011, 07:17 PM
Re: Encrypting the swap partition while /dev/path constantly changes ...
Indeed, however if they have root privileges ... who cares about the swap ...?
Kind regards,
tntrush
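
The /etc/crypttab pitfalls that came up in this thread (kernel device names that change between boots, UUID or label references for random-key swap, and a key file kept on the same machine) can be checked mechanically. The shell function below is an added example, not code from any poster; the finding names and the sample entries, including the by-id device name, are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint crypttab-format entries for the pitfalls raised in this thread.
# Fields: <name> <source device> <key file> <options>

lint_crypttab() {
    # $1 = path to a crypttab-format file; prints one finding per line.
    awk '
    /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
    {
        name = $1; src = $2; key = $3; opts = "," $4 ","
        is_swap = (opts ~ /,swap,/)
        # Kernel names (/dev/sda10, /dev/hda2) follow probe order and can change per boot.
        if (src ~ /^\/dev\/(sd|hd|vd)[a-z]+[0-9]*$/)
            print name ": UNSTABLE_SOURCE " src
        if (is_swap && key ~ /^\/dev\/u?random$/) {
            # With a random key the raw partition holds only ciphertext, so a
            # filesystem UUID or label on it does not survive the first boot.
            if (src ~ /^(UUID|LABEL)=/ || src ~ /^\/dev\/disk\/by-(uuid|label)\//)
                print name ": NO_PERSISTENT_UUID " src
        } else if (is_swap && key != "" && key != "none" && key != "-") {
            # A key file on local storage is readable offline unless the
            # filesystem holding it is itself encrypted.
            print name ": KEYFILE_ON_DISK " key
        }
    }' "$1"
}

# Constructed sample entries (hypothetical device names, not from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# name  source                                 key           options
swap    /dev/sda10                             /dev/urandom  swap
swap2   UUID=00000000-0000-0000-0000-000000000000 /dev/urandom swap
swap3   /dev/disk/by-id/ata-EXAMPLE-part10     /dev/urandom  swap
cswap   /dev/disk/by-id/ata-EXAMPLE-part10     /root/keyfile swap,luks
cswap2  /dev/hda2                              none          swap,luks,timeout=30
EOF
lint_crypttab "$sample"
rm -f "$sample"
```

Run `lint_crypttab /etc/crypttab` on a real system; an entry that produces no finding uses a stable source path and either a per-boot random key or an interactive passphrase.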