I'm setting up a laptop with encrypted btrfs root.
Problem is, I can't seem to find a way to encrypt the swap so that it
would be usable for hibernation.


* Simple setup for encrypting swap uses a random key generated on each
boot, so resuming doesn't work.
* Using the same key for swap & root is not recommended because some
tool caches the password, making the whole thing meaningless [1]
* Using a swap file doesn't work because btrfs is Copy-On-Write, so the
filesystem may get messed up by hibernate/resume process.


I'm not sure if the "same key" problem exists in Fedora 16, I've tried
setting it up this way and I'm able to boot but not resume.


Any help appreciated!



[1]
https://wiki.archlinux.org/index.php/Talk:System_Encryption_with_LUKS_for_dm-crypt#Suspend_to_disk_instructions_are_insecure

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

On 03.05.2012, Konstantin Svist wrote:

> Problem is, I can't seem to find a way to encrypt the swap so that it would
> be usable for hibernation.

Have you looked at "luksSuspend" and "luksResume"?

> I'm not sure if the "same key" problem exists in Fedora 16, I've tried
> setting it up this way and I'm able to boot but not resume.

Simply, you can't suspend the device which contains the cryptsetup
binary.

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

On 05/03/2012 12:04 PM, Heinz Diehl wrote:

On 03.05.2012, Konstantin Svist wrote:


Problem is, I can't seem to find a way to encrypt the swap so that it would
be usable for hibernation.

Have you looked at "luksSuspend" and "luksResume"?


I've only seen them as crytsetup options.. I'll google for those..



I'm not sure if the "same key" problem exists in Fedora 16, I've tried
setting it up this way and I'm able to boot but not resume.

Simply, you can't suspend the device which contains the cryptsetup
binary.


That's silly. Grub loads initramfs from an unencrypted /boot partition;
initramfs knows about encryption and is able to mount root after I enter
my key. There should be no technical reason why it can't mount the swap
with the same key immediately after and tell kernel to resume from the
now-available swap.


--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

On 05/03/2012 12:52 PM, Konstantin Svist wrote:

On 05/03/2012 12:04 PM, Heinz Diehl wrote:

On 03.05.2012, Konstantin Svist wrote:

Problem is, I can't seem to find a way to encrypt the swap so that
it would

be usable for hibernation.

Have you looked at "luksSuspend" and "luksResume"?


I've only seen them as crytsetup options.. I'll google for those..



I'm not sure if the "same key" problem exists in Fedora 16, I've tried
setting it up this way and I'm able to boot but not resume.

Simply, you can't suspend the device which contains the cryptsetup
binary.


That's silly. Grub loads initramfs from an unencrypted /boot
partition; initramfs knows about encryption and is able to mount root
after I enter my key. There should be no technical reason why it can't
mount the swap with the same key immediately after and tell kernel to
resume from the now-available swap.




I see now - what you said applies to luksSuspend/luksResume. I'm
guessing it should probably reside on /boot or inside initramfs for that
reason...
From what I can tell, these commands work for an encrypted separate
partition, e.g. /home, probably not so much for the whole disk. And/or
they should generally be called by other tools, abstracted from the user.



--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

On 05/03/2012 01:51 AM, Konstantin Svist wrote:

I'm setting up a laptop with encrypted btrfs root.
Problem is, I can't seem to find a way to encrypt the swap so that it
would be usable for hibernation.


* Simple setup for encrypting swap uses a random key generated on each
boot, so resuming doesn't work.
* Using the same key for swap & root is not recommended because some
tool caches the password, making the whole thing meaningless [1]
* Using a swap file doesn't work because btrfs is Copy-On-Write, so
the filesystem may get messed up by hibernate/resume process.


I'm not sure if the "same key" problem exists in Fedora 16, I've tried
setting it up this way and I'm able to boot but not resume.


Any help appreciated!



[1]
https://wiki.archlinux.org/index.php/Talk:System_Encryption_with_LUKS_for_dm-crypt#Suspend_to_disk_instructions_are_insecure





*bump*
Is there a better place to ask this? Perhaps some development ML?

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Konstantin Svist wrote:
> *bump*
> Is there a better place to ask this? Perhaps some development ML?

I would try here:
http://www.saout.de/mailman/listinfo/dm-crypt
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org