Thomas Bächler wrote:
> Karol Babioch wrote:
>> Hi,
>>
>> I've recently set up full encryption of my system (including swap), but
>> therefore lost the possibility to suspend my device to disk (hibernate).
>>
>> The only way mentioned in the wiki is highly not recommended as you
>> would have to place your key on the unencrypted boot partition, which
>> basically conflicts with the idea of full encryption (see
>> http://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-crypt#Encrypted_swap_with_suspend-to-disk_support).
>>
>>
>> By looking for some solution, the only thing I could figure out was to
>> set up lvm, and encrypting the whole lvm partition, which would include
>> the swap. This way all of my stuff would get unlocked, including the
>> swap and therefore my system could resume from a former hibernation.
>>
>> Before setting this up (which will cost some time, as I have to back up,
>> configure and restore my stuff) I wanted to ask you, whether this will
>> work as supposed, and if there may be any better solutions?
>>
>> How do you get both hibernation and full encryption working together?
>
> It is possible. Consider the following setup:
>
> You have two partitions, one small (50MB) /boot /dev/sda1, the rest
> /dev/sda2. Now you create a LUKS-Volume in /dev/sda2, let's call this
> volume enc. Inside /dev/mapper/enc create an LVM physical volume. Then,
> create your root, swap, home, ... filesystems as logical volumes inside
> the LVM (let's say they are called /dev/vg/{root,swap,home,...}). That
> way, you just need to enter ONE passphrase to be able to access all your
> volumes, including swap and root.
>
> The installer (AIF) can set all the above up correctly, however, the
> current version will make the wrong grub line. In the described setup,
> it should be:
>
> cryptdevice=/dev/sda2:enc root=/dev/vg/root resume=/dev/vg/swap ro
>
> Your mkinitcpio.conf should have the following line:
>
> HOOKS="base udev pata scsi sata keymap encrypt lvm2 resume filesystems"
> (note that lvm2 is before resume, not after)
>
> This setup will make it possible to use hibernation on an encrypted
> system without a separate key storage and without having to enter more
> than one passphrase. It is also a very elegant setup, as you have the
> usual advantages of LVM.
>
> Have fun!
>

Wow, thanks for this tutorial. Hopefully, I remember this mail when I set up my box again.
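
A check for the two settings quoted in this thread, added here as an example and not part of either mail: it verifies that the hooks appear in the order encrypt, lvm2, resume, filesystems, and that the kernel line carries cryptdevice=, root= and resume= with neither root nor resume naming the raw LUKS partition. The function names and the sample variables are assumptions made for this example.

```bash
# Added example (not from the mails); names and sample values are constructed.
# hook_pos NAME "LIST": print the 1-based position of NAME in LIST, 0 if absent.
hook_pos() {
    local i=0 h
    for h in $2; do
        i=$((i + 1))
        [ "$h" != "$1" ] || { echo "$i"; return; }
    done
    echo 0
}

# check_hooks < mkinitcpio.conf: require encrypt < lvm2 < resume < filesystems.
check_hooks() {
    local line hooks prev=0 pos h
    line=$(grep -E '^[[:space:]]*HOOKS=' | tail -n 1)
    [ -n "$line" ] || { echo "no HOOKS line"; return 1; }
    hooks=$(printf '%s' "${line#*=}" | tr -d '"()'"'")
    for h in encrypt lvm2 resume filesystems; do
        pos=$(hook_pos "$h" "$hooks")
        [ "$pos" -gt 0 ] || { echo "missing hook: $h"; return 1; }
        [ "$pos" -gt "$prev" ] || { echo "hook out of order: $h"; return 1; }
        prev=$pos
    done
    echo ok
}

# check_cmdline "STR": need cryptdevice=, root=, resume=; none on the raw device.
check_cmdline() {
    local tok crypt="" root="" resume="" raw
    for tok in $1; do
        case $tok in
            cryptdevice=*) crypt=${tok#cryptdevice=} ;;
            root=*)        root=${tok#root=} ;;
            resume=*)      resume=${tok#resume=} ;;
        esac
    done
    [ -n "$crypt" ]  || { echo "missing cryptdevice="; return 1; }
    [ -n "$root" ]   || { echo "missing root="; return 1; }
    [ -n "$resume" ] || { echo "missing resume="; return 1; }
    raw=${crypt%%:*}   # cryptdevice=DEVICE:NAME, keep DEVICE
    [ "$root" != "$raw" ] && [ "$resume" != "$raw" ] ||
        { echo "root/resume names raw LUKS partition $raw"; return 1; }
    echo ok
}

# Constructed sample input, copied from the values given in the mail.
SAMPLE_CONF='HOOKS="base udev pata scsi sata keymap encrypt lvm2 resume filesystems"'
SAMPLE_CMDLINE='cryptdevice=/dev/sda2:enc root=/dev/vg/root resume=/dev/vg/swap ro'
printf '%s\n' "$SAMPLE_CONF" | check_hooks && check_cmdline "$SAMPLE_CMDLINE"
```

On an installed system, feed check_hooks the contents of /etc/mkinitcpio.conf on stdin and pass check_cmdline the contents of /proc/cmdline.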