Re: Full system encryption with support for hibernation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



Thomas Bächler wrote:
> Karol Babioch schrieb:
>> Hi,
>>
>> I've recently set up full encryption of my system (including swap), but
>> therefore lost the possibility to suspend my device to disk (hibernate).
>>
>> The only way mentioned in the wiki is highly not recommended as you
>> would have to place your key on the unencrypted boot partition, which
>> basically conflicts the idea of full encryption (see
>> http://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-crypt#Encrypted_swap_with_suspend-to-disk_support).
>>
>>
>> By looking for some solution, the only thing I could figure out was to
>> set up lvm, and encrypting the whole lvm partition, which would include
>> the swap. This way all of my stuff would get unlocked, including the
>> swap and therefore my system could resume from a former hibernation.
>>
>> Before setting this up (which will cost some time, as I have to back up,
>> configure and restore my stuff) I wanted to ask you, whether this will
>> work as supposed, and if there may be any better solutions?
>>
>> How do you get both hibernation and full encryption working together?
> 
> It is possible. Consider the following setup:
> 
> You have two partitions, one small (50MB) /boot /dev/sda1, the rest
> /dev/sda2. Now you create a LUKS-Volume in /dev/sda2, let's call this
> volume enc. Inside /dev/mapper/enc create a LVM physical volume. Then,
> create your root, swap, home, ... filesystems as logical volumes inside
> the LVM (let's say they are called /dev/vg/{root,swap,home,...}. That
> way, you just need to enter ONE passphrase to be able to access all your
> volumes, including swap and root.
> 
> The installer (AIF) can set all the above up correctly, however, the
> current version will make the wrong grub line. In the described setup,
> it should be:
> 
> cryptdevice=/dev/sda2:enc root=/dev/vg/root resume=/dev/vg/swap ro
> 
> Your mkinitcpio.conf should have the following line:
> 
> HOOKS="base udev pata scsi sata keymap encrypt lvm2 resume filesystems"
> (note that lvm2 is before resume, not after)
> 
> This setup will make it possible to use hibernation on an encrypted
> system without a separate key storage and without having to enter more
> than one passphrase. It is also a very elegant setup, as you have the
> usual advantages of LVM.
> 
> Have fun!
> 

Wow, thanks for this tutorial. Hopefully, I remember this mail when I set up my box again.


[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]
  Powered by Linux