On 09/27/2014 10:32 PM, Arno Wagner wrote:
> On Sat, Sep 27, 2014 at 21:39:30 CEST, Ross Boylan wrote:
>> What does it mean for encrypted swap + hibernate (power is off
>> but system state is saved to disk)?
>
> If you can wake up without giving encryption keys again, the key is
> somewhere on disk.

Let me just jump in here because this is the way I am using my system:

For hibernating to encrypted swap (more precisely, to resume from an encrypted swap), you do need to give the encryption key/passphrase again - to an initrd/initramfs to re-luksOpen the encrypted swap device before trying to resume from it.

(btw this implies you can not use random keys for swap if you want hibernate/resume, as obviously there should be no chance to regenerate a random key)

JFTR, the relevant parts of my initramfs' init file look as follows, with $RESUMEDEV evaluating to /dev/mapper/swap and open{swap,root,home,var} being shell wrappers for mounting a USB storage device containing key files, opening a luks-encrypted partition, unmounting the storage device.

# Open swap crypto device (my own addition)
/sbin/openswap

# Resume state from swap (Slackware mkinitrd)
echo "Trying to resume from $RESUMEDEV"
RESMAJMIN=$(ls -l $RESUMEDEV | tr , : | awk '{ print $5$6 }')
echo $RESMAJMIN > /sys/power/resume

# If resume failed, also open other crypto devices (my own addition)
/sbin/openroot
/sbin/openvar
/sbin/openhome

# Switch to real root partition: (Slackware mkinitrd)
/sbin/udevadm settle --timeout=10
echo 0x0100 > /proc/sys/kernel/real-root-dev
mount -o ro -t $ROOTFS $ROOTDEV /mnt

YMMV,
Heiko

-- 
My PGP key for verification: http://pgp.mit.edu
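A wrapper of the kind the message describes (mount the key stick, luksOpen the partition, unmount again) could look like the sketch below. It is an added example, not the poster's actual /sbin/openswap; KEYDEV, KEYMNT, the key file name and the device path in the last comment are assumptions.

```shell
#!/bin/sh
# Added example: sketch of an "openswap"-style initramfs wrapper.
# KEYDEV, KEYMNT and the key file layout are assumptions, not from the post.
KEYDEV=${KEYDEV:-/dev/disk/by-label/KEYSTICK}   # hypothetical USB key device
KEYMNT=${KEYMNT:-/mnt/keys}                     # hypothetical mount point

# open_luks NAME DEVICE KEYFILE
# Returns 0 if /dev/mapper/NAME is available afterwards, non-zero otherwise.
open_luks() {
    name=$1 dev=$2 keyfile=$3

    # Already open (wrapper called twice): nothing to do.
    [ -e "/dev/mapper/$name" ] && return 0

    # Resume needs the same key that was used at hibernate time, so the
    # device must be a LUKS volume with a stored key slot, not a mapping
    # that is re-keyed from random data on every boot.
    cryptsetup isLuks "$dev" || { echo "$dev: not a LUKS device" >&2; return 2; }

    # Mount the key stick read-only so the init script cannot alter it.
    mkdir -p "$KEYMNT"
    mount -o ro "$KEYDEV" "$KEYMNT" || { echo "cannot mount $KEYDEV" >&2; return 3; }

    rc=0
    if [ -r "$KEYMNT/$keyfile" ]; then
        cryptsetup --key-file "$KEYMNT/$keyfile" luksOpen "$dev" "$name" || rc=4
    else
        echo "key file $keyfile not found on $KEYDEV" >&2
        rc=5
    fi

    # Always unmount, also on failure, so the key files are not left
    # reachable from the running system.
    umount "$KEYMNT"
    return $rc
}

# In init, before the resume step (device path is a placeholder):
#   open_luks swap /dev/sdXN swap.key
```

The mapping name passed as NAME has to match what $RESUMEDEV points at (/dev/mapper/swap in the message), otherwise the resume step finds no device.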