
#1 2012-02-14 18:16:51

Hibernate
Member
From: Stockholm, Sweden
Registered: 2011-07-12
Posts: 100

[SOLVED] Encrypted swap partition

I'm trying to set up an encrypted swap partition. I've consulted the wiki https://wiki.archlinux.org/index.php/Sy … _partition
but I can't get it to work. I want to encrypt the swap partition without suspend-to-disk support.
I've tried many changes to crypttab and fstab, but I've interpreted the wiki and tried adding

/dev/mapper/swap_dev_sda2  swap  swap  defaults  0  0

to fstab and

swap_dev_sda2  /dev/disk/by-id/scsi-...-part2 SWAP -c aes-xts-plain -h whirlpool -s 512

to crypttab.

What should I do to create an encrypted swap partition with, at start up, randomised key without suspend-to-disk support,
if I want to encrypt /dev/sda2, but by ID, (symlinked to by /dev/disk/by-id/scsi-...-part2), and label it swap_dev_sda2?

Last edited by Hibernate (2012-02-14 20:39:19)


#2 2012-02-14 18:30:13

/dev/zero
Member
From: Melbourne, Australia
Registered: 2011-10-20
Posts: 1,247

Re: [SOLVED] Encrypted swap partition

What's the actual problem you're having? - "can't get it to work" is not very helpful.

I do notice that in the wiki, there are quotation marks:

The Wiki wrote:
swap /dev/disk/by-id/scsi-SATA_Hitachi_HDS7220_JK1130YAGX0R1T-part7 SWAP "-c aes-xts-plain -h whirlpool -s 512"

not

Hibernate wrote:
swap_dev_sda2  /dev/disk/by-id/scsi-...-part2 SWAP -c aes-xts-plain -h whirlpool -s 512


#3 2012-02-14 18:43:40

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: [SOLVED] Encrypted swap partition

Further to what /dev/zero writes you also have an error in the fstab, which should be

/dev/mapper/swap_dev_sda2  none  swap  defaults  0  0 

(man fstab: "The second field" should be none for swap)

edit: cool nickname for suspend-without-to-disk support ;-)

Last edited by Strike0 (2012-02-14 18:47:41)


#4 2012-02-14 19:06:01

Hibernate
Member
From: Stockholm, Sweden
Registered: 2011-07-12
Posts: 100

Re: [SOLVED] Encrypted swap partition

To start the swap I just rebooted (easy 10 second approach) and was just told that it failed.
The second field in fstab was taken from the line for the swap partition created by AIF.
I had tested with quotes in crypttab, but they were not present in the example in crypttab.

Now I have added the quotes and applied Strike0's patch to fstab, but it still does not work.

/dev/mapper/swap_dev_sda2 is not created by any test configuration.

Last edited by Hibernate (2012-02-14 19:11:23)


#5 2012-02-14 19:23:55

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: [SOLVED] Encrypted swap partition

What's the output if you do

swapoff -a -v 
swapon -a -v

edit: Or the other way round of course. Plus: I don't know but perhaps the underscores "dev_swap" can't be used for the mapper?

Last edited by Strike0 (2012-02-14 19:27:12)


#6 2012-02-14 19:27:12

Hibernate
Member
From: Stockholm, Sweden
Registered: 2011-07-12
Posts: 100

Re: [SOLVED] Encrypted swap partition

swapoff on /dev/mapper/swap_dev_sda2
swapon: /dev/mapper/swap_dev_sda2: stat failed: No such file or directory


#7 2012-02-14 19:35:41

jjacky
Member
Registered: 2011-11-09
Posts: 347

Re: [SOLVED] Encrypted swap partition

I assume you're sure you point to the right partition in crypttab. Does that partition currently contain a filesystem?
Do you get the "creating swapspace" message at boot? If not, it's probably because blkid reported a known filesystem on that partition, in which case nothing happens, to avoid overwriting an existing filesystem.
I think if

blkid -p /dev/disk/by-id/scsi-...-part2

returns something, then that's why nothing happens. It should say nothing and return 2 (i.e. nothing identified) for swap to be created on boot.


#8 2012-02-14 19:42:09

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: [SOLVED] Encrypted swap partition

Something to complement what jjacky writes is here: https://wiki.archlinux.org/index.php/Fstab#Swap_UUID

Plus: Try by eliminating the underscores in the mapper name, i.e. "swapdevsda2"


#9 2012-02-14 20:18:08

Hibernate
Member
From: Stockholm, Sweden
Registered: 2011-07-12
Posts: 100

Re: [SOLVED] Encrypted swap partition

It works!

Line in /etc/fstab:

/dev/mapper/devsda2 none swap defaults 0 0

Line in /etc/crypttab:

devsda2 /dev/disk/by-id/scsi-...-part2 SWAP "-c aes-xts-plain -h whirlpool -s 512"

/dev/disk/by-id/scsi-...-part2 is obtained by running

ls -l /dev/disk/by-id/* | grep /dev/sda2 | cut -d ' ' -f 9

I also wiped the information about the previous swap (that is right, you need to remove information about the previous swap when you encrypt it)
by running

dd if=/dev/zero of=/dev/sda2

More than 1 KB needs to be written, but I do not know how much.
I also edited the MBR to make it a filesystemless partition, but doing that the wrong way (manually by editing a byte on /dev/sda)
may damage your partitions so I'm not posting that command.


How do I (that is, without byte hacking the harddrive) wipe a partition (quickly, not by feeding it with zeroes until full) and remove its filesystem type?

Last edited by Hibernate (2012-02-14 20:26:21)


#10 2012-02-14 20:31:26

Strike0
Member
From: Germany
Registered: 2011-09-05
Posts: 1,429

Re: [SOLVED] Encrypted swap partition

Good!
Not sure what you write about manipulating the MBR though ..
Adding a blocksize to dd would certainly speed things. Anyway, please see the wiki for wipe alternatives. Some also just use "shred". Any method should not be a big deal of time for a swap.
edit: Use "swapoff -a" before the wipe.
& corrected typo in url.

Last edited by Strike0 (2012-02-14 21:09:40)


#11 2012-02-14 20:39:03

Hibernate
Member
From: Stockholm, Sweden
Registered: 2011-07-12
Posts: 100

Re: [SOLVED] Encrypted swap partition

Now it is solved without the remaining question as marked currently.
I didn't know how to wipe the filesystem type, so I have dd:ed one byte from /dev/zero to /dev/sda and seeked to the position where the MBR has the filesystem type
stored, and have changed it from 0x82 (Linux swap &a) to 0x00 (Empty), which in my case was at byte 466.


#12 2012-02-14 20:41:38

Hibernate
Member
From: Stockholm, Sweden
Registered: 2011-07-12
Posts: 100

Re: [SOLVED] Encrypted swap partition

@Strike0
Add a 'h' to the beginning of the wiki URL, it is missing from https:

Offline
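
The three checks that came up in this thread (quoted options in post #2, the fstab fields in post #3, a leftover signature found by blkid -p in post #7) can be run before rebooting. The script below is an added example, not something posted by a participant; it assumes the legacy crypttab format with the SWAP keyword used here, and the function names and the placeholder device path are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Lints SWAP lines in a legacy
# (initscripts-style) crypttab against fstab.
# Usage: lint_crypt_swap CRYPTTAB FSTAB ; returns 0 if nothing was found.
lint_crypt_swap() {
    rc=0
    while read -r name dev key opts; do
        case $name in ''|'#'*) continue ;; esac
        [ "$key" = SWAP ] || continue
        # Post #2: cryptsetup options must be one double-quoted field.
        case $opts in
            '"'*'"') ;;
            *) echo "$name: options not quoted: $opts"; rc=1 ;;
        esac
        # Post #3: fstab needs the mapper device with fields 2-3 "none swap".
        f=$(awk -v d="/dev/mapper/$name" '$1 == d { print $2, $3 }' "$2")
        case $f in
            'none swap') ;;
            '') echo "$name: no fstab line for /dev/mapper/$name"; rc=1 ;;
            *) echo "$name: fstab fields 2-3 are '$f', want 'none swap'"; rc=1 ;;
        esac
        # Post #7: blkid -p exits 0 when it recognises a signature, and then
        # no swap is created at boot. Needs root; skipped if device is absent.
        if [ -b "$dev" ] && blkid -p "$dev" >/dev/null 2>&1; then
            echo "$name: $dev still has a recognised signature"; rc=1
        fi
    done < "$1"
    return $rc
}

# Constructed sample files: the first attempt from post #1 and the
# working lines from post #9 (device path is a placeholder).
write_samples() {
    d='/dev/disk/by-id/scsi-EXAMPLE-part2'
    echo "swap_dev_sda2 $d SWAP -c aes-xts-plain -h whirlpool -s 512" > "$1/crypttab.bad"
    echo '/dev/mapper/swap_dev_sda2 swap swap defaults 0 0' > "$1/fstab.bad"
    echo "devsda2 $d SWAP \"-c aes-xts-plain -h whirlpool -s 512\"" > "$1/crypttab.ok"
    echo '/dev/mapper/devsda2 none swap defaults 0 0' > "$1/fstab.ok"
}

tmp=$(mktemp -d) && write_samples "$tmp"
lint_crypt_swap "$tmp/crypttab.bad" "$tmp/fstab.bad" || echo "first attempt: problems found"
lint_crypt_swap "$tmp/crypttab.ok" "$tmp/fstab.ok" && echo "working config: clean"
rm -rf "$tmp"
```

On a real system, run it as root against /etc/crypttab and /etc/fstab so that the blkid probe can read the device.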
