
#1 2015-10-11 15:46:38

derheimel
Member
Registered: 2015-10-11
Posts: 3

Encryption of swap not working (cryptsetup)

Hi,

this is my first Arch setup and I'm stuck at encrypting my swap partition.

At startup I get:

 [FAILED] Failed to start Cryptography Setup for swap.
See 'systemctl status systemd-cryptsetup@swap.service' for details.

systemctl status systemd-cryptsetup@swap.service:

 systemd-cryptsetup@swap.service - Cryptography Setup for swap
   Loaded: loaded (/etc/crypttab)
   Active: activating (start) since Sun 2015-10-11 17:12:55 CEST; 3min 6s ago
     Docs: man:crypttab(5)
           man:systemd-cryptsetup-generator(8)
           man:systemd-cryptsetup@.service(8)
 Main PID: 493 (systemd-cryptse)
   CGroup: /system.slice/system-systemd\x2dcryptsetup.slice/systemd-cryptsetup@swap.service
           └─493 /usr/lib/systemd/systemd-cryptsetup attach swap /dev/disk/by-uuid/5ed79bf2-7422-4b34-8516-084dd5b3e3f5 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256

Oct 11 17:12:55 derheimel systemd[1]: Starting Cryptography Setup for swap...
Oct 11 17:12:55 derheimel systemd-cryptsetup[493]: Encountered unknown /etc/crypttab option 'noearly', ignoring.
Oct 11 17:12:55 derheimel systemd-cryptsetup[493]: Set cipher aes, mode cbc-essiv:sha256, key size 256 bits for device /dev/disk/by-uuid/5ed79bf2-7422-4b34-8516-084dd5b3e3f5.
Oct 11 17:12:55 derheimel systemd-cryptsetup[493]: Failed to activate with key file '/dev/urandom': Device or resource busy

crypttab:

swap         UUID=5ed79bf2-7422-4b34-8516-084dd5b3e3f5                                    /dev/urandom            swap,noearly,cipher=aes-cbc-essiv:sha256,size=256

fstab:

# /dev/mapper/swap
/dev/mapper/swap	none		swap		sw			0 0

lsblk:

NAME     MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda        8:0    0   477G  0 disk  
|-sda1     8:1    0   300M  0 part  
|-sda2     8:2    0   100M  0 part  /boot
|-sda3     8:3    0   128M  0 part  
|-sda4     8:4    0 133.3G  0 part  
|-sda5     8:5    0   450M  0 part  
|-sda6     8:6    0   3.8G  0 part  [SWAP]
`-sda7     8:7    0   339G  0 part  
  `-root 254:0    0   339G  0 crypt /

I hope I didn't forget anything, thanks.


#2 2015-10-11 16:09:51

frostschutz
Member
Registered: 2013-11-15
Posts: 1,421

Re: Encryption of swap not working (cryptsetup)

This kind of encrypted swap partition normally won't have a UUID. (plain encryption mode encrypts even the UUID)

That's why https://wiki.archlinux.org/index.php/Dm … encryption uses /dev/sdxy (dangerous if device names change) or /dev/disk/by-id/HDD-serial-PARTX and not UUID=12345

It's not a particularly good method in general.

Last edited by frostschutz (2015-10-11 16:13:06)


#3 2015-10-11 16:14:17

post-factum
Member
From: /cz
Registered: 2008-09-12
Posts: 149

Re: Encryption of swap not working (cryptsetup)

Why would one like to encrypt swap separately instead of encrypting the whole disk?


uname == latest pf-kernel


#4 2015-10-11 17:08:55

SaltySockets
Member
Registered: 2015-10-10
Posts: 22

Re: Encryption of swap not working (cryptsetup)

post-factum wrote:

Why would one like to encrypt swap separately instead of encrypting the whole disk?

Swap can be dumped when the computer/drive is stolen and that swap will most likely contain the master key for the encrypted root, completely making the rest of the device wide open for those who want to unlock it. So if you encrypt root and want to use swap or even hibernate, you're pretty much forced to encrypt the swap partition as well since it will contain the master key for all encrypted filesystems. No need for LVM.

If you only want to use swap then you don't have to have a static key. You can use /dev/urandom and use a new key every boot, making it theoretically impossible to crack. If you want to use hibernation then you need to use a static key. That key can be stored on the encrypted root filesystem since you need to unlock that when you resume from a hibernation. The boot process is nearly identical and the unlocking of the root partition is done and the swap can thereafter be unlocked using a key stored on the encrypted root drive.

I just completed encrypting my swap for use with hibernation. I followed the wiki and rebooted a few times and saw my mistakes. It now works like a charm. If the swap partition is still marked as a swap partition in the partition table then systemd will try to auto-mount it but it will fail because it's a LUKS formatted drive. It has to be flagged with flag 63 which disables auto-mounting and systemd respects this. The swap is then added to the fstab which makes the swap available in the end anyway. I haven't touched crypttab since that wiki has no references to it. The file /etc/crypttab is not used for root filesystem encryption nor on a swap partition that's used for hibernation.

dm-crypt/Swap encryption (I did this just a few minutes ago and the wiki is really helpful)

Don't obtain the UUID before you've formatted, mapped and run mkswap. When you've done this and have tested it then you can use blkid to get the correct UUID. Each time you use cryptsetup formatting it will get a new UUID.

Last edited by SaltySockets (2015-10-11 17:09:50)


#5 2015-10-12 07:29:21

post-factum
Member
From: /cz
Registered: 2008-09-12
Posts: 149

Re: Encryption of swap not working (cryptsetup)

SaltySockets wrote:

Swap can be dumped when the computer/drive is stolen and that swap will most likely contain the master key for the encrypted root, completely making the rest of the device wide open for those who want to unlock it. So if you encrypt root and want to use swap or even hibernate, you're pretty much forced to encrypt the swap partition as well since it will contain the master key for all encrypted filesystems. No need for LVM.

Encrypting the whole disk makes swap encrypted as well. But then you need LVM, of course.


uname == latest pf-kernel


#6 2015-10-12 12:24:42

bleach
Member
Registered: 2013-07-26
Posts: 264

Re: Encryption of swap not working (cryptsetup)

As post-factum says, encrypting a single partition and then creating LVM partitions inside it encrypts everything, and you only need to unlock one. You can also create a swap file, which is just as good as a partition imo. There is a question if you even need swap, which would depend on your uses and hardware.

uuid is not the same

to identify use this -> https://wiki.archlinux.org/index.php/Dm … encryption

specifically ls -l /dev/disk/*/* | grep sdaX (X being your swap partition)

It's by the id, not uuid. Also use the full path.

Last edited by bleach (2015-10-12 12:45:28)


#7 2015-11-01 18:01:17

frostschutz
Member
Registered: 2013-11-15
Posts: 1,421

Re: Encryption of swap not working (cryptsetup)

frostschutz wrote:

This kind of encrypted swap partition normally won't have a UUID. (plain encryption mode encrypts even the UUID)

In case this is still relevant, someone else had similar crypt swap issues on IRC today.

I added a sub-section in the Wiki that explains how to use this non-persistent urandom-key swap with UUID and LABEL: https://wiki.archlinux.org/index.php/Dm … _and_LABEL

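The device-naming points raised in this thread (post #2's note that a plain-mode random-key swap has no persistent UUID, and the 'noearly' warning in post #1's log), written as a small crypttab check. This is an added example, not part of any post or of the Arch wiki; the function names, finding codes and all sample lines except the first are constructed, and the offset= exemption assumes the labelled-header layout that the wiki sub-section linked in post #7 refers to.

```shell
#!/bin/sh
# Added example: flag crypttab entries for random-key swap that will not
# resolve reliably at boot or that carry options systemd-cryptsetup ignores.
# Finding codes (constructed for this example):
#   noearly-ignored       the log in post #1 shows systemd-cryptsetup ignoring it
#   signature-not-stable  UUID=/LABEL= on a plain-mode device without offset=
#   kernel-name           /dev/sdXN style name that can change between boots
lint_crypttab() {
    awk '
    /^[ \t]*#/ || NF < 4 { next }            # comments, blanks, short lines
    {
        name = $1; dev = $2; key = $3; opts = "," $4 ","
        # Only volatile swap: "swap" option plus a random key source.
        if (opts !~ /,swap,/ || key !~ /^\/dev\/u?random$/) next
        if (opts ~ /,noearly,/) print name, "noearly-ignored"
        if (dev ~ /^(UUID|LABEL)=/ && opts !~ /,offset=[0-9]+,/)
            print name, "signature-not-stable"
        else if (dev ~ /^\/dev\/(sd|hd|vd)[a-z]+[0-9]+$/)
            print name, "kernel-name"
    }'
}

# Constructed sample; only the first line is taken from post #1.
# EXAMPLE-SERIAL and the cryptswap label are placeholders.
sample_crypttab() {
    cat <<'EOF'
swap   UUID=5ed79bf2-7422-4b34-8516-084dd5b3e3f5  /dev/urandom  swap,noearly,cipher=aes-cbc-essiv:sha256,size=256
swap2  /dev/sda6  /dev/urandom  swap,cipher=aes-cbc-essiv:sha256,size=256
swap3  /dev/disk/by-id/EXAMPLE-SERIAL-part6  /dev/urandom  swap,cipher=aes-cbc-essiv:sha256,size=256
swap4  LABEL=cryptswap  /dev/urandom  swap,offset=2048,cipher=aes-cbc-essiv:sha256,size=256
root   /dev/sda7  none  luks
EOF
}

sample_crypttab | lint_crypttab
```

Against a real system the function reads the file on stdin: lint_crypttab < /etc/crypttab.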
