#1 2017-10-09 20:07:29

narr
Member
Registered: 2016-04-21
Posts: 3

swap partition encryption

Hey guys,
since I was not able to find the answer in related topics, can you help me or point me in the right direction?
I am trying to encrypt my swap partition. After trying different configurations I do not know what else to check. Swap works without encryption.

Part of crypttab:

encSwap         /dev/sda3                                    /dev/urandom            swap,cipher=aes-cbc-essiv:sha256,size=256

"sudo swapon -s" result:

Filename                                Type            Size    Used    Priority
/dev/sda3                               partition       4194300 0       -1

"sudo systemctl restart cryptsetup.target" result:

Please enter passphrase for disk SanDisk_SDSSDP128G (encSwap)!
A dependency job for cryptsetup.target failed. See 'journalctl -xe' for details.

"sudo journalctl -xe" result:

Oct 09 21:46:07 Host systemd[1]: Unnecessary job for dev-mapper-encSwap.device was removed.
-- Subject: Unit dev-mapper-encSwap.device has failed
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/l … temd-devel
--
-- Unit dev-mapper-encSwap.device has failed.
--
-- The result is collected.
Oct 09 21:46:07 Host systemd[1]: Starting Cryptography Setup for encSwap...
-- Subject: Unit systemd-cryptsetup@encSwap.service has begun start-up
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/l … temd-devel
--
-- Unit systemd-cryptsetup@encSwap.service has begun starting up.
Oct 09 21:46:07 Host systemd-cryptsetup[1985]: Set cipher aes, mode cbc-essiv:sha256, key size 256 bits for device /dev/sda3.
Oct 09 21:46:07 Host systemd-cryptsetup[1985]: Failed to activate with key file '/dev/urandom': Invalid argument
Oct 09 21:46:07 Host systemd[1]: Unnecessary job for dev-mapper-encSwap.device was removed.
-- Subject: Unit dev-mapper-encSwap.device has failed
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/l … temd-devel
--
-- Unit dev-mapper-encSwap.device has failed.
--
-- The result is collected.
Oct 09 21:46:08 Host systemd-cryptsetup[1985]: Loading of cryptographic parameters failed: Invalid argument
Oct 09 21:46:08 Host systemd-cryptsetup[1985]: Failed to activate: Invalid argument
Oct 09 21:46:08 Host systemd[1]: systemd-cryptsetup@encSwap.service: Main process exited, code=exited, status=1/FAILURE
Oct 09 21:46:08 Host systemd[1]: Failed to start Cryptography Setup for encSwap.
-- Subject: Unit systemd-cryptsetup@encSwap.service has failed
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/l … temd-devel
--
-- Unit systemd-cryptsetup@encSwap.service has failed.
--
-- The result is failed.
Oct 09 21:46:08 Host systemd[1]: Dependency failed for Encrypted Volumes.
-- Subject: Unit cryptsetup.target has failed
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/l … temd-devel
--
-- Unit cryptsetup.target has failed.
--
-- The result is dependency.
Oct 09 21:46:08 Host systemd[1]: cryptsetup.target: Job cryptsetup.target/start failed with result 'dependency'.
Oct 09 21:46:08 Host systemd[1]: systemd-cryptsetup@encSwap.service: Unit entered failed state.
Oct 09 21:46:08 Host systemd[1]: systemd-cryptsetup@encSwap.service: Failed with result 'exit-code'.
Oct 09 21:46:08 Host sudo[1982]: pam_unix(sudo:session): session closed for user root

#2 2017-10-10 03:56:00

mpan
Member
Registered: 2012-08-01
Posts: 1,205

Re: swap partition encryption

Your /etc/fstab seems to be pointing to “/dev/sda3” instead of “/dev/mapper/encSwap”. IMO this should not cause the errors found in the journal, but let’s start by fixing the configuration so it at least could work.

Have you erased the partition before use? Or at least its beginning?

Also consider using /dev/disk/by-id or /dev/disk/by-path: otherwise you may kill your own data by accident.

Last edited by mpan (2017-10-10 04:00:07)


Sometimes I seem a bit harsh — don’t get offended too easily!

#3 2017-10-10 16:51:58

narr
Member
Registered: 2016-04-21
Posts: 3

Re: swap partition encryption

Regarding the last part, I will deal with labelling as soon as it starts to work in this simple case.

"fstab" is probably ok:

/dev/mapper/encSwap                            none    swap    defaults                        0       0

I cannot remember the process of formatting the partition, as it was done a while ago, but since "sudo fdisk -l" prints the following, I suppose the partition should be ok.

/dev/sda3   208896   8597503   8388608     4G Linux swap

Besides, it works without encryption.

#4 2017-10-16 03:20:39

mpan
Member
Registered: 2012-08-01
Posts: 1,205

Re: swap partition encryption

I was not responding, because I was feeling bad.

I have no idea in which step you have set up the things wrong, but here is everything you have to do — step by step. The example assumes that there are two partitions already, one for “/” and one for swap (actually containing a working swap). This is not really important. These two partitions are “/dev/disk/by-id/ata-QEMU_HARDDISK_QM00001-part1” (the root one) and “/dev/disk/by-id/ata-QEMU_HARDDISK_QM00001-part2” (the swap):

[root@archlinux ~]# free
              total        used        free      shared  buff/cache   available
Mem:        2052692       33244     1960832        8488       58616     1910392
Swap:        318460           0      318460
[root@archlinux ~]# cat /etc/fstab
# 
# /etc/fstab: static file system information
#
# <file system> <dir>   <type>  <options>       <dump>  <pass>
# /dev/sda1
UUID=1950e4b8-88dc-46bf-87ba-69eefec68d1c       /               ext4            rw,relatime,data=ordered  0 1
UUID=c5cfd51a-c60a-4314-b29f-2ee7a9b90827 none swap defaults 0 0

Let’s disable the swap and fill it with pseudorandom data¹:

[root@archlinux ~]# dd if=/dev/urandom of=/dev/disk/by-id/ata-QEMU_HARDDISK_QM00001-part2

Then setup “/etc/fstab” and “/etc/crypttab”:
/etc/fstab:

UUID=1950e4b8-88dc-46bf-87ba-69eefec68d1c       /               ext4            rw,relatime,data=ordered        0 1
/dev/mapper/encSwap none swap defaults 0 0

/etc/crypttab:

encSwap /dev/disk/by-id/ata-QEMU_HARDDISK_QM00001-part2 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256

NOTE: be careful not to use wrong names. You will not be notified of the error — instead you may receive strange errors or timeouts upon boot.

See it this way:

  • You set up an encrypted swap partition on the physical partition with a key drawn from “/dev/urandom”. On each boot it is different and the whole partition is automagically set up for you in this case. The encrypted swap partition is located at “/dev/mapper/encSwap”. This is what “/etc/crypttab” specifies.

  • You set up a normal swap partition using “/etc/fstab”. As the location on which the swap should be, you specify “/dev/mapper/encSwap”. “/etc/fstab” is unaware that this location comes from something encrypted: it treats it as any other thing.

Therefore: physicalPartition → automagically encrypted area → that area is unencrypted and presented as “/dev/mapper/encSwap” (as “/etc/crypttab” says) → “/dev/mapper/encSwap” is used for swap (as “/etc/fstab” says).

Done? Reboot. After the reboot everything is fine:

[root@archlinux ~]# free
              total        used        free      shared  buff/cache   available
Mem:        2052692       33004     1965748        8496       53940     1912992
Swap:        318460           0      318460
[root@archlinux ~]# lsblk
NAME        MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
fd0           2:0    1    4K  0 disk  
sda           8:0    0  1.5G  0 disk  
├─sda1        8:1    0  1.2G  0 part  /
└─sda2        8:2    0  311M  0 part  
  └─encSwap 254:0    0  311M  0 crypt [SWAP]
sr0          11:0    1 1024M  0 rom   

If you wish, you may see the whole process as an asciinema animation² (ptpb, asciinema.org).

“/dev/disk/by-id” contains various links to the disk and locations. Some of them are based on disk serial numbers, which are unique. See the case of your drive to find out its serial number. If you use one of the unique names based on the serial numbers, you should not fear overwriting a different partition. It is unlikely that there will be no alias using that serial number, but in case you miss one: follow the hints on the wiki.
____
¹ Typically this would be done by setting up an encrypted volume and then filling it with zeros, but in this case it would be the harder way: so let’s fill the area directly before encrypting it.
² Sorry for the minor mistakes — I have pressed a wrong key a few times.


Sometimes I seem a bit harsh — don’t get offended too easily!

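An added check, not from the thread or from mpan, that turns the two-file recipe above into something you can run before rebooting: it reads a crypttab and an fstab (paths are passed as arguments), and for every "swap" mapping verifies the key file is /dev/urandom, the underlying device is a stable /dev/disk/by-* path, fstab swaps on /dev/mapper/<name>, and fstab does not also swap on the raw partition. The sample files it builds are constructed from post #4.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check a crypttab against an fstab
# for a random-key swap mapping. Exit status 0 = consistent, 1 = problem found.
check_swap_crypt() {
  crypttab=$1 fstab=$2 rc=0
  # crypttab fields: name  underlying-device  key-file  options (comments/blank lines dropped)
  entries=$(awk '!/^[[:space:]]*(#|$)/ { print $1, $2, $3, $4 }' "$crypttab")
  while read -r name dev key opts; do
    case ",$opts," in *,swap,*) ;; *) continue ;; esac   # only swap mappings
    mapped=/dev/mapper/$name
    # A swap keyed from /dev/urandom is recreated at every boot; another key file
    # usually means the line was copied from a persistent-volume recipe.
    [ "$key" = /dev/urandom ] || echo "WARN $name: key file is '$key', not /dev/urandom"
    # The raw device should be a stable /dev/disk/by-* link (mpan's advice), so a
    # renumbered /dev/sdX is not silently overwritten with a fresh random key.
    case $dev in /dev/disk/by-*) ;; *) echo "WARN $name: '$dev' is not a /dev/disk/by-* path" ;; esac
    # fstab must swap on the mapped name ...
    if ! awk -v m="$mapped" '!/^[[:space:]]*#/ && $1==m && $3=="swap" {f=1} END {exit !f}' "$fstab"; then
      echo "FAIL $name: no swap entry for $mapped in $fstab"; rc=1
    fi
    # ... and must not also swap directly on the partition underneath it.
    if awk -v d="$dev" '!/^[[:space:]]*#/ && $1==d && $3=="swap" {f=1} END {exit !f}' "$fstab"; then
      echo "FAIL $name: $fstab still swaps directly on $dev"; rc=1
    fi
  done <<EOF
$entries
EOF
  [ "$rc" -eq 0 ] && echo "OK: crypttab and fstab agree"
  return "$rc"
}

# Constructed sample (the configuration from post #4), written to a temp dir.
demo() {
  d=$(mktemp -d)
  printf '%s\n' 'encSwap /dev/disk/by-id/ata-QEMU_HARDDISK_QM00001-part2 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256' > "$d/crypttab"
  printf '%s\n' '/dev/mapper/encSwap none swap defaults 0 0' > "$d/fstab"
  if check_swap_crypt "$d/crypttab" "$d/fstab"; then r=0; else r=1; fi
  rm -rf "$d"; return $r
}

demo
```

Run it against the real files with `check_swap_crypt /etc/crypttab /etc/fstab`; a WARN is advisory, a FAIL is the kind of mismatch that shows up only as a failed cryptsetup.target at boot.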