I am confused by the wiki on encrypting swap partition.
If my /etc/crypttab looks like (taken from the wiki, except changed device name):
# <name> <device> <password> <options> # swap /dev/sda6 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256
I risk of accidentally overwriting another partition if that one is, for some reason, wrongly labelled as /dev/sda6. So my guess was I should instead use the UUID under <device> for /dev/sda6. But then the wiki says:
Persistent block device naming is implemented with simple symlinks. Using UUID's or filesystem-labels is not possible as plain dm-crypt writes only encrypted data without a persistent header like LUKS.
So my (limited) understanding of this is that I am not allowed, for some reason, to use the UUID of the disk? However, next sentence makes it seem like any of the links under any folder in /dev/disk/by-* would suffice? In the article linked they use /dev/disk/by-uuid: "Using the filesystem UUID for persistent block device naming is considered very reliable.":
If you are not familar with one of the directories under /dev/disk/ read on in the section on Dm-crypt/Device Encryption#Preparation for Persistent block device naming
MY QUESTION Am I to understand that I should NOT use /dev/sda6 under <device> in /etc/crypttab nor the UUID (/dev/disk/by-uuid) for that device, but rather the /dev/disk/by-id/<for sda6>?
you get that right. Setting up the swap like that implies it wipes the partition each time you boot with a new crypto. So, if your bios is buggy and sdb gets swapped with sda on reboot, it may potentially overwrite /dev/sdb6 in your example. Now even if you would setup the crypted swap in the running system you cannot use /dev/disk/by-uuid for it in crypttab just for the same reason: the UUID will change when the swap is re-created/crypted and you end up with no swap next boot. You can easily check it by creating a crypted swap manually.
# cryptsetup --type plain open /dev/sdaXX swap # mkswap /dev/mapper/swap
Execute both twice and you will see it returns with different UUIDS. That's the reason why you have to use the /dev/disk/by-id/<for sda6> link, if you want to make it persistent with that guide.
OK, thanks. Then I had understood the misunderstanding correctly: No UUID, no sda. Use disk-by-id instead.
BTW, I assume I'm safe to use /dev/sdaX for /home. Worst case scenario would be it's not mounted properly, i guess.
Also, this makes me wonder why use UUID when /dev/disk/by-id seems more robust?
Last edited by penguin (2014-04-10 18:43:50)
I did not write more robust. I wrote you cannot use an UUID for the non-persistent crypt swap partition you asked about (because the UUID itself changes). Using the /dev/disk/by-id instead is meant to protect the other (static) partitions/filesystems in case devices gets garbled some reboot (e.g. after you plugged in some other device). Most setups have the swap on the same device (e.g. sda) as the system anyway. In these cases the first thing would be that the box cannot find /boot for starters.
For your persistent mounts (e.g. /home) the UUID stays set. Yet, it is not so critical to use one just for the reason you assume yourself.
I risk of accidentally overwriting another partition
That's why the crypttab script usually refuses to use a partition that has a known filesystem on it. Of course no such check is possible for other plain dmcrypted partitions... as everything just looks like random data.
In theory, you could use the partuuid. But disk by-id should be fine as well.