#1 2015-02-12 17:28:46

blufinney
Member
Registered: 2014-08-26
Posts: 59

[SOLVED] dm-crypt/Swap encryption - Asks for Password on Boot

I'm attempting to set up an encrypted swap partition.  I followed the wiki article "dm-crypt/Swap encryption (Without_suspend-to-disk_support)" and the setup is straightforward and makes sense.  Yet on boot I'm asked for a password and then given some errors about failure to start cryptography setup for swap.  Maybe I've missed a pre-requisite step needed for the steps in "dm-crypt/Swap encryption (Without_suspend-to-disk_support)" wiki article to work properly.

My crypttab has this line added:

swap /dev/disk/by-id/ata-Samsung_SSD_840_EVO_250GB_XXX-part3 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256

My fstab has this line added:

/dev/mapper/swap none swap sw 0 0

Relevant errors during boot that appear after I press enter key (when asked for password for some reason):

[FAILED] Failed to start Cryptography Setup for swap.
See "systemctl status systemd-cryptsetup@swap.service" for details
[DEPEND] Dependency failed for /dev/mapper/swap.
[DEPEND] Dependency failed for Swap.
[DEPEND] Dependency failed for Encrypted Volumes.

For what it's worth I wasn't able to "See systemctl status systemd-cryptsetup@swap.service for details" since I was unable to get to the command line.  I have to boot with a bootdisk and manually remove the swap lines from crypttab and fstab to get back into my system.  Once booted without the swap "systemd-cryptsetup@swap.service" doesn't exist (which seems expected/normal).


Any ideas on what I'm missing?  A service that needs to be enabled maybe?


thnx
b1k

Last edited by blufinney (2015-02-12 22:02:34)

#2 2015-02-12 22:02:18

blufinney
Member
Registered: 2014-08-26
Posts: 59

Re: [SOLVED] dm-crypt/Swap encryption - Asks for Password on Boot

[SOLVED]

There seems to be an issue with partitioning a swap partition as "swap" (wtf?) when using dm-crypt/Swap encryption.  This is odd to me since reportedly systemd processes crypttab before fstab, but maybe it looks at the drives first before looking at either table file and then assumes all swaps are not encrypted and just mounts the standard unencrypted swap essentially reserving the partition so that dm-crypt can't access it - would be nice if systemd didn't do that, maybe not logically possible?  Or, time for a new partition type, encrypted-swap?  Anyway, I digress and notice that now my encrypted swap works as expected but still shows a partition type of "unknown" which feels like a hack.

So the solution:

sudo cryptsetup luksDump /dev/sdaX

Then follow the steps from the "dm-crypt/Swap encryption" wiki.  Aside from long term solutions maybe this could be added to that wiki article?

thanks!
b1k

#3 2015-02-12 22:32:00

frostschutz
Member
Registered: 2013-11-15
Posts: 1,409

Re: [SOLVED] dm-crypt/Swap encryption - Asks for Password on Boot

In other distros (Debian-derivatives) the crypttab swap line is sometimes ignored when there appears to be valid data on the partition; I thought that might be the case here, but when I tried, it happily formatted encrypted swap over a test ext2 LV.

#4 2015-02-13 00:05:14

blufinney
Member
Registered: 2014-08-26
Posts: 59

Re: [SOLVED] dm-crypt/Swap encryption - Asks for Password on Boot

me@blufinney.com wrote:

[SOLVED]

There seems to be an issue with partitioning a swap partition as "swap" (wtf?) when using dm-crypt/Swap encryption.  This is odd to me since reportedly systemd processes crypttab before fstab, but maybe it looks at the drives first before looking at either table file and then assumes all swaps are not encrypted and just mounts the standard unencrypted swap essentially reserving the partition so that dm-crypt can't access it - would be nice if systemd didn't do that, maybe not logically possible?  Or, time for a new partition type, encrypted-swap?  Anyway, I digress and notice that now my encrypted swap works as expected but still shows a partition type of "unknown" which feels like a hack.

So the solution:

sudo cryptsetup luksDump /dev/sdaX

Then follow the steps from the "dm-crypt/Swap encryption" wiki.  Aside from long term solutions maybe this could be added to that wiki article?

thanks!
b1k

Had more time to play with this.  The "cryptsetup" command isn't necessary.  While this effectively "fixed" my swap partition that was partitioned as a "swap" partition - all that one needs to do is partition their swap as anything BUT swap.  So maybe a quick blurb mentioning that in the "dm-crypt/Swap encryption" wiki article will save another noob a couple hours.  It is sorta mentioned in the "Swap (Activation by systemd)" wiki article but it's hard to understand what the author was trying to convey (after re-reading I'm still not sure what problem the author is solving exactly).

#5 2015-02-13 00:20:41

teateawhy
Member
From: GER
Registered: 2012-03-05
Posts: 1,138

Re: [SOLVED] dm-crypt/Swap encryption - Asks for Password on Boot

me@blufinney.com wrote:

Had more time to play with this.  The "cryptsetup" command isn't necessary.  While this effectively "fixed" my swap partition that was partitioned as a "swap" partition - all that one needs to do is partition their swap as anything BUT swap.  So maybe a quick blurb mentioning that in the "dm-crypt/Swap encryption" wiki article will save another noob a couple hours.  It is sorta mentioned in the "Swap (Activation by systemd)" wiki article but it's hard to understand what the author was trying to convey (after re-reading I'm still not sure what problem the author is solving exactly).

I am the author of this part :D
I agree that it is hard to understand what the problem is from the article. I am not sure if I can improve the explanation for myself.
I will try to explain it anyway:
The problem is that two mechanisms in systemd try to do the same thing, and the one that comes last fails.
This means you need to disable one of both mechanisms.

Last edited by teateawhy (2015-02-13 00:21:27)
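
Added example, not part of any post in this thread: a shell check for the condition the thread arrives at, a crypttab entry with the swap option whose backing partition is still typed as Linux swap. The function names, the EXAMPLE device paths and the sample crypttab are constructed for illustration; the check assumes lsblk's PARTTYPE column and the standard GPT and MBR type IDs for Linux swap.

```sh
#!/bin/sh
# Added example: flag crypttab swap entries whose partition is still typed as swap.
GPT_SWAP="0657fd6d-a4ab-43c4-84e5-0933c84b4f4f"  # GPT type GUID for Linux swap
MBR_SWAP="0x82"                                  # MBR type ID for Linux swap

# Print "name device" for each crypttab entry that carries the swap option.
crypttab_swap_devices() {
    while read -r name dev key opts; do
        case "$name" in ''|'#'*) continue ;; esac
        case ",$opts," in *,swap,*) printf '%s %s\n' "$name" "$dev" ;; esac
    done < "$1"
}

# Succeed if the given partition type (as printed by lsblk) is Linux swap.
is_swap_parttype() {
    t=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    [ "$t" = "$GPT_SWAP" ] || [ "$t" = "$MBR_SWAP" ]
}

# Real lookup: partition type of a device node, via util-linux lsblk.
parttype_of() { lsblk -dno PARTTYPE "$1" 2>/dev/null; }

# check_crypttab FILE [LOOKUP]: print one CONFLICT line per affected entry,
# return 1 if any was found. LOOKUP defaults to parttype_of.
check_crypttab() {
    lookup=${2:-parttype_of}
    crypttab_swap_devices "$1" | (
        rc=0
        while read -r name dev; do
            ptype=$("$lookup" "$dev")
            if is_swap_parttype "$ptype"; then
                echo "CONFLICT $name $dev type=$ptype"
                rc=1
            fi
        done
        exit "$rc"
    )
}

# Constructed sample: placeholder device names and a stand-in for lsblk.
sample=$(mktemp)
cat > "$sample" <<'EOF'
swap  /dev/disk/by-id/EXAMPLE-part3 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256
swap2 /dev/disk/by-id/EXAMPLE-part5 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256
home  /dev/disk/by-id/EXAMPLE-part4 none luks
EOF
sample_parttype() {
    case "$1" in *-part3) echo 0657FD6D-A4AB-43C4-84E5-0933C84B4F4F ;; *) echo 0x83 ;; esac
}
check_crypttab "$sample" sample_parttype || echo "retype the partition as anything but swap"
```

On a live system, `check_crypttab /etc/crypttab` uses the real lsblk lookup instead of the constructed stand-in.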

#6 2015-02-13 03:30:41

blufinney
Member
Registered: 2014-08-26
Posts: 59

Re: [SOLVED] dm-crypt/Swap encryption - Asks for Password on Boot

teateawhy wrote:

I am the author of this part :D
I agree that it is hard to understand what the problem is from the article. I am not sure if I can improve the explanation for myself.
I will try to explain it anyway:
The problem is that two mechanisms in systemd try to do the same thing, and the one that comes last fails.
This means you need to disable one of both mechanisms.

I can try to explain what was hard to follow on that section (from a noob/me standpoint).  Here are the questions that came to mind while initially reading the "Activation by systemd" section.

- in regards to swap system/file what runs first, systemd-fstab-generator, systemd-gpt-auto-generator or some other process?
- what reads crypttab? since we're talking swap this seems relevant - not sure if it's beyond the scope of page/section
- mostly helpful would be a conveyance of what scenarios the three bullet points were solving.  Maybe something more explicit about when these three points are relevant?  Systemd had no issue recognizing the "linux-swap" partition and automatically mounting it as a swap file until I completed the steps in dm-crypt/Swap encryption article (adding the needed lines to fstab and crypttab).  I read this section a few times looking for something about it helping an encrypted swap scenario but I kept thinking "nah, why would it matter in my case"

hopefully this helps
