Hi,
this is my first Arch setup and I'm stuck at encrypting my swap partition.
At startup I get:
[FAILED] Failed to start Cryptography Setup for swap.
See 'systemctl status systemd-cryptsetup@swap.service' for details.
systemctl status systemd-cryptsetup@swap.service:
systemd-cryptsetup@swap.service - Cryptography Setup for swap
Loaded: loaded (/etc/crypttab)
Active: activating (start) since Sun 2015-10-11 17:12:55 CEST; 3min 6s ago
Docs: man:crypttab(5)
man:systemd-cryptsetup-generator(8)
man:systemd-cryptsetup@.service(8)
Main PID: 493 (systemd-cryptse)
CGroup: /system.slice/system-systemd\x2dcryptsetup.slice/systemd-cryptsetup@swap.service
└─493 /usr/lib/systemd/systemd-cryptsetup attach swap /dev/disk/by-uuid/5ed79bf2-7422-4b34-8516-084dd5b3e3f5 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256
Oct 11 17:12:55 derheimel systemd[1]: Starting Cryptography Setup for swap...
Oct 11 17:12:55 derheimel systemd-cryptsetup[493]: Encountered unknown /etc/crypttab option 'noearly', ignoring.
Oct 11 17:12:55 derheimel systemd-cryptsetup[493]: Set cipher aes, mode cbc-essiv:sha256, key size 256 bits for device /dev/disk/by-uuid/5ed79bf2-7422-4b34-8516-084dd5b3e3f5.
Oct 11 17:12:55 derheimel systemd-cryptsetup[493]: Failed to activate with key file '/dev/urandom': Device or resource busy
crypttab:
swap UUID=5ed79bf2-7422-4b34-8516-084dd5b3e3f5 /dev/urandom swap,noearly,cipher=aes-cbc-essiv:sha256,size=256
fstab:
# /dev/mapper/swap
/dev/mapper/swap none swap sw 0 0
lsblk:
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 477G 0 disk
|-sda1 8:1 0 300M 0 part
|-sda2 8:2 0 100M 0 part /boot
|-sda3 8:3 0 128M 0 part
|-sda4 8:4 0 133.3G 0 part
|-sda5 8:5 0 450M 0 part
|-sda6 8:6 0 3.8G 0 part [SWAP]
`-sda7 8:7 0 339G 0 part
`-root 254:0 0 339G 0 crypt /
I hope I didn't forget anything, thanks.
This kind of encrypted swap partition normally won't have a UUID. (plain encryption mode encrypts even the UUID)
That's why https://wiki.archlinux.org/index.php/Dm … encryption uses /dev/sdxy (dangerous if device names change) or /dev/disk/by-id/HDD-serial-PARTX and not UUID=12345
It's not a particularly good method in general.
Last edited by frostschutz (2015-10-11 16:13:06)
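A small crypttab lint, written as an added example for this thread (not code from the wiki or from any poster), that flags what the replies above point at: a UUID= or LABEL= source paired with a /dev/urandom key, which stops resolving after the first activation because plain mode leaves no header behind, plus the unknown noearly option and bare kernel device names. The sample crypttab text is constructed from the original post; the by-id path in its second line is a placeholder.

```shell
#!/bin/sh
# Lint /etc/crypttab entries for random-key (plain dm-crypt) swap.
# Constructed example for this thread; not the wiki's or the poster's code.

# Constructed sample: line 1 is the poster's entry, line 2 a by-id variant
# with a placeholder disk id.
SAMPLE_CRYPTTAB='# <name> <device> <keyfile> <options>
swap UUID=5ed79bf2-7422-4b34-8516-084dd5b3e3f5 /dev/urandom swap,noearly,cipher=aes-cbc-essiv:sha256,size=256
swap2 /dev/disk/by-id/ata-EXAMPLEDISK-part6 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256
'

# check_entry NAME DEVICE KEYFILE OPTIONS: print one finding per line.
check_entry() {
    name=$1 dev=$2 key=$3 opts=$4
    case "$key" in
    /dev/urandom|/dev/random)
        case "$dev" in
        UUID=*|LABEL=*|/dev/disk/by-uuid/*|/dev/disk/by-label/*)
            # Plain mode has no header: the partition contents, including the
            # swap signature whose UUID/LABEL blkid reports, are overwritten
            # with ciphertext under a key that changes every boot, so this
            # identifier is gone after the first activation. PARTUUID and
            # /dev/disk/by-id come from the partition table and stay valid.
            echo "$name: random key with $dev, identifier will not survive first activation";;
        /dev/sd*|/dev/nvme*|/dev/vd*)
            echo "$name: kernel device name $dev may change between boots";;
        esac
        # Without the swap option mkswap is not run on the fresh mapping.
        case ",$opts," in *,swap,*) ;; *)
            echo "$name: swap option missing, mapping will not be made swap";;
        esac;;
    esac
    case ",$opts," in *,noearly,*)
        echo "$name: option noearly is not understood by systemd-cryptsetup";;
    esac
}

# lint_crypttab: read crypttab text on stdin, skipping comments and blanks.
lint_crypttab() {
    while read -r name dev key opts; do
        case "$name" in ''|\#*) continue;; esac
        check_entry "$name" "$dev" "$key" "$opts"
    done
}

# count_findings: number of findings for crypttab text on stdin.
count_findings() { lint_crypttab | grep -c .; }

printf '%s' "$SAMPLE_CRYPTTAB" | lint_crypttab
```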
Why would one want to encrypt swap separately instead of encrypting the whole disk?
uname == latest pf-kernel
Why would one want to encrypt swap separately instead of encrypting the whole disk?
Swap can be dumped when the computer/drive is stolen and that swap will most likely contain the master key for the encrypted root, completely making the rest of the device wide open for those who want to unlock it. So if you encrypt root and want to use swap or even hibernate, you're pretty much forced to encrypt the swap partition as well since it will contain the master key for all encrypted filesystems. No need for LVM.
If you only want to use swap then you don't have to have a static key. You can use /dev/urandom and use a new key every boot, making it theoretically impossible to crack. If you want to use hibernation then you need to use a static key. That key can be stored on the encrypted root filesystem since you need to unlock that when you resume from a hibernation. The boot process is nearly identical: the root partition is unlocked first, and the swap can thereafter be unlocked using a key stored on the encrypted root drive.
I just completed encrypting my swap for use with hibernation. I followed the wiki, rebooted a few times and saw my mistakes. It now works like a charm. If the swap partition is still marked as a swap partition in the partition table then systemd will try to auto-mount it, but it will fail because it's a LUKS formatted drive. It has to be flagged with flag 63, which disables auto-mounting, and systemd respects this. The swap is then added to the fstab, which makes the swap available in the end anyway. I haven't touched crypttab since that wiki has no references to it. The file /etc/crypttab is not used for root filesystem encryption nor on a swap partition that's used for hibernation.
dm-crypt/Swap encryption (I did this just a few minutes ago and the wiki is really helpful)
Don't obtain the UUID before you've formatted, mapped and run mkswap. When you've done this and have tested it then you can use blkid to get the correct UUID. Each time you use cryptsetup formatting it will get a new UUID.
Last edited by SaltySockets (2015-10-11 17:09:50)
Swap can be dumped when the computer/drive is stolen and that swap will most likely contain the master key for the encrypted root, completely making the rest of the device wide open for those who want to unlock it. So if you encrypt root and want to use swap or even hibernate, you're pretty much forced to encrypt the swap partition as well since it will contain the master key for all encrypted filesystems. No need for LVM.
Encrypting the whole disk makes swap encrypted as well. But then you need LVM, of course.
uname == latest pf-kernel
As post-factum says, encrypting a single partition and then creating LVM partitions inside that encrypts everything and you only need to unlock one. You can also create a swap file, which is just as good as a partition imo. There is a question of whether you even need swap, which would depend on your uses and hardware.
UUID is not the same.
To identify, use this -> https://wiki.archlinux.org/index.php/Dm … encryption
specifically ls -l /dev/disk/*/* | grep sdaX (X being your swap partition)
It's by the id, not UUID. Also use the full path.
Last edited by bleach (2015-10-12 12:45:28)
This kind of encrypted swap partition normally won't have a UUID. (plain encryption mode encrypts even the UUID)
In case this is still relevant, someone else had similar crypt swap issues on IRC today.
I added a sub-section in the Wiki that explains how to use this non-persistent urandom-key swap with UUID and LABEL: https://wiki.archlinux.org/index.php/Dm … _and_LABEL