Arch Linux

paper_towels_99

Member

Registered: 2024-07-06

Posts: 2

[SOLVED] Luks encryption not activating on hibernate

Hello

I've installed arch with KDE and luks encryption. I have 3 partitions, boot (unencrypted), swap (encrypted), root (encrypted).
I believe i have configured luks correctly, I have to type 2 passwords in on boot, one for the root and one for the swap.

When i hibernate the machine, upon wake i do not have to type in a drive encryption passphrase and instead go straight to the user login which i assume means it's held in memory somewhere thus not secure. I am not doing hybrid sleep, only hibernate.
This happens both through the KDE hibernate menu and when i run systemctl hibernate or systemctl suspend.

Have i set this up wrong or do I need to call cryptsetup luksSuspend at some point in the hibernation process? I am a noob so I'm not sure which file it should go into. Ic an change the swap partition to a swap file in root if that will fix the problem.
I would like the encryption passphrase to be wiped from memory each time the system is hibernated or shut down. Currently this only happens when the machine is shut down.
I am using only a passphrase, not the key files.

I've seen the arch-luks-suspend on AUR but it is rather old so i'm not sure whether to use it: https://aur.archlinux.org/packages/arch … spend-git/

Thanks in advance

Last edited by paper_towels_99 (2024-07-11 17:15:25)

frostschutz

Member

Registered: 2013-11-15

Posts: 1,647

Re: [SOLVED] Luks encryption not activating on hibernate

The issue with luksSuspend is, once you suspend the rootfs, you can possibly no longer run cryptsetup again to make luksResume work (since it is now residing on the suspended partition) and other such issues with services relying on a suspended /.

If you can't luksResume, you're in a deadlock. Hence the idea of creating some in-memory environment (like initramfs) with cryptsetup and all to perform the luksResume for you.

The project you linked seems to follow that idea, and it relies on the 'shutdown' initcpio hook to provide /run/initramfs.

I have not tested whether it works... but it seems to be a good starting point, so, good luck...?

yataro

Member

Registered: 2024-03-09

Posts: 93

Re: [SOLVED] Luks encryption not activating on hibernate

I have no problem with hibernation on my LUKS setup (no extra software used), it requires my LUKS password when resuming. What you get sounds like you are doing "hybrid suspend" (OR there's an issue with setup), see https://wiki.archlinux.org/title/Power_ … _hibernate
System log (after hibernation and resuming) may shed some light on your situation

frostschutz

Member

Registered: 2013-11-15

Posts: 1,647

Re: [SOLVED] Luks encryption not activating on hibernate

Yeah, basically I always mix up those terms... if you're suspending to disk and it does not ask any passphrase on resume, then your swap probably isn't encrypted.

paper_towels_99

Member

Registered: 2024-07-06

Posts: 2

Re: [SOLVED] Luks encryption not activating on hibernate

Hi,

I fixed the problem by removing the kms hook because i didn't do that after i installed the nvidia drivers.... I kinda skipped over that bit in the docs.
Similarly I set the resume parameter in grub to the drive UUID instead of the mapped folder /dev/mapper/cryptoroot which also caused an error.
Essentially this is mostly my fault for not reading the docs. All is working now so I am happy :-)

I originally had problems where the laptop would wake from hibernate immediately and not engage the disk encryption. Turns out after looking at the journalctl logs that the device never actually made it into hibernate.
I guess the good news is I've learned more about linux than i wanted to and learned to follow the docs more closely.

Thank you for your help anyway.

theRedCyclops

Member

Registered: 2022-06-17

Posts: 69

Re: [SOLVED] Luks encryption not activating on hibernate

If you have solved your issue mark the thread as solved by adding [SOLVED] to the start of the title