I'll just write a quick how-to on using encrypted swap while still being able to suspend to disk under Linux, in this case Ubuntu/Debian with encrypted swap via device-mapper.
Quick intro first: when Linux suspends to disk, it actually writes the current state to the active swap. That's why you run into trouble when it's encrypted. I've seen people deactivating swap encryption completely to work around that. That's of course not an option, as if you don't encrypt swap you don't need to encrypt anything in the first place.
So you could go ahead and just deactivate swap encryption right before suspending and thus be able to resume. This would be one option and can easily be achieved. Still, why bother with encryption at all when you put the memory unencrypted to disk?
So, swap needs to be encrypted right before suspending, but in a way that will be resumable. Luckily, that's just what uswsusp supports.
sudo aptitude install uswsusp
Accept all default options when prompted.
sudo $EDITOR /etc/uswsusp.conf
and change the following variables:
resume device = /dev/sda2
compress = y
early writeout = y
RSA key file = /etc/uswsusp.key
encrypt = y
Leave the other options as they are.
sudo cat /etc/crypttab
You can replace some other things, but these options should be fine.
sudo suspend-keygen
You'll be asked some questions, default options should always be fine.
sudo chmod 400 /etc/uswsusp.key
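sudo mv /sbin/s2disk /sbin/s2disk-real
sudo tee /sbin/s2disk >/dev/null <<'EOF'
#!/bin/sh
DEVMAPDEVICE=cswap
SWAPDEVICE=/dev/sda2
# Tear down the encrypted swap and put a plain swap on the raw partition
swapoff -a
cryptsetup remove "$DEVMAPDEVICE"
mkswap "$SWAPDEVICE"
swapon "$SWAPDEVICE"
# Suspend; uswsusp writes its own encrypted image into the plain swap
/sbin/s2disk-real
# After resume: drop the plain swap and recreate the randomly keyed encrypted swap
swapoff "$SWAPDEVICE"
cryptsetup -d /dev/urandom -s 256 create "$DEVMAPDEVICE" "$SWAPDEVICE"
mkswap "/dev/mapper/$DEVMAPDEVICE"
swapon -a
EOF
sudo chmod 755 /sbin/s2disk
You should replace cswap with the name of your devmapper device and /dev/sda2 with the name of the actual swap device.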
This should do it. When you now suspend to disk, the encrypted swap will first be deactivated and replaced with an unencrypted swap. Within that, uswsusp will create its encrypted image from which you'll be able to reboot. After resume, the unencrypted swap will be deactivated and replaced with an encrypted one. This procedure, however, might not be 100% safe, since both when suspending to disk and when resuming from it, the temporarily created unencrypted swap might actually be used. I don't know enough about uswsusp to confirm that, though. Still, it seems an acceptable risk.
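
A check for the window described above, as an added example that is not part of the original how-to: it reads /proc/swaps-format text and reports every active swap area that is not a device-mapper node, with the KiB currently in use. It assumes, as in this setup, that the only device-mapper swap is the dm-crypt mapping; the function names and sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original how-to). Function names are hypothetical.
# Assumption: any /dev/mapper/* or /dev/dm-N swap is the dm-crypt mapping
# (cswap in this how-to). An LVM volume would also match, so adjust if you use LVM.

# plain_swaps: read /proc/swaps-format text on stdin and print "device used_kib"
# for every active swap area that is not a device-mapper node.
plain_swaps() {
    awk 'NR > 1 && $1 !~ /^\/dev\/(mapper\/|dm-[0-9]+$)/ { print $1, $4 }'
}

# check_swaps: return 0 if all active swap is on device-mapper, 1 otherwise.
# A non-zero "in use" figure means memory pages were written out in the clear.
check_swaps() {
    leaks=$(plain_swaps)
    if [ -z "$leaks" ]; then
        return 0
    fi
    printf '%s\n' "$leaks" | while read -r dev used; do
        echo "WARNING: unencrypted swap active on $dev ($used KiB in use)" >&2
    done
    return 1
}

# Constructed sample: the wrapper aborted after "swapon /dev/sda2",
# so the plain partition is still the active swap.
SAMPLE_DURING='Filename Type Size Used Priority
/dev/sda2 partition 2097148 5120 -2'

# Constructed sample: normal state after a successful resume.
SAMPLE_AFTER='Filename Type Size Used Priority
/dev/mapper/cswap partition 2097148 0 -2'

# Demo on the constructed samples; on a real system use: check_swaps < /proc/swaps
printf '%s\n' "$SAMPLE_DURING" | plain_swaps
printf '%s\n' "$SAMPLE_AFTER" | check_swaps && echo "all swap on device-mapper"
```

Running check_swaps < /proc/swaps right after a resume shows whether the wrapper finished and the encrypted mapping is back in place.
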
Note: In case you are using a bootsplash (default in Ubuntu Linux), you might not be presented with the password prompt when resuming. Instead, the system will stand still. In this case, you'll have to switch to the password prompt via CTRL-ALT-F1. Entering the password will then render the system usable again, running with encrypted swap (and running encrypted home-dirs, for example).
To suspend (be sure to have read the previous paragraph before suspending), simply enter:
sudo s2disk
There. Done.