Wed Jan 9 02:39:42 CET 2008

encrypted swap and suspend to disk

I'll just write a quick how-to on using encrypted swap while still being able to suspend to disk under Linux, in this case Ubuntu/Debian with encrypted swap via device-mapper.

Quick intro first: when Linux suspends to disk, it writes the current state to the active swap. That's why you run into trouble when the swap is encrypted. I've seen people deactivating swap encryption completely to work around that. That's of course not an option: if you don't encrypt swap, you don't need to encrypt anything in the first place.

So you could go ahead and just deactivate swap encryption right before suspending and thus be able to resume. This would be one option and can easily be achieved. Still, why bother with encryption at all when you put the memory unencrypted on disk?
So the suspend image needs to be encrypted when it is written, but in a way that is resumable. Luckily, that's just what uswsusp supports.

  1. install uswsusp
    sudo aptitude install uswsusp
    accept all default options on prompt
  2. edit /etc/uswsusp.conf
    sudo $EDITOR /etc/uswsusp.conf and change the following variables:
    resume device = /dev/sda2
    compress = y
    early writeout = y
    RSA key file = /etc/uswsusp.key
    encrypt = y
    Leave the other options as they are.
    In this case you'll need to replace /dev/sda2 with your actual swap device (you might for example find it by looking at the device-mapper config: sudo cat /etc/crypttab). You can change some other things, but these options should be fine.
  3. create uswsusp keyfile
    You'll need a keyfile for the encryption to work. This should be saved in /etc/uswsusp.key (see above). When creating it, you should definitely set a password, which you'll have to enter on each resume from disk:
    sudo suspend-keygen
    You'll be asked some questions, default options should always be fine.
  4. ensure correct read permissions
    (I don't remember if the script sets them already, just to be sure)
    sudo chmod 400 /etc/uswsusp.key
  5. create wrapper script for s2disk
    Now the final and a bit more custom part: we'll place a wrapper around s2disk to disable swap right before suspending and enable it with encryption after resume.
    This should work with all swap-encryption mechanisms around, in this case I used device-mapper:
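    sudo mv /sbin/s2disk /sbin/s2disk-real
    sudo tee /sbin/s2disk >/dev/null <<'EOF'
    #!/bin/sh
    # wrapper around the real s2disk (moved to /sbin/s2disk-real above)
    DEVMAPDEVICE=cswap
    SWAPDEVICE=/dev/sda2
    # tear down the encrypted swap
    swapoff -a
    cryptsetup remove $DEVMAPDEVICE
    # plain swap on the raw device, for uswsusp to write its encrypted image to
    mkswap $SWAPDEVICE
    swapon $SWAPDEVICE
    # suspend; execution continues here after resume
    /sbin/s2disk-real "$@"
    # after resume: replace the plain swap with an encrypted one (fresh random key)
    swapoff $SWAPDEVICE
    cryptsetup -d /dev/urandom -s 256 create $DEVMAPDEVICE $SWAPDEVICE
    mkswap /dev/mapper/$DEVMAPDEVICE
    swapon -a
    EOF
    sudo chmod 755 /sbin/s2disk
    You should replace cswap with the name of your devmapper device and /dev/sda2 with the name of the actual swap device.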

This should do it. When you now suspend to disk, the encrypted swap will first be deactivated and replaced with an unencrypted swap. Within that, uswsusp will create its encrypted image, from which you'll be able to reboot. After resume, the unencrypted swap will be deactivated and replaced with an encrypted one. This procedure, however, might not be 100% safe, since both when suspending to and when resuming from disk the temporarily created unencrypted swap might actually be used. I don't know enough about uswsusp to confirm that, though. Still, it seems an acceptable risk.

Note: In case you are using a bootsplash (default in Ubuntu Linux), you might not be presented with the password prompt when resuming. Instead, the system will stand still. In this case, you'll have to switch to the password prompt via CTRL-ALT-F1. Entering the password there will render the system usable again, running with encrypted swap (and running encrypted home-dirs, for example).

To suspend (be sure to have read the previous paragraph before suspending..) simply enter:

sudo s2disk
There. Done.
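
A check for steps 2 to 4, added here as an example and not part of the original post: it reads a uswsusp config file and reports if encrypt is not y, if the resume device is unset, or if the RSA key file is missing or accessible to group/others. The function names conf_get and check_uswsusp are made up for this example.

```sh
#!/bin/sh
# Added example (not from the original post): audit the uswsusp settings
# from steps 2-4. Function names are hypothetical.

# conf_get FILE KEY: print the value of an uncommented "KEY = value" line
# (last occurrence wins, trailing whitespace stripped).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# check_uswsusp CONF: print one line per problem; return 0 only if none.
check_uswsusp() {
    conf=$1
    rc=0
    # Without encrypt = y the suspend image lands on the plain swap in the clear.
    if [ "$(conf_get "$conf" encrypt)" != "y" ]; then
        echo "encrypt is not set to y"
        rc=1
    fi
    if [ -z "$(conf_get "$conf" 'resume device')" ]; then
        echo "resume device is not set"
        rc=1
    fi
    key=$(conf_get "$conf" 'RSA key file')
    if [ -z "$key" ] || [ ! -f "$key" ]; then
        echo "RSA key file missing: ${key:-<unset>}"
        rc=1
    # Characters 5-10 of the ls mode string are the group and other bits.
    elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "RSA key file $key is accessible to group/others (want mode 400)"
        rc=1
    fi
    return $rc
}
```

Source the file and call check_uswsusp /etc/uswsusp.conf; no output and exit status 0 mean the settings from this how-to are in place.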

Posted by iso | Tags: ubuntu, linux