Swap encryption and hibernating
I run Ubuntu 12.04 on my laptop, with an encrypted home folder + swap partition. Before I had this encrypted setup, I used to have my hibernation enabled. I found this documentation on how to enable hibernation with an encrypted swap.
Now the thing that bothers me about using the solution as given in the documentation is that, apart from having to type my password to log in to my user account, I have to type a separate password to mount my swap partition.
A possible solution to this is (is it?) to enable my user account to automatically log in (so as to skip the login screen) and view the mounting of the swap partition as an alternative login screen. Note that I am the only user of my laptop.
The only drawback to this method is that after 3 password attempts the system continues booting anyway, though without mounting the swap partition, leaving my desktop freely available to anybody.
As I would like to use hibernation while having only to type my password once at startup, my question thus is whether it would be possible to:
- either make the password-attempt count infinite,
- or alternatively let the system reboot itself after three attempts (starting the cycle over again),
and, if this is possible,
- whether it would pose a security breach not thought of by me,
and, if not possible, whether there would be another creative alternative allowing me and other users to use hibernate in combination with encryption without having to type two passphrases at boot.
Thank you very much for any help!
Solution 1:
The suggestion:
You could just create 2 partitions on your disk.
- a small partition to hold /boot (unencrypted)
- the rest of the disk, to be used as a physical volume for encryption.
I'd then configure encryption on the second partition and use LVM to create 2 volumes: /dev/vg0/root and /dev/vg0/swap
Advantages:
- You don't have to worry about encrypting individual partitions.
- Apart from /boot, which holds your kernel, everything else is encrypted, which protects you from someone rebooting your machine, entering single-user mode and modifying your OS to allow them to easily get your data from your encrypted home anyway.
- You only enter the encryption key once per boot.
- I know you said you're the only user but you could add separate passphrases (key slots) for other users if you had to.
As to the other part of your question: I don't remember if this method asks repeatedly for the password and I don't think this by itself would be a security risk, as long as there's a delay after an incorrect password is given (to thwart brute-force attacks).
How it's done:
I never use the GUI for installation, and apparently you cannot use it to create an LVM on top of a LUKS-encrypted block device.
The workaround I've tested:
- Download the netboot ISO image for amd64 or i386 and burn it onto a CD.
- When you boot from it, choose 'Install' from the menu
- Answer a few basic questions, create a non-root user, and choose NOT to encrypt the home directory. This isn't what we want here.
- When you get to the 'Partition disks' dialog, choose 'Manual'.
- Create an empty partition table on the disk if you need to and then 2 primary partitions.
- first primary partition for /boot and make it 512MB. This is where your kernel and initrd images will reside and will remain unencrypted.
- second primary partition to cover the remaining space and choose its type as 'physical volume for encryption'.
- Proceed to Configure encrypted volumes, save the changes and encrypt /dev/sda2, choose a password and finish. At this point you'll have an encrypted volume sda2_crypt.
- Choose to use it as a physical volume for LVM.
- Proceed to configure the Logical Volume Manager. Create a volume group vg0 on /dev/mapper/sda2_crypt.
- Create 2 logical volumes within that group.
- swap - however large you need it to be (I chose 1GB)
- root - use the remaining space
- At this stage, you should see the following configuration:
- Choose an FS for your root logical volume and configure it to be mounted as / and the swap LV to be used as swap space.
- Write changes to disk and proceed with the installation.
- Later on you'll be asked which packages to install (tasksel) and you can safely go with ubuntu-desktop
- When asked where to install Grub to, I chose MBR since I don't have any other OSes on my machine.
And that's really one of the few reasons I always choose the netboot images. I don't want to be held back until the developers port the functionality that works perfectly well in a way that's pretty enough to be included in the GUI installer.
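The layout above still needs the initramfs to be told which container to unlock and which device holds the hibernation image, which is what makes "one passphrase per boot, resume from encrypted swap" work. The script below is an added example, not part of the answer; it assumes the answer's names (/dev/sda2, sda2_crypt, vg0-root, vg0-swap) and writes into a staging directory so the files can be checked before they go under /etc.

```shell
#!/bin/sh
# Added example: generate and sanity-check the three files initramfs-tools
# and the boot process read for a LUKS -> LVM -> swap hibernation setup.
# Device names below are assumptions matching the answer's layout.
set -eu

LUKS_NAME=sda2_crypt                 # mapper name chosen in the installer
SWAP_LV=/dev/mapper/vg0-swap         # swap LV inside the encrypted VG
ROOT_LV=/dev/mapper/vg0-root         # root LV inside the encrypted VG

# write_hibernate_config STAGING_ROOT LUKS_UUID
#   LUKS_UUID is the UUID of the LUKS container itself,
#   i.e. the output of: blkid -s UUID -o value /dev/sda2
write_hibernate_config() {
    root="$1"
    luks_uuid="$2"
    mkdir -p "$root/etc/initramfs-tools/conf.d"
    # crypttab: unlock the container from the initramfs. "none" means no
    # keyfile, so this is the single passphrase prompt per boot.
    printf '%s UUID=%s none luks\n' "$LUKS_NAME" "$luks_uuid" \
        > "$root/etc/crypttab"
    # The swap LV only exists after sda2_crypt is open and vg0 is active,
    # so the resume device is the mapper path, not a raw partition.
    printf 'RESUME=%s\n' "$SWAP_LV" \
        > "$root/etc/initramfs-tools/conf.d/resume"
    printf '%s / ext4 errors=remount-ro 0 1\n%s none swap sw 0 0\n' \
        "$ROOT_LV" "$SWAP_LV" > "$root/etc/fstab"
}

# check_hibernate_config STAGING_ROOT
#   Returns 0 when RESUME points at the swap device listed in fstab and the
#   crypttab target is the expected mapper name; a mismatch here is the
#   usual reason a resume silently falls back to a cold boot.
check_hibernate_config() {
    root="$1"
    resume=$(sed -n 's/^RESUME=//p' "$root/etc/initramfs-tools/conf.d/resume")
    swapdev=$(awk '$3 == "swap" { print $1 }' "$root/etc/fstab")
    crypt_target=$(awk 'NF { print $1 }' "$root/etc/crypttab")
    [ "$resume" = "$swapdev" ] && [ "$crypt_target" = "$LUKS_NAME" ]
}

# On the real system, after reviewing the staged output:
#   write_hibernate_config / "$(blkid -s UUID -o value /dev/sda2)"
#   check_hibernate_config / && update-initramfs -u
```

Run it against a temporary directory first; only the last two commented lines touch the installed system, and update-initramfs -u is what bakes the crypttab and RESUME settings into the initrd.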