Encrypted home partition + encrypted swap + working hibernate

hibernate encryption trim swap 13.10

Solution 1:

I managed to set up an encrypted home and encrypted swap with working hibernate.

I use uswsusp and largely followed this article - still works for Ubuntu 13.10.

  • On boot, I get two password prompts (one for home and one for swap) under the Ubuntu logo.
  • With apt-get install uswsusp, Ubuntu automatically switched pm-hibernate to use uswsusp, so all GUI tools use it as well.
  • On resume from hibernate, I get one password prompt as expected.

Some parts of my setup:

Creating the encrypted partitions

# For /home
sudo cryptsetup --cipher aes-xts-plain --key-size 256 --hash sha512 --use-random --verify-passphrase luksFormat /dev/sdb2
# For swap
sudo cryptsetup --cipher aes-xts-plain --key-size 256 --hash sha512 --use-random --verify-passphrase luksFormat /dev/sdb3

  • I use aes-xts-plain because it is the fastest in cryptsetup benchmark (only works with cryptsetup >= 1.6). Many guides uses aes-cbc-essiv, but from what I've read so far, xts protects against watermarking just as well as cbc-essiv. If you use partitions >= 2TB, you should use aes-xts-plain64 instead of -plain. More info about these options and choices can be found here.

  • After creating these partitions, you of course have to create the according filesystems on them, e.g. with mkswap /dev/mapper/cryptoposwap and mkfs.ext4 /dev/mapper/cryptohome.

/etc/crypttab

cryptohome   /dev/disk/by-uuid/8cef7fd1-cceb-4a4a-9902-cb9a5805643c   none   luks,discard
cryptoswap   /dev/disk/by-uuid/a99c196d-55df-460f-a162-00c4ea6d46e6   none   luks,discard

/etc/fstab

UUID=a4a2187d-a2d2-4a4c-9746-be511c151296  /       ext4   errors=remount-ro  0  1
/dev/mapper/cryptoswap                     none    swap   sw,discard         0  0
/dev/mapper/cryptohome                     /home   ext4   discard            0  2
  • I use the discard option in boths crypttab and fstab to enable TRIM for the SSD I'm using.
  • I had to adjust /etc/initramfs-tools/conf.d/resume away from the old swap UUID to the new /dev/mapper/cryptoswap to get rid of a warning at update-initramfs -u -k all.

This is still very similar to EnableHibernateWithEncryptedSwap, but it looks like I didn't have to edit /usr/share/initramfs-tools/scripts/local-top/cryptroot, /etc/acpi/hibernate.sh (if you have a hint why it was needed, please leave a comment - maybe the difference is that this setup uses uswsusp?).

Related

How to maintain a file's 'last modified' date?
Can't boot Ubuntu 17.10: [Firmware Bug]: ACPI region does not cover the entire command/response buffer
Passing multiple commands to gnome-terminal from a script
How to enable File Manager to handle desktop after removing GNOME 3?
Why does removing a "metapackage" not remove the dependencies which it installed?
Installing Japanese language support from command-line
Inconsistent booting problem 12.04LTS on Asus U46E RAL7
Transmission shutdown script for multiple torrents?
Email icons missing from the Panel after upgrading to Ubuntu 14.04
Entire system freezing after pressing "Suspend" [closed]
Microsoft Arc Touch Mouse doesn't working on Ubuntu 14.04
Schemas missing - Unity Tweak Tool