stop crypttab asking for password for swap

Solution 1:

Had the same question, here is how i did it on ubuntu 12.04.1 and 12.10,

--before starting make sure you have a backup and can also boot your system with ubuntu cd or usb; as if you make a mistake, your system may not boot anymore or you may loss data. i assume you have an encrypted ubuntu system with LUKS, inside LUKS you have 3 partitions, SYSTEM-BOOT (not encrypted), SYSTEM-SWAP (encrypted) and SYSTEM-OS (encrypted)--

u need to adjust UUIDs, SYSTEM-SWAP_crypt, SYSTEM-OS_crypt, SYSTEM-SWAP, SYSTEM-OS to the variation used on your system, pls see reference link below my solution for more info

Get UUIDs:

blkid

Prepare >

swapoff /dev/mapper/SYSTEM-SWAP_crypt
cryptsetup luksClose SYSTEM-SWAP_crypt

Tell cryptsetup to compute the passphrase of the swap partition from the decryption key of the volume holding the root filesystem >

/lib/cryptsetup/scripts/decrypt_derived SYSTEM-OS_crypt | cryptsetup luksFormat /dev/mapper/SYSTEM-SWAP --key-file -
/lib/cryptsetup/scripts/decrypt_derived SYSTEM-OS_crypt | cryptsetup luksOpen /dev/mapper/SYSTEM-SWAP SYSTEM-SWAP_crypt --key-file -
mkswap /dev/mapper/SYSTEM-SWAP_crypt

tell the system about swap partition, edit crypttab>

nano /etc/crypttab

=? make sure two lines match

SYSTEM-OS_crypt UUID=uuid-of-luks-containing-osroot none luks
SYSTEM-SWAP_crypt UUID=uuid-of-luks-containing-swap SYSTEM-OS_crypt luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived

tell the system about swap partition, edit fstab>

nano /etc/fstab

=? make sure u have this line

/dev/mapper/SYSTEM-SWAP_crypt swap swap sw 0 0

tell the system about swap partition, edit resume>

nano /etc/initramfs-tools/conf.d/resume

=? make sure u have this line

RESUME=UUID=uuid-of-encrypted-swap-SYSTEM-SWAP_crypt

update initramfs on boot partition >

update-initramfs -u -k all

Reference

The answer inspired by Setting up an encrypted Debian system (archived link):

If you are using an encrypted Debian system, you likely have some security requirements to meet. If that's the case, you must also use an encrypted swap partition.

The swap partition can be encrypted in two ways:

  • it can be recreated on every boot, using a random passphrase, or
  • it can be created like the other encrypted volumes with a persistent passphrase

If you want to use suspend-to-disk, you cannot use the first approach as it would overwrite your memory footprint stored in the swap partition. Furthermore, you cannot use a key file like the other partitions, since the root filesystem is not (and must not) be mounted by the time the resume process starts and needs to read the decrypted swap partition.

The way I solved this is by telling cryptsetup to compute the passphrase of the swap partition from the decryption key of the volume holding the root filesystem; the cryptsetup package implements this with /lib/cryptsetup/scripts/decrypt_derived. Thus, to set up the swap partition, I do the following, assuming hda2 is the partition holding the encrypted swap and the root filesystem is in hda5_crypt:

swapoff /dev/mapper/hda2_crypt
cryptsetup luksClose hda2_crypt
dd if=/dev/urandom of=/dev/hda2
/lib/cryptsetup/scripts/decrypt_derived hda5_crypt \
  | cryptsetup luksFormat /dev/hda2 --key-file -
/lib/cryptsetup/scripts/decrypt_derived hda5_crypt \
  | cryptsetup luksOpen /dev/hda2 hda2_crypt --key-file -
mkswap /dev/mapper/hda2_crypt

To tell the system about this swap partition, we need to add it to /etc/crypttab and /etc/fstab; make sure, those files contain lines like the following:

/etc/crypttab:
  hda2_crypt /dev/hda2 hda5_crypt luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived

/etc/fstab:
  /dev/mapper/hda2_crypt swap swap sw 0 0

With this in place, as soon as you configure the system for suspend-to-disk, the swap partition will be automatically set up alongside the root filesystem very early during the boot sequence. To figure out which swap partition to make available at that point, cryptsetup checks the following: asfasfafs - a line like RESUME=/dev/mapper/hda2_crypt in /etc/initramfs-tools/conf.d/resume - a resume device setting in /etc/uswsusp.conf (see uswsusp.conf(5)) - an entry in /etc/suspend.conf - a resume=/dev/mapper/hda2_crypt in the kernel command line

You can inspect /usr/share/initramfs-tools/hooks/cryptroot if you want to know more about this.

Solution 2:

This probably indicates that the swap partition is being accessed during the initramfs portion of the boot process. At this point the root file system has not yet been mounted, so any configuration files stored there won't be visible.

While the swap space is mounted after the root file system, there is a reason for the initramfs initialisation process to access the swap space: when you hibernate your computer, the contents of memory and system state is written to swap. In order to resume from hibernation, it is necessary to check if the swap space contains a hibernation image which would require the pass phrase.

If you don't mind losing the ability to resume from hibernation, you can disable this behaviour by editing /etc/initramfs-tools/conf.d/resume and commenting out the line starting with RESUME=. After making the change, run update-initramfs -u to update the initramfs image.