Encrypted swap partition does not show up in /dev/mapper

I followed these steps to convert my normal swap on /dev/sda4 (UUID 5da9c956-e544-47e3-bb8e-fe18d9531b2f) into an encrypted swap partition on 16.04:

  • Disable old swap partition and overwrite it with zeroes:

    sudo swapoff -a
    sudo dd if=/dev/zero of=/dev/sda4 bs=4M
    
  • Install cryptsetup:

    sudo apt install cryptsetup
    
  • Edit /etc/crypttab to contain this:

    # <target name> <source device>                 <key file>  <options>
    cryptswap   UUID=5da9c956-e544-47e3-bb8e-fe18d9531b2f   /dev/urandom    swap
    
  • Edit /etc/fstab to remove the old swap line and replace it with this one:

    # cryptswap on /dev/sda4 configured in /etc/crypttab
    /dev/mapper/cryptswap               none        swap    sw  0   0
    
  • Reload cryptdisks configuration:

    sudo service cryptdisks reload
    sudo service cryptdisks-early reload
    
  • Enable the new encrypted swap:

    sudo swapon -a
    

However, this last step gave me the following error message:

swapon: stat of /dev/mapper/cryptswap failed: No such file or directory

Indeed, the encrypted device file seems not to have been created:

$ ls -la /dev/mapper/
total 0
drwxr-xr-x  2 root root      60 Aug 10 18:50 .
drwxr-xr-x 20 root root    4780 Aug 10 20:16 ..
crw-------  1 root root 10, 236 Aug 10 18:50 control

What went wrong here and how do I get my encrypted swap partition to work?


Solution 1:

You have a problem with your /etc/crypttab file that's causing eveything to go south, and a problem with your swap partition.

First off, you need to mkswap the partition that you want to use for your encrypted swap file. The cryptdisk utility expects your partition to be swap, so you should keep it as such:

sudo mkswap /dev/sda4

Now, note that this will change the partition's UUID. Get the new one with the following command, and make note of it:

sudo blkid /dev/sda4

Now, we need to deal with the larger problem at hand: your /etc/crypttab file. Replace it with the following:

# <target name>  <source device>        <key file>     <options>
cryptswap        UUID=<Your new UUID>   /dev/urandom   swap,offset=1024

Reboot the system, and you should have a working swap!


You have your cryptswap set up currently to recreate the entire partition as an encrypted swap. This is Not Good™, because we need to preserve the UUID. By offsetting the swap by 1024 blocks, we preserve the critical filesystem info, including the UUID.