[arch-general] Full system encryption with support for hibernation

Thomas Bächler thomas at archlinux.org
Sun Oct 25 12:02:40 EDT 2009


Thomas Bächler wrote:
>> How do you get both hibernation and full encryption working together?
> 
> It is possible. Consider the following setup:
> 
> You have two partitions, one small (50MB) /boot /dev/sda1, the rest 
> /dev/sda2. Now you create a LUKS-Volume in /dev/sda2, let's call this 
> volume enc. Inside /dev/mapper/enc create an LVM physical volume. Then, 
> create your root, swap, home, ... filesystems as logical volumes inside 
> the LVM (let's say they are called /dev/vg/{root,swap,home,...}). That 
> way, you just need to enter ONE passphrase to be able to access all your 
> volumes, including swap and root.
> 
> The installer (AIF) can set all the above up correctly, however, the 
> current version will make the wrong grub line. In the described setup, 
> it should be:
> 
> cryptdevice=/dev/sda2:enc root=/dev/vg/root resume=/dev/vg/swap ro
> 
> Your mkinitcpio.conf should have the following line:
> 
> HOOKS="base udev pata scsi sata keymap encrypt lvm2 resume filesystems"
> (note that lvm2 is before resume, not after)
> 
> This setup will make it possible to use hibernation on an encrypted 
> system without a separate key storage and without having to enter more 
> than one passphrase. It is also a very elegant setup, as you have the 
> usual advantages of LVM.
> 
> Have fun!

Forgot to add: This is supported out of the box by Arch without any 
modifications to mkinitcpio hooks (unlike the other suggested setups).

I have it set up right now, but I only hibernate rarely; I like suspend 
to RAM better.
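
An added sanity check for the layout described in this message (not part of the original post or of Arch's tooling): it verifies the hook order and the three kernel parameters. The function names and the rule that root=/resume= must not name the raw LUKS partition are assumptions of this example.

```shell
# Added example: sanity-check the hook order and kernel parameters for the
# LUKS -> LVM -> resume layout described in the post above.

# hook_index LINE NAME: print the 1-based position of NAME in a HOOKS= line.
hook_index() {
    hooks=$(printf '%s\n' "$1" | sed -e 's/^[[:space:]]*HOOKS=//' -e 's/[()"]//g')
    i=0
    for h in $hooks; do
        i=$((i + 1))
        if [ "$h" = "$2" ]; then echo "$i"; return 0; fi
    done
    return 1
}

# check_hooks LINE: succeed only if encrypt < lvm2 < resume < filesystems.
check_hooks() {
    prev=0
    for name in encrypt lvm2 resume filesystems; do
        pos=$(hook_index "$1" "$name") || { echo "missing hook: $name" >&2; return 1; }
        [ "$pos" -gt "$prev" ] || { echo "hook out of order: $name" >&2; return 1; }
        prev=$pos
    done
}

# check_cmdline CMDLINE: require cryptdevice=DEV:NAME, root= and resume=.
# Assumption of this example: root= or resume= naming the raw LUKS partition
# is an error, because both volumes live inside the unlocked container.
check_cmdline() {
    crypt='' root='' resume=''
    for arg in $1; do
        case $arg in
            cryptdevice=*:?*) crypt=${arg#cryptdevice=} ;;
            root=*)   root=${arg#root=} ;;
            resume=*) resume=${arg#resume=} ;;
        esac
    done
    [ -n "$crypt" ] && [ -n "$root" ] && [ -n "$resume" ] ||
        { echo "need cryptdevice=DEV:NAME, root= and resume=" >&2; return 1; }
    raw=${crypt%%:*}
    [ "$root" != "$raw" ] && [ "$resume" != "$raw" ] ||
        { echo "root=/resume= must not point at $raw" >&2; return 1; }
}

# Values as given in the post; on a real system, feed in the HOOKS line from
# /etc/mkinitcpio.conf and the contents of /proc/cmdline instead.
PAGE_HOOKS='HOOKS="base udev pata scsi sata keymap encrypt lvm2 resume filesystems"'
PAGE_CMDLINE='cryptdevice=/dev/sda2:enc root=/dev/vg/root resume=/dev/vg/swap ro'
check_hooks "$PAGE_HOOKS" && check_cmdline "$PAGE_CMDLINE" && echo "layout OK"
```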
