[arch-general] Full system encryption with support for hibernation

Cedric Staniewski cedric at gmx.ca
Sun Oct 25 12:10:34 EDT 2009


Thomas Bächler wrote:
> Karol Babioch schrieb:
>> Hi,
>>
>> I've recently set up full encryption of my system (including swap), but
>> therefore lost the possibility to suspend my device to disk (hibernate).
>>
>> The only way mentioned in the wiki is highly not recommended as you
>> would have to place your key on the unencrypted boot partition, which
>> basically conflicts with the idea of full encryption (see
>> http://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-crypt#Encrypted_swap_with_suspend-to-disk_support).
>>
>>
>> By looking for some solution, the only thing I could figure out was to
>> set up lvm, and encrypting the whole lvm partition, which would include
>> the swap. This way all of my stuff would get unlocked, including the
>> swap and therefore my system could resume from a former hibernation.
>>
>> Before setting this up (which will cost some time, as I have to back up,
>> configure and restore my stuff) I wanted to ask you, whether this will
>> work as supposed, and if there may be any better solutions?
>>
>> How do you get both hibernation and full encryption working together?
> 
> It is possible. Consider the following setup:
> 
> You have two partitions, one small (50MB) /boot /dev/sda1, the rest
> /dev/sda2. Now you create a LUKS-Volume in /dev/sda2, let's call this
> volume enc. Inside /dev/mapper/enc create a LVM physical volume. Then,
> create your root, swap, home, ... filesystems as logical volumes inside
> the LVM (let's say they are called /dev/vg/{root,swap,home,...}). That
> way, you just need to enter ONE passphrase to be able to access all your
> volumes, including swap and root.
> 
> The installer (AIF) can set all the above up correctly, however, the
> current version will make the wrong grub line. In the described setup,
> it should be:
> 
> cryptdevice=/dev/sda2:enc root=/dev/vg/root resume=/dev/vg/swap ro
> 
> Your mkinitcpio.conf should have the following line:
> 
> HOOKS="base udev pata scsi sata keymap encrypt lvm2 resume filesystems"
> (note that lvm2 is before resume, not after)
> 
> This setup will make it possible to use hibernation on an encrypted
> system without a separate key storage and without having to enter more
> than one passphrase. It is also a very elegant setup, as you have the
> usual advantages of LVM.
> 
> Have fun!
> 

Wow, thanks for this tutorial. Hopefully, I remember this mail when I set up my box again.
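A small added sanity check, not part of the thread, for the two lines Thomas gives above: it verifies that encrypt, lvm2 and resume appear in that order in HOOKS, and that the kernel command line carries cryptdevice=, root= and resume=. The hook names and sample lines are the ones quoted in the mail; nothing here touches a disk.

```shell
#!/bin/sh
# Added example, not from the thread: check mkinitcpio HOOKS ordering and the
# kernel command line for the LUKS -> LVM -> swap layout described above.

# index_of WORD LIST: print the 1-based position of WORD in LIST, or 0.
index_of() {
    i=0
    for w in $2; do
        i=$((i + 1))
        [ "$w" = "$1" ] && { echo "$i"; return 0; }
    done
    echo 0
}

# check_hooks LINE: accept either the bare hook list or a full
# HOOKS="..." line; succeed only if encrypt < lvm2 < resume.
# (lvm2 must run before resume, or /dev/vg/swap does not exist yet.)
check_hooks() {
    hooks=${1#HOOKS=}; hooks=${hooks#\"}; hooks=${hooks%\"}
    e=$(index_of encrypt "$hooks")
    l=$(index_of lvm2 "$hooks")
    r=$(index_of resume "$hooks")
    [ "$e" -gt 0 ] || return 1
    [ "$l" -gt "$e" ] || return 1
    [ "$r" -gt "$l" ]
}

# check_cmdline CMDLINE: succeed only if cryptdevice=DEV:NAME, root= and
# resume= are all present and non-empty.
check_cmdline() {
    crypt=""; root=""; resume=""
    for arg in $1; do
        case "$arg" in
            cryptdevice=*) crypt=${arg#cryptdevice=} ;;
            root=*)        root=${arg#root=} ;;
            resume=*)      resume=${arg#resume=} ;;
        esac
    done
    case "$crypt" in *:*) ;; *) return 1 ;; esac   # needs DEV:NAME form
    [ -n "$root" ] && [ -n "$resume" ]
}

# Demo on the lines from the mail (constructed call, prints ok/BAD).
check_hooks 'HOOKS="base udev pata scsi sata keymap encrypt lvm2 resume filesystems"' \
    && echo "hooks: ok" || echo "hooks: BAD"
check_cmdline "cryptdevice=/dev/sda2:enc root=/dev/vg/root resume=/dev/vg/swap ro" \
    && echo "cmdline: ok" || echo "cmdline: BAD"
```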

