[arch-general] Full system encryption with support for hibernation

Thomas Bächler thomas at archlinux.org
Sun Oct 25 12:01:11 EDT 2009


Karol Babioch schrieb:
> Hi,
> 
> I've recently set up full encryption of my system (including swap), and
> as a result lost the possibility to suspend my device to disk (hibernate).
> 
> The only way mentioned in the wiki is strongly discouraged, as you
> would have to place your key on the unencrypted boot partition, which
> basically conflicts with the idea of full encryption (see
> http://wiki.archlinux.org/index.php/System_Encryption_with_LUKS_for_dm-crypt#Encrypted_swap_with_suspend-to-disk_support).
> 
> By looking for some solution, the only thing I could figure out was to
> set up lvm, and encrypting the whole lvm partition, which would include
> the swap. This way all of my stuff would get unlocked, including the
> swap and therefore my system could resume from a former hibernation.
> 
> Before setting this up (which will cost some time, as I have to back up,
> configure and restore my stuff) I wanted to ask you, whether this will
> work as supposed, and if there may be any better solutions?
> 
> How do you get both hibernation and full encryption working together?

It is possible. Consider the following setup:

You have two partitions: one small (50MB) /boot partition, /dev/sda1, and 
the rest, /dev/sda2. Now you create a LUKS volume in /dev/sda2; let's call 
this volume enc. Inside /dev/mapper/enc create an LVM physical volume. Then 
create your root, swap, home, ... filesystems as logical volumes inside 
the LVM (let's say they are called /dev/vg/{root,swap,home,...}). That 
way, you just need to enter ONE passphrase to be able to access all your 
volumes, including swap and root.

The installer (AIF) can set all the above up correctly, however, the 
current version will make the wrong grub line. In the described setup, 
it should be:

cryptdevice=/dev/sda2:enc root=/dev/vg/root resume=/dev/vg/swap ro

Your mkinitcpio.conf should have the following line:

HOOKS="base udev pata scsi sata keymap encrypt lvm2 resume filesystems"
(note that lvm2 is before resume, not after)

This setup will make it possible to use hibernation on an encrypted 
system without a separate key storage and without having to enter more 
than one passphrase. It is also a very elegant setup, as you have the 
usual advantages of LVM.

Have fun!
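The layout and boot configuration described in the reply above, as an added example (this is not code from the original post, the wiki page, or the AIF installer). It is a POSIX sh script that provisions the LUKS container with an LVM physical volume inside it, composes the kernel parameter line, and checks that the HOOKS list in a mkinitcpio.conf has the required relative order (udev, encrypt, lvm2, resume, filesystems). The device /dev/sda2, the mapping name enc, the volume group name vg and the LV sizes are assumptions for illustration; the provisioning function is destructive and only runs when called explicitly.

```shell
#!/bin/sh
# Added example for the LUKS > LVM > resume setup; not from the original
# post or from AIF. Assumptions: /dev/sda1 is the unencrypted /boot,
# /dev/sda2 becomes the LUKS container mapped as "enc", the volume group
# is called "vg", and the LV sizes below are placeholders.

# Destructive provisioning of the layout: LUKS on the partition, one LVM PV
# inside the mapping, swap/root/home as logical volumes. Never called by
# default; run it by hand once you have backed everything up.
create_layout() {
    dev="$1"    # e.g. /dev/sda2
    name="$2"   # e.g. enc
    vg="$3"     # e.g. vg
    cryptsetup luksFormat "$dev"
    cryptsetup luksOpen "$dev" "$name"
    pvcreate "/dev/mapper/$name"
    vgcreate "$vg" "/dev/mapper/$name"
    lvcreate -L 2G  -n swap "$vg"    # assumed size; hibernation needs room for the image
    lvcreate -L 20G -n root "$vg"    # assumed size
    lvcreate -l 100%FREE -n home "$vg"
    mkswap "/dev/$vg/swap"
    mkfs.ext4 "/dev/$vg/root"
    mkfs.ext4 "/dev/$vg/home"
}

# Kernel parameters for this layout: the container is unlocked first, then
# both root and the resume device are found inside the volume group.
build_cmdline() {
    printf 'cryptdevice=%s:%s root=/dev/%s/root resume=/dev/%s/swap ro\n' "$1" "$2" "$3" "$3"
}

# Extract the hook list from a mkinitcpio.conf (the HOOKS="..." line).
hooks_from_conf() {
    sed -n 's/^HOOKS="\([^"]*\)".*/\1/p' "$1"
}

# The ordering the reply insists on: udev before encrypt (device nodes),
# encrypt before lvm2 (the PV lives inside the mapping), lvm2 before resume
# (the swap LV must exist before resume looks for it), resume before
# filesystems. Returns 0 only if every hook is present in that relative order.
check_hooks() {
    hooks="$1"
    prev=0
    for need in udev encrypt lvm2 resume filesystems; do
        pos=0
        i=0
        for w in $hooks; do
            i=$((i + 1))
            if [ "$w" = "$need" ]; then
                pos=$i
                break
            fi
        done
        if [ "$pos" -eq 0 ]; then
            echo "missing hook: $need" >&2
            return 1
        fi
        if [ "$pos" -le "$prev" ]; then
            echo "hook out of order: $need must come after the preceding required hooks" >&2
            return 1
        fi
        prev=$pos
    done
    return 0
}

# Usage: sh check-hooks.sh /etc/mkinitcpio.conf   (checks only, never provisions)
if [ "$#" -eq 1 ]; then
    check_hooks "$(hooks_from_conf "$1")" && echo "HOOKS order OK for LUKS > LVM > resume"
    build_cmdline /dev/sda2 enc vg
fi
```

The check catches the exact mistake the reply warns about (resume listed before lvm2): with lvm2 after resume, the resume hook runs before /dev/vg/swap exists and the hibernation image is never found.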
