ne29914 : You may be right that what I'm attempting to do is overly cautious, but let me point out that if you do not encrypt your / directory, it's easy for a third party to install whatever software they want directly onto your system, including software that will capture and copy or communicate what is in your home directory. A lot of people these days do encrypt their systems, and not a few keep / and /home in separate partitions for obvious reasons.
I was able to successfully get my encrypted, multi-partition system to hibernate using the following, for anyone interested. Note that I did not use lvm for my partitions, so that may alter the needed implementation. Inspiration for what I did comes from:
https://gist.github.com/HacKanCuBa/b...b24b75ee836857
https://unix.stackexchange.com/quest...-disks-at-boot
I had previously used the following source to set up hibernation on my laptop, but the method did not carry over to my desktop (which refused to boot). I suspect the relevant difference was that the laptop had my system in a single root partition, while my desktop had /, /home and /boot all in separate partitions: https://nileshgr.com/2021/01/26/hibe...ot-filesystem/
The following is easiest to implement if you become root (sudo su):
0) Warning: If anything goes wrong, you'll need to unwind everything here. So keep copies of the original versions of any files you change, and be prepared to use a USB live drive with a Linux system, cryptsetup to open your encrypted root partition, and the chroot command to 'become' the system on your computer so you can switch back to the original version of the files and update initramfs. chroot instructions are here: https://forums.bunsenlabs.org/viewtopic.php?pid=55737#p55737
1) Create a swap partition large enough to contain all of your RAM and then some (I think 1.25-1.5x RAM is good, with perhaps lower numbers for larger RAM; I used 1.25 times RAM on a system with 24GB RAM).
#While installing my OS, I set up my system with an unformatted partition large enough for the swap (the system started with no swap partition).
#You may be able to use gparted or similar to put together a large enough unformatted partition for the swap space. Remove any line in /etc/fstab referring to a pre-existing swap file or partition.
2) Edit or create /etc/initramfs-tools/conf.d/resume to contain the line:
Code:
RESUME=/dev/mapper/cryptoswap
3) Add the following line to your /etc/fstab:
Code:
/dev/mapper/cryptoswap swap swap defaults 0 0
4) Set up your swap using the following (my swap partition is on /dev/sda6; find your swap device name using lsblk and use that instead). Give it the same password you use for hard disk decryption (that is, the password you use when starting your system, the one for /).
Code:
cryptsetup luksFormat /dev/sda6
cryptsetup open /dev/sda6 cryptoswap
mkswap /dev/mapper/cryptoswap
Note: I believe the above should work. What I actually did, because I wasted a lot of time with an approach that didn't work, is a bit different from the above. It involved the following (this involves creating a random 512-byte key, placing it on / and then using luksAddKey to give the swap partition a human-workable passphrase; but the 512-byte key should not be necessary):
Code:
(DO NOT USE)
dd if=/dev/urandom of=/.swap-key bs=1 count=512
cryptsetup luksFormat -d /.swap-key /dev/nvme0n1p3
cryptsetup luksAddKey -d /.swap-key /dev/nvme0n1p3
cryptsetup open -d /.swap-key /dev/nvme0n1p3 cryptswap
mkswap /dev/mapper/cryptswap
5) Edit your /etc/crypttab so it looks more like the following. Basically, my crypttab already started with entries for root.fsm and 1.home.fsm. However, after the UUID in each entry, I added 'crypt_disks'. Together with the later parameter keyscript=decrypt_keyctl, this tells your system to use one passphrase to open all encrypted partitions labeled with 'crypt_disks'. And, in the last component, I made sure there was a sub-phrase of 'initramfs,keyscript=decrypt_keyctl'. Finally, I used blkid to look up the UUID on my system for cryptoswap (you'll have a different UUID of course, so use that) and used it to create the cryptoswap line in the following. Also make sure you have the keyutils package installed on your system; it has the decrypt_keyctl script.
Code:
root.fsm /dev/disk/by-uuid/51ca2671-9d41-10f7-af25-de8abaf3d85d crypt_disks luks,initramfs,keyscript=decrypt_keyctl,discard
1.home.fsm /dev/disk/by-uuid/7a5738a0-e79c-492b-a1cf-637fea8a5ce2 crypt_disks luks,initramfs,keyscript=decrypt_keyctl,discard
cryptoswap /dev/disk/by-uuid/e0e2123a-fd60-48f2-bbac-933f12225c50 crypt_disks luks,initramfs,keyscript=decrypt_keyctl,discard
6) Update initramfs:
Code:
sudo update-initramfs -u
7) Reboot your system.
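Before rebooting, it is worth confirming that the three files edited in steps 2, 3 and 5 agree with each other, since a mismatch (a RESUME target with no crypttab entry, a crypttab entry not opened in the initramfs, or an entry that cannot share the cached passphrase) is exactly what leaves the system unable to resume. The following checker is an added example, not part of the original post; it takes the paths of the crypttab, the initramfs resume conf and the fstab as arguments and reports every inconsistency it finds.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check the files the
# hibernation procedure edits. Usage:
#   sh check.sh /etc/crypttab /etc/initramfs-tools/conf.d/resume /etc/fstab
# Returns 0 when consistent; prints each problem and returns 1 otherwise.
check_hibernate_config() {
    crypttab=$1; resume=$2; fstab=$3; rc=0
    # RESUME= must name a /dev/mapper/<name> device (the opened LUKS swap).
    dev=$(sed -n 's/^RESUME=//p' "$resume" | tail -n 1)
    case "$dev" in
        /dev/mapper/*) name=${dev#/dev/mapper/} ;;
        *) echo "RESUME is not a /dev/mapper device: '$dev'"; return 1 ;;
    esac
    # The mapping must exist in crypttab and be opened in the initramfs with
    # decrypt_keyctl, otherwise the resume image cannot be read at boot.
    opts=$(awk -v n="$name" '!/^#/ && $1==n {print $4}' "$crypttab")
    if [ -z "$opts" ]; then
        echo "no crypttab entry for $name"; rc=1
    else
        case ",$opts," in
            *,initramfs,*) ;;
            *) echo "$name lacks the 'initramfs' option"; rc=1 ;;
        esac
        case ",$opts," in
            *,keyscript=decrypt_keyctl,*) ;;
            *) echo "$name lacks keyscript=decrypt_keyctl"; rc=1 ;;
        esac
    fi
    # All decrypt_keyctl entries must share one key identifier (field 3,
    # 'crypt_disks' in the post) so a single passphrase unlocks all of them.
    ids=$(awk '!/^#/ && $4 ~ /decrypt_keyctl/ {print $3}' "$crypttab" \
          | sort -u | awk 'END {print NR}')
    if [ "$ids" -gt 1 ]; then
        echo "decrypt_keyctl entries use different key identifiers"; rc=1
    fi
    # fstab must activate the same mapper device as swap.
    if ! awk -v d="$dev" '!/^#/ && $1==d && $3=="swap" {f=1} END {exit !f}' \
            "$fstab"; then
        echo "fstab has no swap entry for $dev"; rc=1
    fi
    return $rc
}

# Run against the given files when invoked directly with three arguments.
if [ $# -eq 3 ]; then
    check_hibernate_config "$1" "$2" "$3"
fi
```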
While this setup has worked so far for me (including hibernating multiple GBs of RAM), I wonder about some of the points made in https://www.kernel.org/doc/html/v5.1...ep-states.html that seem to imply that unless a given system parameter is altered, the full swap partition will not be used for hibernation.