-
Notifications
You must be signed in to change notification settings - Fork 31
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add instructions for suspend/hibernate with an encrypted swap partition and/or file #13
Comments
That might have some useful info. |
Once I find some time, I will update the guides for 21.04 and will show how to enable hibernation. In Pop!_OS it is very easy by simply encrypting the swap partition in your crypttab. I am not sure whether this will also work in Ubuntu and what changes are required in Grub. I will leave this issue open until I update the guides. |
Same problem here: I can't get hibernation to work properly. I've done a ton of research, but can't seem to get the kernelstub or crypttab configuration correct. When I try to hibernate, journalctl reports PM: Image not found (code -22). My encrypted swap partition is working correctly (I've tested it) for everything but hibernation. I guess the hibernation file is never being written? Not sure. Either way, your help getting this working would be very much appreciated. And thank you for the great BTRFS + LUKS + PopOS tutorial! I learned a lot. |
+1 on this, 21.04 guide for luks+btrfs worked great but I can't get the hibernation to work as guides are all over the place online |
Fyi there is also a lengthy discussion on the discourse of Ubuntu Re-visiting hibernate on ubuntu. |
That discussion was pretty unhelpful. I don't know how you got it working with a /dev/urandom encrypted swap. I was able to get it working by making the swap luks partition use a passphrase instead of the random keyfile. But then I had two type two passwords on startup and resume. I could not get resume to work with a static key-file on the encrypted root partition at all. Then I was able to get it to work using a swap-file on the encrypted root partition. No swap partition needed. This is the way to do it as far as I'm concerned. The following three links will help you setup a swapfile on BTRFS, use a swap file instead of a partition, and setup hibernation to that swapfile on Pop OS: |
I spent a lot of time trying to find a solution to this. Hopefully one day I'll get around to making polished instructions in a PR, but here's an info dump for now: TL;DR swap partition encrypted with a /dev/urandom key will not support hibernation. In theory you could make a keyscript to make it work by saving the random key on disk somewhere, but there are literally zero benefits to this approach. Just use your data partition password (or a separate password) to unlock swap directly. For any auto-login users, consider using Method 1: Separate PasswordNote that you will have to enter two passwords on every startup (from shutdown or hibernate).
(or manually add it to the "user" section of
Method 2 (Recommended): Kernel KeyringFeel free to read the top of
(or manually add it to the "user" section of
Source plus sources from method 1 Method 3: Swap as LVM VolumeI have not tried this at all, but it should be possible to create a swap partition inside cryptdata using As an aside, my primary motivation for this was to ensure nothing is left decrypted after a period of extended inactivity. That is, I want the system to always hibernate after sitting in suspend for some time. Creating a symlink |
Thank you for this; this should provide ample information for those who want to try out the different methods. |
The Ubuntu 20.04 btrfs-luks guide states:
For my use case, I need to have a fully encrypted laptop with suspend-to-disk/hibernate support. How can I do this? The section about it in dm-crypt/Swap encryption is not clear to me.
The text was updated successfully, but these errors were encountered: