FS#11147 - [mkinitcpio] req: resume from encrypted swap.

Attached to Project: Arch Linux
Opened by Christ Schlacta (aarcane) - Friday, 08 August 2008, 01:53 GMT
Last edited by Tom Gundersen (tomegun) - Thursday, 23 February 2012, 08:14 GMT
Task Type Feature Request
Category Packages: Core
Status Closed
Assigned To Tobias Powalowski (tpowa)
Aaron Griffin (phrakture)
Thomas Bächler (brain0)
Dave Reisner (falconindy)
Tom Gundersen (tomegun)
Architecture All
Severity Medium
Priority Normal
Reported Version None
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No

Details

Description:
I would love resume from encrypted swap support. Encryption could be accomplished by using an arbitrary key to create a swap partition on boot, then encrypting the key and signing it with GPG or similar, and storing only encrypted values in the /boot partition. When resuming from encrypted swap, decrypt the key using the GPG key, and resume. When not resuming from encrypted swap, generate a new random key, and encrypt it with that same GPG key. GPG allows the key to be encrypted with an unencrypted keypair, whereas the decryption key can be stored encrypted, making it a secure process.

Additional info:
* package version(s)
* config and/or log files etc.


Steps to reproduce:
Feature request, no reproduction possible.

Closed by  Tom Gundersen (tomegun)
Thursday, 23 February 2012, 08:14 GMT
Reason for closing:  Won't implement
Additional comments about closing:  Post patches to arch-projects@archlinux.org if you want this feature, or see the last comment for an alternative solution.
Comment by Christ Schlacta (aarcane) - Friday, 08 August 2008, 16:25 GMT
Wow, I wrote that when I was really tired, and I just read it. It makes enough sense to me, but if you need any clarification, feel free to ask :)
Comment by Aaron Griffin (phrakture) - Friday, 08 August 2008, 21:06 GMT
Thomas... don't you actually do this with the encrypt hook in mkinitcpio?
Comment by nimrak (outerdark) - Tuesday, 02 December 2008, 22:54 GMT
You could check if the swap is a LUKS partition and just ask for a password. Guess there are better ways, but it works OK for me without making too many changes. The encrypt hook has to be loaded before, and you should have set a password for one of the LUKS volume slots ;)
Comment by Aaron Griffin (phrakture) - Wednesday, 03 December 2008, 22:47 GMT
I think your patch is reversed.
Comment by Christ Schlacta (aarcane) - Wednesday, 03 December 2008, 22:59 GMT
The only problem is that I use the random encrypted swap as shown in the Arch LUKS encryption howto. It would require saving the encryption key somewhere and using that key to restore from.
Comment by Gerardo Exequiel Pozzi (djgera) - Monday, 22 June 2009, 06:11 GMT
What is the status of this?
Comment by Thomas Bächler (brain0) - Monday, 22 June 2009, 07:52 GMT
Nothing's going to happen here, for reasons I have explained ... somewhere. I will look it up and copy it here.
Comment by Jason Ish (ish) - Monday, 13 July 2009, 08:11 GMT
I am resuming from encrypted swap using swsusp at this time and would like to see better support for this as well. Note, I'm willing to submit work, but only if there is any chance of it being accepted. For now I am calling luksOpen in the uresume hook.

But first, for proper support I think the encrypt hook needs to also attempt to open swap, and not just root. Not everyone may want this though, so I suppose it is best to only do this if it needs to open swap for resume support.

NOTE: I don't use a random password for swap. I use a passphrase. I actually have a passphrase for swap and /home. On Fedora, the first one is cached so you only have to enter it once on non-resume boot, but this is another issue.
Comment by Gerardo Exequiel Pozzi (djgera) - Friday, 12 February 2010, 18:42 GMT
What is the status of this issue with the latest mkinitcpio-0.6?
Comment by rob (damnregister) - Monday, 09 August 2010, 09:25 GMT
Where is the problem in this?

I use another hook called openswap, that simply opens the swap partition upon booting. This needs to be done quite early.

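# vim: set ft=sh:
# openswap hook: unlock the LUKS swap partition as /dev/mapper/cryptswap.
# It has to run early, before anything tries to resume from the swap device.
run_hook ()
{
    cryptsetup luksOpen /dev/sda2 cryptswap
}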
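
Jason Ish's and rob's comments above both open the encrypted swap from an early hook so that resume can read it. The code below is an added example, not code from this thread or from mkinitcpio, that does this only when the kernel command line's resume= names a /dev/mapper device. The function names are hypothetical, and it assumes a passphrase-protected LUKS swap on /dev/sda2 as in rob's hook.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumption: resume= is given as /dev/mapper/NAME, not as UUID= or LABEL=.

# Print the resume= value from a kernel command line (last one wins here).
resume_target() (
    set -f                      # do not glob-expand command-line words
    target=
    for word in $1; do
        case $word in
            resume=*) target=${word#resume=} ;;
        esac
    done
    [ -n "$target" ] && printf '%s\n' "$target"
)

# Print NAME if the target is /dev/mapper/NAME and NAME is a conservative
# mapping name; anything else is rejected before it reaches cryptsetup.
mapper_name() (
    case $1 in
        /dev/mapper/*) name=${1#/dev/mapper/} ;;
        *) exit 1 ;;
    esac
    case $name in
        ''|*[!A-Za-z0-9_.-]*) exit 1 ;;
    esac
    printf '%s\n' "$name"
)

# $1 = kernel command line, $2 = backing partition of the encrypted swap.
open_swap_for_resume() {
    target=$(resume_target "$1") || return 0    # no resume=: nothing to do
    name=$(mapper_name "$target") || return 0   # plain device: nothing to unlock
    [ -e "/dev/mapper/$name" ] && return 0      # already opened by an earlier hook
    # Random-key (plain dm-crypt) swap has no LUKS header and its key is gone
    # after power-off, so refuse instead of mapping something unusable.
    cryptsetup isLuks "$2" || return 1
    cryptsetup luksOpen "$2" "$name"            # prompts for the passphrase
}

run_hook() {
    # /dev/sda2 is the partition used in rob's hook above.
    open_swap_for_resume "$(cat /proc/cmdline)" /dev/sda2
}
```

As with rob's hook, this has to be listed before the resume hook so the mapping exists when resume looks for it.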
Comment by Tom Gundersen (tomegun) - Saturday, 18 February 2012, 12:53 GMT
I'd say close this as won't implement, unless someone who wants to use it actually comes up with an implementation and is willing to maintain it (though that could probably be maintained as a standalone hook in the AUR at first).
Comment by Suraj N. Kurapati (sunaku) - Thursday, 23 February 2012, 08:13 GMT
  • Field changed: Percent Complete (100% → 0%)
I just want to comment that there is an alternative solution to this issue: use a plain swap file inside the mounted filesystem of an encrypted partition. See https://wiki.archlinux.org/index.php/System_Encryption_with_LUKS#Using_a_swap_file_for_suspend-to-disk_support for instructions.