FS#11147 - [mkinitcpio] req: resume from encrypted swap.
Attached to Project:
Arch Linux
Opened by Christ Schlacta (aarcane) - Friday, 08 August 2008, 01:53 GMT
Last edited by Tom Gundersen (tomegun) - Thursday, 23 February 2012, 08:14 GMT
Opened by Christ Schlacta (aarcane) - Friday, 08 August 2008, 01:53 GMT
Last edited by Tom Gundersen (tomegun) - Thursday, 23 February 2012, 08:14 GMT
|
Details
Description:
I would love resume from encrypted swap support. encryption could be accomplished by using an arbitrary key to create a swap partition on boot, then encrypting the key and signing it with gpg or similar and storing only encrypted values in the /boot partition. when resume from encrypted swap, unencrypt the key using the GPG key, and resume. when not resuming from encrypted swap, generate a new random key, and encrypt it with that same gpg key. GPG allows the key to be encrypted with an unencrypted keypair, whereas the decryption key can be stored encrypted, making it a secure process. Additional info: * package version(s) * config and/or log files etc. Steps to reproduce: feature request, no reproduction possible. |
This task depends upon
Closed by Tom Gundersen (tomegun)
Thursday, 23 February 2012, 08:14 GMT
Reason for closing: Won't implement
Additional comments about closing: post patches to arch-porjects@archlinux.org if you want this feature, or see the last comment for alternative solution.
Thursday, 23 February 2012, 08:14 GMT
Reason for closing: Won't implement
Additional comments about closing: post patches to arch-porjects@archlinux.org if you want this feature, or see the last comment for alternative solution.
But first, for proper support I think the encrypt hook needs to also attempt to open swap, and not just root. Not everyone may want tho, so I suppose it best to only do this if it needs to open swap for resume support.
NOTE: I don't use a random password for swap. I use a passphrase. I actually have a passphrase for swap and /home. On Fedora, the first one is cached so you only have to enter it once on non-resume boot, but this is another issue.
I use another hook called openswap, that simply opens the swap partition upon booting. This needs to be done quite early.
# vim: set ft=sh
run_hook ()
{
cryptsetup luksOpen /dev/sda2 cryptswap
}