FS#58098 - [cryptsetup] Swap encryption fails with sd-encrypt

Attached to Project: Arch Linux
Opened by Matthias Lisin (matthias.lisin) - Wednesday, 04 April 2018, 14:19 GMT
Last edited by Christian Hesse (eworm) - Monday, 09 April 2018, 13:03 GMT
Task Type: Bug Report
Category: Packages: Core
Status: Closed
Assigned To: Christian Hesse (eworm)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 1
Private: No

Details

Description:
When using sd-encrypt, swap encryption fails due to missing mkswap binary in initramfs.

If you try to encrypt the swap using the crypttab.initramfs file as suggested by the sd-encrypt hook, then it fails to create the swap because the mkswap binary is not added to the initramfs anywhere.

Proposed solution:
Add the following line to the install-sd-encrypt file:

add_binary "/usr/bin/mkswap"


Additional info:
* core/cryptsetup 2.0.2-1


Steps to reproduce:
- configure swap encryption in /etc/crypttab.initramfs file (see example)
- configure swap mount in /etc/fstab (see example)
- open the journal, see the following entries:
systemd[pidX]: systemd-cryptsetup@cryptswap.service: Failed to execute command: No such file or directory
systemd[pidX]: systemd-cryptsetup@cryptswap.service: Failed at step EXEC spawning /sbin/mkswap: No such file or directory
systemd[1]: Failed to start Cryptography Setup for cryptswap.
systemd[1]: Timed out waiting for device dev-mapper-cryptswap.device


[Example] crypttab.initramfs:
cryptswap /dev/sda2 /dev/urandom swap,cipher=aes-xts-plain64,size=256

[Example] fstab:
/dev/mapper/cryptswap none swap defaults 0 0

Closed by Christian Hesse (eworm)
Monday, 09 April 2018, 13:03 GMT
Reason for closing: Fixed
Additional comments about closing: in SVN
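
Added example, not part of the original report or of the cryptsetup package: a shell check that finds crypttab entries using the swap option and confirms that a listing of the initramfs contents includes mkswap. The function names, the cryptroot line and the two file listings are constructed; only the cryptswap line comes from the report.

```sh
# Added example. Function names and sample data are constructed for illustration.

# Print the name of every crypttab entry whose options field contains "swap".
crypttab_swap_entries() {
    awk '
        $1 ~ /^#/ || NF < 4 { next }   # skip comments and entries without options
        {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "swap") { print $1; break }
        }
    ' "$1"
}

# Succeed if a file listing (one path per line) contains a mkswap binary.
initramfs_has_mkswap() {
    grep -Eq '(^|/)mkswap$' "$1"
}

# Return 1 and name the affected entries when swap entries exist but the
# listing has no mkswap, which is the failure described in the report.
check_swap_initramfs() {
    entries=$(crypttab_swap_entries "$1")
    [ -z "$entries" ] && return 0
    initramfs_has_mkswap "$2" && return 0
    for e in $entries; do
        echo "MISSING mkswap for: $e"
    done
    return 1
}

# Constructed sample input; the cryptswap line is the example from the report.
demo_dir=$(mktemp -d)
cat > "$demo_dir/crypttab.initramfs" <<'EOF'
# name     device     keyfile       options
cryptroot  /dev/sda3  none          luks
cryptswap  /dev/sda2  /dev/urandom  swap,cipher=aes-xts-plain64,size=256
EOF
printf '%s\n' usr/lib/systemd/systemd-cryptsetup > "$demo_dir/before.list"
printf '%s\n' usr/lib/systemd/systemd-cryptsetup usr/bin/mkswap > "$demo_dir/after.list"

check_swap_initramfs "$demo_dir/crypttab.initramfs" "$demo_dir/before.list" \
    || echo "initramfs listing lacks mkswap"
check_swap_initramfs "$demo_dir/crypttab.initramfs" "$demo_dir/after.list" \
    && echo "initramfs listing contains mkswap"
```

On a real system the listing would come from lsinitcpio run against the generated initramfs image.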
Comment by Doug Newgard (Scimmia) - Wednesday, 04 April 2018, 14:47 GMT
I don't get it, why would you not already have the swap file/partition created? It doesn't seem to make sense to have to create it in the initramfs.
Comment by Matthias Lisin (matthias.lisin) - Wednesday, 04 April 2018, 16:45 GMT
This is done automatically on every boot regardless of whether it already was a valid swap.
It's mentioned in the crypttab man-page here (see swap option): https://jlk.fjfi.cvut.cz/arch/manpages/man/crypttab.5
And also on the wiki page https://wiki.archlinux.org/index.php/Dm-crypt/Swap_encryption#Without_suspend-to-disk_support

Correct me if I'm wrong, but it doesn't really make a difference where I create my encrypted swap, right?
And so because I'm using the crypttab.initramfs to mount my encrypted root partition, I decided to do that for the swap as well.

Let me know if this is wrong in some way and the issue is with me.