30

When I installed Ubuntu, I set up an encrypted home partition. Now I have come to an issue where I am running out of memory because I haven't set up swap. How can I set up an encrypted swap file?

A couple of times while booting I've seen some reference to cryptswap. I've also got these lines contained in /etc/fstab

    # swap was on /dev/sda6 during installation
    #UUID=1ba8a53b-1842-4de7-8e38-2d6c79f3a1ab none            swap    sw              0       0
    /dev/mapper/cryptswap1 none swap sw 0 0

  • In newer Ubuntu versions (tested 14.10), you have to run /etc/init.d/cryptdisks-early reload. @Adam Ryczkowski could you post your startup script? – Jan B Jan 23 '15 at 13:02

2 Answers

30

Thanks to this guide I set up an encrypted swap file (can't be used for hibernation). On Debian-based distributions, you will need the cryptsetup package for these instructions.

  1. Firstly create an appropriately sized file (here 4 gigabytes) to store the swap data:

    fallocate -l 4G /cryptswap
    
  2. Add the following to /etc/crypttab:

    cryptswap /cryptswap /dev/urandom swap
    
  3. Activate the newly created encrypted drive:

    service cryptdisks reload
    
  4. Add the following to /etc/fstab:

    /dev/mapper/cryptswap none swap sw 0 0
    
  5. Activate the new swap file:

    swapon -a
    
  • 2
    This encrypted swap is the only secure option for hibernation. With a little change to /etc/crypttab and a startup script (to ask user for mount password) – Adam Ryczkowski Feb 05 '14 at 15:23
  • @AdamRyczkowski if you're around, another user was asking for that startup script, if you made one. See comment on the question. – muru Jan 23 '15 at 21:20
  • @muru On Ubuntu 14.04 there is no need for such a script. If I recall correctly, the early booting scripts parse /etc/crypttab for a line like cryptswap /dev/sda5 none luks and ask the user for a password automatically – Adam Ryczkowski Jan 24 '15 at 10:39
  • 4
    Instead of truncate use fallocate to allocate inode to file; the mkswap step is useless as it is overwritten later when encrypted swap is setup. – solsTiCe May 28 '15 at 09:49
  • @adam-ryczkowski, you say „only secure option for hibernation“, liamzebedee says „can't be used for hibernation“. Which one of you is right, resp. what further steps would it take to make it fit for hibernation? – Frank N Jul 11 '16 at 13:28
  • @FrankN. Hibernation data live in swap, so it must be decrypted during an early stage of boot. Decryption will work if the swap is encrypted with a constant password. Then, during the bootup phase, the computer will ask for a password to decrypt swap, regardless of whether there is a hibernation state on the swap or not. What liamzebedee showed does not use a constant password, so it will not work with hibernation (you will hibernate and power off, but will not be able to put in the correct password to read the hibernation state on waking up) – Adam Ryczkowski Jul 26 '16 at 13:57
  • 3
    Nice summary. However, anyone wanting to read more will find that your link "this guide" is dead. – underscore_d Jul 28 '16 at 20:06
  • 2
    Just a note: I had to reboot the system before the /dev/mapper/cryptswap volume appeared. – HRJ Dec 01 '16 at 06:30
  • I followed the instructions exactly, apart from giving 8G argument to fallocate: fallocate -l 8G /cryptswap. However, the final encrypted swap memory created according to both swapon -s and free -h seems to be 4G still. What am I doing wrong? – datka Mar 23 '18 at 13:16
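
As an added example (not part of the answer above or of the guide it cites): a small audit script that reads an fstab and a crypttab and reports, for each active swap entry, whether it is plaintext, mapped with a random per-boot key as in steps 2 and 4, or mapped with a persistent LUKS key as in the hibernation comments. The function names and the sample files are constructed for illustration, and the matching assumes the usual four-field crypttab layout (name, device, key, options).

```shell
#!/usr/bin/env bash
# Added example: audit fstab swap entries against crypttab (names and samples are constructed).

# Print how crypttab keys the mapping NAME:
#   random-key     key read from /dev/urandom plus the "swap" option (new key every boot)
#   persistent-key "luks" option (same key every boot, so a hibernation image stays readable)
classify_swap_mapping() {
    local name="$1" crypttab="$2"
    awk -v n="$name" '
        $1 ~ /^#/ { next }
        $1 == n {
            found = 1
            if (($3 == "/dev/urandom" || $3 == "/dev/random") && $4 ~ /(^|,)swap(,|$)/)
                print "random-key"
            else if ($4 ~ /(^|,)luks(,|$)/)
                print "persistent-key"
            else
                print "unknown"
            exit
        }
        END { if (!found) print "missing" }
    ' "$crypttab"
}

# Print "<device> <verdict>" for every active (uncommented) swap line in FSTAB.
audit_fstab_swap() {
    local fstab="$1" crypttab="$2" dev mnt type rest
    while read -r dev mnt type rest; do
        case "$dev" in ''|\#*) continue ;; esac
        [ "$type" = swap ] || continue
        case "$dev" in
            /dev/mapper/*) echo "$dev $(classify_swap_mapping "${dev#/dev/mapper/}" "$crypttab")" ;;
            *)             echo "$dev plaintext" ;;
        esac
    done < "$fstab"
}

# Constructed sample files (not taken from a real system).
write_samples() {
    printf '%s\n' 'cryptswap /cryptswap /dev/urandom swap' \
                  'cryptswap1 /dev/sda5 none luks' > "$1/crypttab"
    printf '%s\n' '# swap was on /dev/sda6 during installation' \
                  '/dev/mapper/cryptswap none swap sw 0 0' \
                  '/dev/mapper/cryptswap1 none swap sw 0 0' \
                  '/swapfile none swap sw 0 0' > "$1/fstab"
}
tmp=$(mktemp -d) && write_samples "$tmp"
audit_fstab_swap "$tmp/fstab" "$tmp/crypttab"
rm -rf "$tmp"
```

To audit a live system, call `audit_fstab_swap /etc/fstab /etc/crypttab`; a `missing` verdict means fstab references a mapper device that crypttab never defines.
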
6

Skip the reboot:

    sudo cryptdisks_start cryptswap

where cryptswap is the name in /etc/crypttab

anonymous2
  • 4,298
  • 2
    I don't understand how that addresses the question. Could you please explain? As far as I understand it, OP wants to know how to set up (encrypted) swap space properly. Your answer just describes how to start a previously defined encrypted volume but not how to use it for swapping. -1 – David Foerster Mar 06 '17 at 22:10
  • rise, o ancient thread. Friendly is trying to address what HRJ mentioned as a comment added to the OP. Namely, "I had to reboot the system before /dev/mapper/cryptswap volume appeared." This handy cryptdisks_start swap0 (in my case) saved me from having to reboot. noice. – fbicknel Sep 28 '21 at 20:58