stop crypttab asking for password for swap

Question

I instaled a fresh 11.04 system when it was released and set up full disk encryption with LUKS. At first it asked me for a password for my three encrypted partitions:

/
/home
swap

Typing in the passphrase three times got frustrating, so I tried to set up /home and swap to decrypt from a keyfile stored on /. I created the keyfile and enabled it on the two partitions. My crypttab now looks like this:

root-root_crypt UUID=13c21bf6-4d92-42a7-877a-87cc31b1aa19 none luks
home-home_crypt UUID=ba90ce5b-9df7-4764-8a72-011bbb164db4 /root/keyfile luks
home-home_crypt UUID=ba90ce5b-9df7-4764-8a72-011bbb164db4 none luks
sda3_crypt UUID=e4677895-2114-4054-9f23-d36f6bb0e6a2 /root/keyfile luks,swap

This works fine for /home, which gets mounted automatically without asking for a password. But cryptsetup still asks for a password for the swap space. I've even tried adding noauto to the swap space so it wouldn't be set up at all -- once the system is booted I can enable it without the passphrase, so I thought I'd just add a late init script to do it, but even with noauto cryptsetup still asks for the passphrase.

Thanks!

For this reason, it's recommended to use LVM + LUKS in case of multiple partitions. Crypsetup can be used above or below the LVM layer (above -> filesystem, below -> disk). Using cryptsetup below LVM has the advantage that you need only one encrypted partition (the LVM one). — Lekensteyn, May 18 '11 at 09:11

score 10 · Answer 1 · edited Oct 22 '18 at 11:09

Had the same question, here is how i did it on ubuntu 12.04.1 and 12.10,

--before starting make sure you have a backup and can also boot your system with ubuntu cd or usb; as if you make a mistake, your system may not boot anymore or you may loss data. i assume you have an encrypted ubuntu system with LUKS, inside LUKS you have 3 partitions, SYSTEM-BOOT (not encrypted), SYSTEM-SWAP (encrypted) and SYSTEM-OS (encrypted)--

u need to adjust UUIDs, SYSTEM-SWAP_crypt, SYSTEM-OS_crypt, SYSTEM-SWAP, SYSTEM-OS to the variation used on your system, pls see reference link below my solution for more info

Get UUIDs:

blkid

Prepare >

swapoff /dev/mapper/SYSTEM-SWAP_crypt
cryptsetup luksClose SYSTEM-SWAP_crypt

Tell cryptsetup to compute the passphrase of the swap partition from the decryption key of the volume holding the root filesystem >

/lib/cryptsetup/scripts/decrypt_derived SYSTEM-OS_crypt | cryptsetup luksFormat /dev/mapper/SYSTEM-SWAP --key-file -
/lib/cryptsetup/scripts/decrypt_derived SYSTEM-OS_crypt | cryptsetup luksOpen /dev/mapper/SYSTEM-SWAP SYSTEM-SWAP_crypt --key-file -
mkswap /dev/mapper/SYSTEM-SWAP_crypt

tell the system about swap partition, edit crypttab>

nano /etc/crypttab

=? make sure two lines match

SYSTEM-OS_crypt UUID=uuid-of-luks-containing-osroot none luks
SYSTEM-SWAP_crypt UUID=uuid-of-luks-containing-swap SYSTEM-OS_crypt luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived

tell the system about swap partition, edit fstab>

nano /etc/fstab

=? make sure u have this line

/dev/mapper/SYSTEM-SWAP_crypt swap swap sw 0 0

tell the system about swap partition, edit resume>

nano /etc/initramfs-tools/conf.d/resume

=? make sure u have this line

RESUME=UUID=uuid-of-encrypted-swap-SYSTEM-SWAP_crypt

update initramfs on boot partition >

update-initramfs -u -k all

Reference

The answer inspired by Setting up an encrypted Debian system (archived link):

If you are using an encrypted Debian system, you likely have some security requirements to meet. If that's the case, you must also use an encrypted swap partition.

The swap partition can be encrypted in two ways:

it can be recreated on every boot, using a random passphrase, or

it can be created like the other encrypted volumes with a persistent passphrase

If you want to use suspend-to-disk, you cannot use the first approach as it would overwrite your memory footprint stored in the swap partition. Furthermore, you cannot use a key file like the other partitions, since the root filesystem is not (and must not) be mounted by the time the resume process starts and needs to read the decrypted swap partition.

The way I solved this is by telling cryptsetup to compute the passphrase of the swap partition from the decryption key of the volume holding the root filesystem; the cryptsetup package implements this with /lib/cryptsetup/scripts/decrypt_derived. Thus, to set up the swap partition, I do the following, assuming hda2 is the partition holding the encrypted swap and the root filesystem is in hda5_crypt:

swapoff /dev/mapper/hda2_crypt
cryptsetup luksClose hda2_crypt
dd if=/dev/urandom of=/dev/hda2
/lib/cryptsetup/scripts/decrypt_derived hda5_crypt \
  | cryptsetup luksFormat /dev/hda2 --key-file -
/lib/cryptsetup/scripts/decrypt_derived hda5_crypt \
  | cryptsetup luksOpen /dev/hda2 hda2_crypt --key-file -
mkswap /dev/mapper/hda2_crypt

To tell the system about this swap partition, we need to add it to /etc/crypttab and /etc/fstab; make sure, those files contain lines like the following:

/etc/crypttab:
  hda2_crypt /dev/hda2 hda5_crypt luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived

/etc/fstab:
  /dev/mapper/hda2_crypt swap swap sw 0 0

With this in place, as soon as you configure the system for suspend-to-disk, the swap partition will be automatically set up alongside the root filesystem very early during the boot sequence. To figure out which swap partition to make available at that point, cryptsetup checks the following: asfasfafs - a line like RESUME=/dev/mapper/hda2_crypt in /etc/initramfs-tools/conf.d/resume - a resume device setting in /etc/uswsusp.conf (see uswsusp.conf(5)) - an entry in /etc/suspend.conf - a resume=/dev/mapper/hda2_crypt in the kernel command line

You can inspect /usr/share/initramfs-tools/hooks/cryptroot if you want to know more about this.

Welcome to Ask Ubuntu! Would have +1'd if not simply copy/pasted without taking care of the formatting (which I just did). I like the "it can be recreated on every boot, using a random passphrase" approach here. — gertvdijk, Jan 04 '13 at 10:38
added the commands i actually used to the answer, i am going to test it on 12.10 too, will update the answer later — Prince, Jan 04 '13 at 11:22
Okay. I assumed you copy/pasted it completely. Please change it to have clear on what changes you made to it to make it work. Would be helpful, thanks! — gertvdijk, Jan 04 '13 at 12:06
do not try it on 12.10 as I ran into a bug that prevents boot, I get "cryptsetup lvm is not available", Google search return bug reports. need to look into it more deeply but have no time, will let u know later. — Prince, Jan 04 '13 at 13:09
updated the answer, my 12.10 system is now fully functional and asks for only one password,i did not update-initramfs -u -k all at the end that created the problem i mentioned on previous comment. @gertcdijk formated everything, hope u r happy now — Prince, Jan 05 '13 at 10:00

score 5 · Answer 2 · answered May 18 '11 at 03:03

This probably indicates that the swap partition is being accessed during the initramfs portion of the boot process. At this point the root file system has not yet been mounted, so any configuration files stored there won't be visible.

While the swap space is mounted after the root file system, there is a reason for the initramfs initialisation process to access the swap space: when you hibernate your computer, the contents of memory and system state is written to swap. In order to resume from hibernation, it is necessary to check if the swap space contains a hibernation image which would require the pass phrase.

If you don't mind losing the ability to resume from hibernation, you can disable this behaviour by editing /etc/initramfs-tools/conf.d/resume and commenting out the line starting with RESUME=. After making the change, run update-initramfs -u to update the initramfs image.

Ah, thank you! I'm not sure I want to sacrifice hibernation. I don't use it often, but when the battery wears down with out my noticing, it comes in handy. Do you know if there's a way to have cryptsetup reuse the same password for /? — Brad, May 19 '11 at 15:28
I don't know of a way to do that. And before you ask, don't try putting a copy of your keyfile into the initramfs. While it would get rid of the passphrase prompt, it would also make it available to anyone with physical access to the disk. — James Henstridge, May 20 '11 at 02:58

stop crypttab asking for password for swap

2 Answers2

Reference

Linked