How-To: Fix hibernate to work with encrypted folders and swap
IMPORTANT
This thread has been moved to the Community Wiki. I shall no longer update this thread (although you are welcome to post queries here); I shall update the Wiki instead.
A thread for discussion of the wiki page only can be found here http://ubuntuforums.org/showthread.p...9#post12062069
Thread closed.
__________________________________________________
RAISON D'ÊTRE
- Many people have asked how to get hibernation to work with encrypted folders. The problem is that the swap partition is also encrypted, but with a random key, so on restarting there is no way to resume.
- Now sharney, who uses Linux Mint, has found a way to solve this problem (on Mint, of course). The idea is to replace the random key with a password of your choice (you could use the same password as your login, but see Disclaimers & Warnings below, point 6).
- I thought I'd see whether or not I could get this working on Ubuntu, which is a little different from both Mint (despite Mint's origins in Ubuntu) and sharney, who uses full-disk encryption. I succeeded! Hence, this how-to.
- Of course, as new information comes to light or as errors are discovered, I shall update this first post.
__________________________________________________
DISCLAIMERS & WARNINGS
- I presume that you know how to use the Terminal. (This how-to is quite advanced, well, for me it is, so if you don't know how to use the Terminal, this how-to is not for you.)
- I tested this both on a virtual machine using Virtual Box and on a native installation. The Virtual Box had a strange problem when resuming: the screen remained black, although the applications were still open. But the native installation worked correctly.
- I tested this on Ubuntu Precise 12.04 (fully updated), so I don't know whether or not it will work on other versions.
- Canonical does not support this function (yet), so use it at your own risk. I disclaim responsibility, because I'm not terribly technical and I discovered the method through reading and trial-and-error, not by any cleverness.
- Please follow the instructions carefully, otherwise you may find your system unable to boot (but you can recover with the Recovery Option or a Live CD).
- If more than one person uses your machine, every user will need to know the encryption password for the swap.
__________________________________________________
EXPLANATION
- Your existing encrypted swap partition uses a random key, generated each time you boot.
- You will be replacing that random key method with a fixed key using a password of your choice.
- It is possible to replace the password with a file, meaning that you wouldn't have to remember an extra password but that file would be visible to anyone with physical access to your computer (e.g. via a Live USB).
- If you forget your password, you will still be able to boot (after trying three times), but you won't have a swap partition. However, you can repeat this How-To to set it up again, so it's not a big deal.
- Wherever there is coding in this How-To, I shall use blue for anything you need to type, with italics where you need to adjust something.
__________________________________________________
PREPARATION
- Your computer must already be set up for encryption. If not, please set up encryption and come back here.
- Think of a password (or passphrase) for your swap partition. You can use the same as your log-in but don't do that if other people have accounts on your computer! (See Disclaimers & Warnings point 6.)
- Find out which is your encrypted swap partition.
Code:
swapon --summary
Filename Type Size Used Priority
/dev/mapper/cryptswap1 partition 1998844 0 -1
If you don't see output like mine (the numbers may differ), you don't have encryption.
Code:
sudo cryptsetup status cryptswap1
/dev/mapper/cryptswap1 is active and is in use.
type: PLAIN
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/sda1
offset: 0 sectors
size: 3997696 sectors
mode: read/write
Make a note of the device. Mine says /dev/sda1 but yours could say something else, e.g. /dev/sdb3.
- Back up.
__________________________________________________
HOW TO SET UP HIBERNATION
- Turn off swap.
Code:
sudo swapoff /dev/mapper/cryptswap1
- Undo the existing mapping.
Code:
sudo cryptsetup luksClose /dev/mapper/cryptswap1
- Set up swap again, but this time with your chosen passphrase. The command will prompt you, twice, for your passphrase.
Replace /dev/sdXN with the device from Preparation point 3.
Code:
sudo cryptsetup luksFormat --cipher aes-cbc-essiv:sha256 --verify-passphrase --key-size 256 /dev/sdXN
WARNING!
========
This will overwrite data on /dev/sda1 irrevocably.
Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase: [type your passphrase]
Verify passphrase: [type your passphrase]
- Re-map the swap.
Replace /dev/sdXN with the device from Preparation point 3.
Code:
sudo cryptsetup luksOpen /dev/sdXN cryptswap1
Enter passphrase for /dev/sda1: [type your passphrase]
- Set up the partition as swap.
Code:
sudo mkswap /dev/mapper/cryptswap1
- Turn on the swap (so you have swap again).
- Check that it is working. You should see output similar to mine (the numbers may differ).
Code:
swapon --summary
Filename Type Size Used Priority
/dev/mapper/cryptswap1 partition 1996796 0 -1
- Edit (using gksudo gedit or your favourite editor) the file /etc/crypttab. Comment out the existing line by adding # to the front (or just delete the line), and add the following line.
Replace /dev/sdXN with the device from Preparation point 3.
Code:
cryptswap1 /dev/sdXN none luks
- Edit the file /usr/share/initramfs-tools/scripts/local-top/cryptroot. Search for the following line (should be line 288, but this could change over time):
Code:
message "cryptsetup: unknown error setting up device mapping"
Skip to the next blank line (should be 291, before FSTYPE=''), and insert the following line.
Replace /dev/sdXN with the device from Preparation point 3.
Code:
/sbin/cryptsetup luksOpen /dev/sdXN cryptswap1
- Edit the file /etc/acpi/hibernate.sh. At the first blank line, insert the following line.
Code:
DEVICE='/dev/mapper/cryptswap1'
- Edit the file /etc/initramfs-tools/conf.d/resume. Replace the existing RESUME line with the following line.
Code:
RESUME=/dev/mapper/cryptswap1
- Register these changes.
Code:
sudo update-initramfs -u -k all
- Ubuntu disables the Hibernate option in the menu. Restore it as follows. Create (using gksudo gedit or your favourite editor) the file:
/etc/polkit-1/localauthority/50-local.d/com.ubuntu.enable-hibernate.pkla
Fill the file with the following text and save.
Code:
[Re-enable hibernate by default]
Identity=unix-user:*
Action=org.freedesktop.upower.hibernate
ResultActive=yes
__________________________________________________
USING YOUR NEW SWAP FOR THE FIRST TIME
- Reboot your machine.
- You will receive a prompt for swap's encryption passphrase. Remember that your mouse does not work at this point. Type your passphrase and press Enter.
__________________________________________________
The prompt for your passphrase.
Attachment 218696
__________________________________________________
If you mistype a passphrase three times, the system will boot anyway but without your swap enabled. Repeat the How-To if you have forgotten your passphrase.
Attachment 218697
__________________________________________________
After correctly typing your passphrase.
Attachment 218698
__________________________________________________
HOW TO HIBERNATE
Either:
- Use Hibernate from the shut-down menu
Or:
- Press Alt-F2 and type
Code:
gksudo pm-hibernate
(If you do this from a terminal, you can use sudo instead of gksudo)
Once your machine has shut down, restart. Did your programs resume normally? If so, hibernate and resume work!
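A pre-reboot sanity check for the two files the how-to above edits, added here as an example and not part of the original post: it confirms that the active cryptswap1 line in /etc/crypttab is no longer keyed from a random source and that RESUME points at the mapping. The function name, return codes and sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: check_hibernate_cfg CRYPTTAB RESUME_CONF [NAME]
# Returns 0 = consistent, 1 = crypttab entry unusable for resume,
#         2 = RESUME does not point at the mapping.
check_hibernate_cfg() {
    crypttab=$1 resume=$2 name=${3:-cryptswap1}
    # First active (uncommented) crypttab line whose target name matches.
    line=$(awk -v n="$name" '$1 == n { print; exit }' "$crypttab")
    if [ -z "$line" ]; then
        echo "no active $name entry in $crypttab"; return 1
    fi
    set -- $line            # fields: target, source device, key file, options
    key=$3 opts=$4
    case $key in
        /dev/urandom|/dev/random)
            echo "$name is keyed from $key: new key each boot, resume impossible"
            return 1 ;;
    esac
    case ",$opts," in
        *,luks,*) ;;
        *) echo "$name is not opened as a LUKS device"; return 1 ;;
    esac
    if ! grep -Fqx "RESUME=/dev/mapper/$name" "$resume"; then
        echo "$resume does not set RESUME=/dev/mapper/$name"; return 2
    fi
    echo "ok: $name is passphrase-keyed and RESUME points at it"
}

# Constructed sample files (assumed shapes, not copied from a real system).
tmp=$(mktemp -d)
printf '%s\n' 'cryptswap1 /dev/sdXN /dev/urandom swap,cipher=aes-cbc-essiv:sha256' \
    > "$tmp/crypttab.before"
printf '%s\n' '#cryptswap1 /dev/sdXN /dev/urandom swap,cipher=aes-cbc-essiv:sha256' \
    'cryptswap1 /dev/sdXN none luks' > "$tmp/crypttab.after"
printf '%s\n' 'RESUME=/dev/mapper/cryptswap1' > "$tmp/resume"

check_hibernate_cfg "$tmp/crypttab.before" "$tmp/resume" || echo "(rejected, rc=$?)"
check_hibernate_cfg "$tmp/crypttab.after" "$tmp/resume"
```

On a real system, call `check_hibernate_cfg /etc/crypttab /etc/initramfs-tools/conf.d/resume` before running update-initramfs.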
Re: How-To: Fix hibernate to work with encrypted folders and swap
Hi,
I created a post here, but was told to ask in this thread.. I wonder if you can give any advice..
To summarise so far, I tried to hibernate before finding this thread and so had encrypted swap with a random key. On trying to restart, it hung saying that it could not stat /dev/dm-0. I could only boot by modifying the boot command to add noresume.
I have since tried unencrypting swap, which has no effect. I have also followed the steps in the above tutorial. Then, I managed to restart without locking up (didn't try hibernate). I then tried to undo each step in the hope that it had cleared whatever flag thinks it still wants to resume from hibernation but I am now back to square one.
I do not want to be able to hibernate.. I just want the system to boot normally again!
I have also noticed that when I try update-initramfs, I get the following error:
Code:
cryptsetup: WARNING: failed to detect canonical device of /dev/dm-0
This looks to be related to the boot problem, so don't know if it helps to clarify at all?? This is with swap totally decrypted.
Thanks for any suggestions!!
Re: How-To: Fix hibernate to work with encrypted folders and swap
Quote:
Originally Posted by inneedofsomehelp
To summarise so far, I tried to hibernate before finding this thread and so had encrypted swap with a random key...
There are a number of problems needing diagnosis, so I have answered you in your original thread.
Re: How-To: Fix hibernate to work with encrypted folders and swap
This thread is closed.
The information is now held on the community wiki at https://help.ubuntu.com/community/En...hEncryptedSwap
Thank you for your thread and the work you have done in keeping it current and of use to the community.
A thread for discussion of the wiki can be found at http://ubuntuforums.org/showthread.php?t=2012408
Support threads regarding the wiki and its content should be created in a suitable forum.