How-To: Fix hibernate to work with encrypted folders and swap
IMPORTANT
This thread has been moved to the Community Wiki. I shall no longer update this thread (although you are welcome to post queries here); I shall update the Wiki instead.
A thread for discussion of the wiki page only can be found here http://ubuntuforums.org/showthread.p...9#post12062069
Thread closed.
__________________________________________________
RAISON D'ÊTRE
- Many people have asked how to get hibernation to work with encrypted folders. The problem is that the swap partition is also encrypted, but with a random key, so on restarting there is no way to resume.
- Now sharney, who uses Linux Mint, has found a way to solve this problem (on Mint, of course). The idea is to replace the random key with a password of your choice (you could use the same password as your login, but see Disclaimers & Warnings below, point 6).
- I thought I'd see whether or not I could get this working on Ubuntu, which is a little different from both Mint (despite Mint's origins in Ubuntu) and sharney, who uses full-disk encryption. I succeeded! Hence, this how-to.
- Of course, as new information comes to light or as errors are discovered, I shall update this first post.
__________________________________________________
DISCLAIMERS & WARNINGS
- I presume that you know how to use the Terminal. (This how-to quite advanced — well, for me it is — so if you don't know how to use the Terminal, this how-to is not for you.)
- I tested this both on a virtual machine using Virtual Box and on a native installation. The Virtual Box had a strange problem — when resuming, the screen remained black, although the applications were still open. But the native installation worked correctly.
- I tested this on Ubuntu Precise 12.04 (fully updated), so I don't know whether or not it will work on other versions.
- Canonical does not support this function (yet), so use it at your own risk. I disclaim responsibility, because I'm not terribly technical and I discovered the method through reading and trial-and-error, not by any cleverness.
- Please follow the instructions carefully, otherwise you may find your system unable to boot (but you can recover with the Recovery Option or a Live CD).
- If more than one person uses your machine, every user will need to know the encryption password for the swap.
__________________________________________________
EXPLANATION
- Your existing encrypted swap partition uses a random key, generated each time you boot.
- You will be replacing that random key method with a fixed key using a password of your choice.
- It is possible to replace the password with a file, meaning that you wouldn't have to remember an extra password — but that file would be visible to anyone with physical access to your computer (e.g. via a Live USB).
- If you forget your password, you will still be able to boot (after trying three times), but you won't have a swap partition. However, you can repeat this How-To to set it up again, so it's not a big deal.
- Wherever there is coding in this How-To, I shall use blue for anything you need to type, with italics where you need to adjust something.
__________________________________________________
PREPARATION
- Your computer must already be set up for encryption. If not, please set up encryption and come back here.
- Think of a password (or passphrase) for your swap partition. You can use the same as your log-in — but don't do that if other people have accounts on your computer! (See Disclaimers & Warnings point 6.)
- Find out which is your encrypted swap partition.
If you don't see output like mine (the numbers may differ), you don't have encryption.Code:swapon --summary Filename Type Size Used Priority /dev/mapper/cryptswap1 partition 1998844 0 -1Make a note of the device. Mine says /dev/sda1 — but yours could say something else, e.g. /dev/sdb3.Code:sudo cryptsetup status cryptswap1 /dev/mapper/cryptswap1 is active and is in use. type: PLAIN cipher: aes-cbc-essiv:sha256 keysize: 256 bits device: /dev/sda1 offset: 0 sectors size: 3997696 sectors mode: read/write- Back up.
__________________________________________________
HOW TO SET UP HIBERNATION
- Turn off swap.
Code:sudo swapoff /dev/mapper/cryptswap1- Undo the existing mapping.
Code:sudo cryptsetup luksClose /dev/mapper/cryptswap1- Set up swap again, but this time with your chosen passphrase. The command will prompt you, twice, for your passphrase.
Replace /dev/sdXN with the device from Preparation point 3.Code:sudo cryptsetup luksFormat --cipher aes-cbc-essiv:sha256 --verify-passphrase --key-size 256 /dev/sdXN WARNING! ======== This will overwrite data on /dev/sda1 irrevocably. Are you sure? (Type uppercase yes): YES Enter LUKS passphrase: [type your passphrase] Verify passphrase: [type your passphrase]- Re-map the swap.
Replace /dev/sdXN with the device from Preparation point 3.Code:sudo cryptsetup luksOpen /dev/sdXN cryptswap1 Enter passphrase for /dev/sda1: [type your passphrase]- Set up the partition as swap.
Code:sudo mkswap /dev/mapper/cryptswap1- Turn on the swap (so you have swap again).
Code:sudo swapon --all- Check that it is working. You should see output similar to mine (the numbers may differ).
Code:swapon --summary Filename Type Size Used Priority /dev/mapper/cryptswap1 partition 1996796 0 -1- Edit (using gksudo gedit or your favourite editor) the file /etc/crypttab. Comment out the existing line by adding # to the front (or just delete the line), and add the following line.
Replace /dev/sdXN with the device from Preparation point 3.Code:cryptswap1 /dev/sdXN none luks- Edit the file /usr/share/initramfs-tools/scripts/local-top/cryptroot. Search for the following line (should be line 288, but this could change over time):
Skip to the next blank line (should be 291, before FSTYPE=''), and insert the following line.Code:message "cryptsetup: unknown error setting up device mapping"
Replace /dev/sdXN with the device from Preparation point 3.Code:/sbin/cryptsetup luksOpen /dev/sdXN cryptswap1- Edit the file /etc/acpi/hibernate.sh. At the first blank line, insert the following line.
Code:DEVICE='/dev/mapper/cryptswap1'- Edit the file /etc/initramfs-tools/conf.d/resume. Replace the existing RESUME line with the following line.
Code:RESUME=/dev/mapper/cryptswap1- Register these changes.
Code:sudo update-initramfs -u -k all- Ubuntu disables the Hibernate option in the menu. Restore it as follows. Create (using gksudo gedit or your favourite editor) the file:
/etc/polkit-1/localauthority/50-local.d/com.ubuntu.enable-hibernate.pkla
Fill the file with the following text and save.Code:[Re-enable hibernate by default] Identity=unix-user:* Action=org.freedesktop.upower.hibernate ResultActive=yes
__________________________________________________
USING YOUR NEW SWAP FOR THE FIRST TIME
- Reboot your machine.
- You will receive a prompt for swap's encryption passphrase. Remember that your mouse does not work at this point. Type your passphrase and press Enter.
__________________________________________________
The prompt for your passphrase.
Prompt for cryptswap1 passphrase on booting.png
__________________________________________________
If you mistype a passphrase three times, the system will boot anyway but without your swap enabled. Repeat the How-To if you have forgotten your passphrase.
Incorrect cryptswap1 passphrase.png
__________________________________________________
After correctly typing your passphrase.
Correct cryptswap1 passphrase.png
__________________________________________________
HOW TO HIBERNATE
Either:
- Use Hibernate from the shut-down menu
Or:
- Press Alt-F2 and type
(If you do this from a terminal, you can use sudo instead of gksudo)Code:gksudo pm-hibernate
Once your machine has shut down, restart. Did your programs resume normally? If so, hibernate and resume work!
Adv Reply
Originally Posted by inneedofsomehelp
Bookmarks