Prerequisites:
- This tutorial requires the use of Terminal to install necessary applications and configure files and directories.
- This procedure was tested on Ubuntu 12.04 (fully updated). Do not assume it will work on other versions or distributions.
- If more than one person uses your machine, every user will need to know the encryption password for the swap.
- Your existing encrypted swap partition uses a random key, generated each time you boot.
- You will be replacing that random key method with a fixed key using a password of your choice. This password must be typed into the computer every time it is started or resumed from hibernation, whether by you or a different user.
- It is possible to replace the password with a file, meaning that you wouldn't have to remember an extra password — but that file would be visible to anyone with physical access to your computer (e.g. via a Live USB).
- If you forget your password, you will still be able to boot (after trying three times), but you won't have a swap partition. However, you can repeat this How-To to set it up again, so it's not a big deal.
- Your computer must already be set up for encryption. If not, follow instructions in Post Installation Encryption first.
- Think of a password (or passphrase) for your swap partition. You can use the same as your log-in — but don't do that if other people have accounts on your computer!
- Find out which is your encrypted swap partition. "
swapon --summary" Output should be similar to figure 1. If you do not see cryptswap1, the partition is either unencrypted or is not encrypted to Ubuntu's standard.
figure 1.
sudo cryptsetup status cryptswap1
/dev/mapper/cryptswap1 is active and is in use.
type: PLAIN
cipher: aes-cbc-essiv:sha256
keysize: 256 bits
device: /dev/sda1
offset: 0 sectors
size: 3997696 sectors
mode: read/write- Make a note of the device. The one in the example says /dev/sda1 — but yours could be something else, e.g. /dev/sdb3.
Setting Up Hibernation:
1. Turn of Swap
sudo swapoff /dev/mapper/cryptswap1
2. Undo the existing mapping.
sudo cryptsetup luksClose /dev/mapper/cryptswap1
3. Set up swap again, but this time with your chosen passphrase. The command will prompt you, twice, for your passphrase. Replace /dev/sdXN with the device from Preparation point 4. (The following command wraps on the browser screen, but it is a single command that you need to type.)
sudo cryptsetup luksFormat --cipher aes-cbc-essiv:sha256 --verify-passphrase --key-size 256 /dev/sdXN
Output should be
WARNING!
========
This will overwrite data on /dev/sda1 irrevocably.
Are you sure? (Type uppercase yes):
Enter LUKS passphrase:
Verify passphrase:
Type YES and enter your passphrase twice as prompted.
4. Re-map the swap. Replace /dev/sdXN with the device from Preparation point 4.
4. Re-map the swap. Replace /dev/sdXN with the device from Preparation point 4.
sudo cryptsetup luksOpen /dev/sdXN cryptswap1
5. Set up the partition as swap.
sudo mkswap /dev/mapper/cryptswap1
6. Turn on the swap (so it starts working again).
sudo swapon --all
7. Check that it is working.
swapon --summary
You should see output similar
to this (the numbers may differ).
8. Using gksudo with your favorite editor (the default for Ubuntu is gedit), edit the file /etc/crypttab. Comment out the existing line by adding # to the front (or just delete the line), and add the following line. Replace /dev/sdXN with the device from Preparation point 4.
Filename Type Size Used Priority
/dev/mapper/cryptswap1 partition 1996796 0 -1
8. Using gksudo with your favorite editor (the default for Ubuntu is gedit), edit the file /etc/crypttab. Comment out the existing line by adding # to the front (or just delete the line), and add the following line. Replace /dev/sdXN with the device from Preparation point 4.
cryptswap1 /dev/sdXN none luks
9. Edit the file /usr/share/initramfs-tools/scripts/local-top/cryptroot. Search for the following line (should be line 288, but this could change over time):
message "cryptsetup: unknown error setting up device mapping"
Skip to the next blank line (should be 291, before FSTYPE=''), and insert the following line. Replace /dev/sdXN with the device from Preparation point 4.
/sbin/cryptsetup luksOpen /dev/sdXN cryptswap1
10. Edit the file /etc/acpi/hibernate.sh. At the first blank line, insert the following line.
/sbin/cryptsetup luksOpen /dev/sdXN cryptswap1
11. Edit the file /etc/initramfs-tools/conf.d/resume. Replace the existing RESUME line with the following line.
RESUME=/dev/mapper/cryptswap1
12. Register these changes.
sudo update-initramfs -u -k all
13. Ubuntu disables the Hibernate option in the menu. Restore it as follows. Create (using gksudo with your favorite editor) the file:
/etc/polkit-1/localauthority/50-local.d/com.ubuntu.enable-hibernate.pkla
Fill the file with the following text and save.
/etc/polkit-1/localauthority/50-local.d/com.ubuntu.enable-hibernate.pkla
Fill the file with the following text and save.
[Re-enable hibernate by default]
Identity=unix-user:*
Action=org.freedesktop.upower.hibernate
ResultActive=yes
First time use of New Swap:
1. Reboot your machine.
2. You will receive a prompt for swap's encryption passphrase. Remember that your mouse does not work at this point. Type your passphrase and press Enter.
3. If you mistype a passphrase three times, the system will boot anyway but without your swap enabled. Repeat the How-To if you have forgotten your passphrase.
No comments:
Post a Comment