Ubuntu – Encrypted home partition + encrypted swap + working hibernate

Tags: 13.10, encryption, hibernate, swap, trim

I would like to set up disk encryption on Ubuntu 13.10 such that I have

  • plain /
  • encrypted /home partition
  • encrypted swap partition
  • working hibernation and resume

As these requirements suggest, this is to protect me from a potential laptop thief reading my personal data. With / being unencrypted, it does not protect from somebody taking the laptop, installing a keylogger, and giving it back to me.

I have read EnableHibernateWithEncryptedSwap but it's written for Ubuntu 12.04, and I'm not confident that it still works or that it's the recommended way.

What would be an up-to-date setup?

Best Answer

I managed to set up an encrypted home and encrypted swap with working hibernate.

I use uswsusp and largely followed this article - still works for Ubuntu 13.10.

  • On boot, I get two password prompts (one for home and one for swap) under the Ubuntu logo.
  • With apt-get install uswsusp, Ubuntu automatically switched pm-hibernate to use uswsusp, so all GUI tools use it as well.
  • On resume from hibernate, I get one password prompt as expected.

Some parts of my setup:

Creating the encrypted partitions

# For /home
sudo cryptsetup --cipher aes-xts-plain --key-size 256 --hash sha512 --use-random --verify-passphrase luksFormat /dev/sdb2
# For swap
sudo cryptsetup --cipher aes-xts-plain --key-size 256 --hash sha512 --use-random --verify-passphrase luksFormat /dev/sdb3
  • I use aes-xts-plain because it is the fastest in cryptsetup benchmark (only works with cryptsetup >= 1.6). Many guides use aes-cbc-essiv, but from what I've read so far, xts protects against watermarking just as well as cbc-essiv. If you use partitions >= 2TB, you should use aes-xts-plain64 instead of -plain. More info about these options and choices can be found here.

  • After creating these partitions, you of course have to create the according filesystems on them, e.g. with mkswap /dev/mapper/cryptoswap and mkfs.ext4 /dev/mapper/cryptohome.

/etc/crypttab

cryptohome   /dev/disk/by-uuid/8cef7fd1-cceb-4a4a-9902-cb9a5805643c   none   luks,discard
cryptoswap   /dev/disk/by-uuid/a99c196d-55df-460f-a162-00c4ea6d46e6   none   luks,discard

/etc/fstab

UUID=a4a2187d-a2d2-4a4c-9746-be511c151296  /       ext4   errors=remount-ro  0  1
/dev/mapper/cryptoswap                     none    swap   sw,discard         0  0
/dev/mapper/cryptohome                     /home   ext4   discard            0  2
  • I use the discard option in both crypttab and fstab to enable TRIM for the SSD I'm using.
  • I had to adjust /etc/initramfs-tools/conf.d/resume away from the old swap UUID to the new /dev/mapper/cryptoswap to get rid of a warning at update-initramfs -u -k all.

This is still very similar to EnableHibernateWithEncryptedSwap, but it looks like I didn't have to edit /usr/share/initramfs-tools/scripts/local-top/cryptroot or /etc/acpi/hibernate.sh (if you have a hint why it was needed, please leave a comment - maybe the difference is that this setup uses uswsusp?).
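The answer above hinges on three files agreeing with each other: every /dev/mapper device in fstab must have a crypttab entry of the same name, swap must be the mapped device (otherwise the hibernation image, which contains the unlocked /home key material, is written to disk in the clear), the resume file must name that mapped device rather than the old UUID, and discard must be set on both layers or TRIM is silently off. The script below is an added example, not code from the answer or from Ubuntu; it checks those four points against constructed copies of the answer's crypttab/fstab entries. It assumes the standard whitespace-separated crypttab and fstab layout and a resume file consisting of a single RESUME=<device> line, which is the format Ubuntu's initramfs-tools uses.

```shell
#!/bin/sh
# Added example (not part of the original answer): consistency checks for the
# crypttab / fstab / resume trio behind an encrypted-home + encrypted-swap +
# hibernate setup. Assumes whitespace-separated crypttab and fstab and a
# resume file holding one line of the form RESUME=<device>.

# check_crypt_config CRYPTTAB FSTAB RESUME
# Prints one line per finding; returns 0 when no error was found, 1 otherwise.
check_crypt_config() {
    crypttab=$1; fstab=$2; resume=$3
    rc=0

    # Every /dev/mapper/NAME referenced in fstab needs a crypttab entry with the
    # same NAME, or the initramfs never unlocks it and boot stalls on /home.
    for mapper in $(awk '!/^#/ && $1 ~ /^\/dev\/mapper\//{print $1}' "$fstab"); do
        name=${mapper#/dev/mapper/}
        if ! awk -v n="$name" '!/^#/ && $1 == n {f=1} END{exit f ? 0 : 1}' "$crypttab"; then
            echo "ERROR: $mapper is in fstab but '$name' has no crypttab entry"
            rc=1
        fi
        # TRIM only reaches the SSD when discard is set on the dm-crypt layer
        # (crypttab) AND on the swap/filesystem layer (fstab); one side alone is a no-op.
        fs_discard=$(awk -v m="$mapper" '!/^#/ && $1 == m {print ($4 ~ /discard/) ? 1 : 0}' "$fstab")
        ct_discard=$(awk -v n="$name" '!/^#/ && $1 == n {print ($4 ~ /discard/) ? 1 : 0}' "$crypttab")
        if [ "${fs_discard:-0}" != "${ct_discard:-0}" ]; then
            echo "WARN: discard set on only one side for $name (fstab=${fs_discard:-0} crypttab=${ct_discard:-0})"
        fi
    done

    # Hibernation dumps RAM into swap, so swap must be a mapped (encrypted)
    # device; a raw partition would store the image, keys included, in clear.
    swapdev=$(awk '!/^#/ && $3 == "swap" {print $1; exit}' "$fstab")
    case $swapdev in
        /dev/mapper/*) ;;
        "") echo "ERROR: no swap entry in fstab; hibernate needs a swap device"; rc=1 ;;
        *)  echo "ERROR: swap $swapdev is not a /dev/mapper device (unencrypted)"; rc=1 ;;
    esac

    # The resume file must name the mapped swap device, not the pre-encryption
    # UUID; a stale value is what produces the update-initramfs warning.
    if [ -n "$swapdev" ]; then
        target=$(sed -n 's/^RESUME=//p' "$resume")
        if [ "$target" != "$swapdev" ]; then
            echo "ERROR: RESUME=$target does not match swap device $swapdev"
            rc=1
        fi
    fi
    return $rc
}

# write_sample_config DIR
# Constructed sample files mirroring the answer's layout (UUIDs copied from the answer).
write_sample_config() {
    cat > "$1/crypttab" <<'EOF'
cryptohome   /dev/disk/by-uuid/8cef7fd1-cceb-4a4a-9902-cb9a5805643c   none   luks,discard
cryptoswap   /dev/disk/by-uuid/a99c196d-55df-460f-a162-00c4ea6d46e6   none   luks,discard
EOF
    cat > "$1/fstab" <<'EOF'
UUID=a4a2187d-a2d2-4a4c-9746-be511c151296  /       ext4   errors=remount-ro  0  1
/dev/mapper/cryptoswap                     none    swap   sw,discard         0  0
/dev/mapper/cryptohome                     /home   ext4   discard            0  2
EOF
    echo "RESUME=/dev/mapper/cryptoswap" > "$1/resume"
}

# write_stale_resume DIR
# The mistake the answer mentions: resume still pointing at the old raw swap
# UUID (placeholder UUID, constructed for the example).
write_stale_resume() {
    echo "RESUME=UUID=00000000-0000-0000-0000-000000000000" > "$1/resume"
}

# Demo against the constructed samples. For a real machine call:
#   check_crypt_config /etc/crypttab /etc/fstab /etc/initramfs-tools/conf.d/resume
demo_dir=$(mktemp -d)
write_sample_config "$demo_dir"
check_crypt_config "$demo_dir/crypttab" "$demo_dir/fstab" "$demo_dir/resume" && echo "OK: sample config is consistent"
write_stale_resume "$demo_dir"
check_crypt_config "$demo_dir/crypttab" "$demo_dir/fstab" "$demo_dir/resume" || echo "FAIL: stale resume file detected, as expected"
rm -rf "$demo_dir"
```

Run it once after editing the three files and again after `update-initramfs -u -k all`; a clean run means the unlock prompts, the swap mapping and the resume target all refer to the same device names, which is exactly the state the answer describes.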