Ubuntu – stop crypttab asking for password for swap

luks

I installed a fresh 11.04 system when it was released and set up full disk encryption with LUKS. At first it asked me for a password for my three encrypted partitions:

/
/home
swap

Typing in the passphrase three times got frustrating, so I tried to set up /home and swap to decrypt from a keyfile stored on /. I created the keyfile and enabled it on the two partitions. My crypttab now looks like this:

root-root_crypt UUID=13c21bf6-4d92-42a7-877a-87cc31b1aa19 none luks
home-home_crypt UUID=ba90ce5b-9df7-4764-8a72-011bbb164db4 /root/keyfile luks
home-home_crypt UUID=ba90ce5b-9df7-4764-8a72-011bbb164db4 none luks
sda3_crypt UUID=e4677895-2114-4054-9f23-d36f6bb0e6a2 /root/keyfile luks,swap

This works fine for /home, which gets mounted automatically without asking for a password. But cryptsetup still asks for a password for the swap space. I've even tried adding noauto to the swap space so it wouldn't be set up at all — once the system is booted I can enable it without the passphrase, so I thought I'd just add a late init script to do it, but even with noauto cryptsetup still asks for the passphrase.

Thanks!

Best Answer

Had the same question; here is how I did it on Ubuntu 12.04.1 and 12.10.

--Before starting, make sure you have a backup and can also boot your system from an Ubuntu CD or USB; if you make a mistake, your system may not boot anymore or you may lose data. I assume you have an encrypted Ubuntu system with LUKS; inside LUKS you have 3 partitions: SYSTEM-BOOT (not encrypted), SYSTEM-SWAP (encrypted) and SYSTEM-OS (encrypted)--

You need to adjust the UUIDs, SYSTEM-SWAP_crypt, SYSTEM-OS_crypt, SYSTEM-SWAP and SYSTEM-OS to the variation used on your system; please see the reference link below my solution for more info.

Get UUIDs:

blkid

Prepare >

swapoff /dev/mapper/SYSTEM-SWAP_crypt
cryptsetup luksClose SYSTEM-SWAP_crypt

Tell cryptsetup to compute the passphrase of the swap partition from the decryption key of the volume holding the root filesystem >

/lib/cryptsetup/scripts/decrypt_derived SYSTEM-OS_crypt | cryptsetup luksFormat /dev/mapper/SYSTEM-SWAP --key-file -
/lib/cryptsetup/scripts/decrypt_derived SYSTEM-OS_crypt | cryptsetup luksOpen /dev/mapper/SYSTEM-SWAP SYSTEM-SWAP_crypt --key-file -
mkswap /dev/mapper/SYSTEM-SWAP_crypt

Tell the system about the swap partition, edit crypttab >

nano /etc/crypttab

Make sure these two lines match:

SYSTEM-OS_crypt UUID=uuid-of-luks-containing-osroot none luks
SYSTEM-SWAP_crypt UUID=uuid-of-luks-containing-swap SYSTEM-OS_crypt luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived

Tell the system about the swap partition, edit fstab >

nano /etc/fstab

Make sure you have this line:

/dev/mapper/SYSTEM-SWAP_crypt swap swap sw 0 0

Tell the system about the swap partition, edit resume >

nano /etc/initramfs-tools/conf.d/resume

Make sure you have this line:

RESUME=UUID=uuid-of-encrypted-swap-SYSTEM-SWAP_crypt

Update the initramfs on the boot partition >

update-initramfs -u -k all

Reference

The answer was inspired by Setting up an encrypted Debian system (archived link):

If you are using an encrypted Debian system, you likely have some security requirements to meet. If that's the case, you must also use an encrypted swap partition.

The swap partition can be encrypted in two ways:

  • it can be recreated on every boot, using a random passphrase, or
  • it can be created like the other encrypted volumes with a persistent passphrase

If you want to use suspend-to-disk, you cannot use the first approach as it would overwrite your memory footprint stored in the swap partition. Furthermore, you cannot use a key file like the other partitions, since the root filesystem is not (and must not be) mounted by the time the resume process starts and needs to read the decrypted swap partition.

The way I solved this is by telling cryptsetup to compute the passphrase of the swap partition from the decryption key of the volume holding the root filesystem; the cryptsetup package implements this with /lib/cryptsetup/scripts/decrypt_derived. Thus, to set up the swap partition, I do the following, assuming hda2 is the partition holding the encrypted swap and the root filesystem is in hda5_crypt:

swapoff /dev/mapper/hda2_crypt
cryptsetup luksClose hda2_crypt
dd if=/dev/urandom of=/dev/hda2
/lib/cryptsetup/scripts/decrypt_derived hda5_crypt \
  | cryptsetup luksFormat /dev/hda2 --key-file -
/lib/cryptsetup/scripts/decrypt_derived hda5_crypt \
  | cryptsetup luksOpen /dev/hda2 hda2_crypt --key-file -
mkswap /dev/mapper/hda2_crypt

To tell the system about this swap partition, we need to add it to /etc/crypttab and /etc/fstab; make sure, those files contain lines like the following:

/etc/crypttab:
  hda2_crypt /dev/hda2 hda5_crypt luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived

/etc/fstab:
  /dev/mapper/hda2_crypt swap swap sw 0 0

With this in place, as soon as you configure the system for suspend-to-disk, the swap partition will be automatically set up alongside the root filesystem very early during the boot sequence. To figure out which swap partition to make available at that point, cryptsetup checks the following:

  • a line like RESUME=/dev/mapper/hda2_crypt in /etc/initramfs-tools/conf.d/resume
  • a resume device setting in /etc/uswsusp.conf (see uswsusp.conf(5))
  • an entry in /etc/suspend.conf
  • a resume=/dev/mapper/hda2_crypt in the kernel command line

You can inspect /usr/share/initramfs-tools/hooks/cryptroot if you want to know more about this.
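The mistake in the question (a key file on the root filesystem, which the initramfs cannot read when it opens swap) and the ordering requirement of the decrypt_derived approach in the answer are both easy to get wrong and only show up after a reboot. As an added example, not code from the question, the answer or the Debian notes, here is a small POSIX shell pre-flight check for /etc/crypttab that flags those configurations before you run update-initramfs. The function name check_crypttab and the swap-mapping argument are my own choices; the two sample crypttabs are copied from the question and the answer above, and the third (the answer's lines in reverse order) is constructed to show the ordering failure.

```shell
#!/bin/sh
# Added example (not code from the question, the answer or the Debian notes):
# a pre-flight check for /etc/crypttab that flags the configurations which
# make the initramfs prompt for the swap passphrase, so you catch them
# before running update-initramfs and rebooting.
#
# Usage: check_crypttab <crypttab-file> <swap-mapping-name>
# The swap mapping name is passed in because crypttab does not say which
# entry is swap; only /etc/fstab (and the RESUME setting) does.

DERIVED=/lib/cryptsetup/scripts/decrypt_derived

check_crypttab() {
    tab=$1 swap=$2
    rc=0 found=0 seen=" "      # names of mappings opened on earlier lines
    while read -r name src key opts; do
        case $name in ''|'#'*) continue ;; esac
        if [ "$name" = "$swap" ]; then
            found=1
            case ",$opts," in
            *",keyscript=$DERIVED,"*)
                # decrypt_derived reads the master key of an already-open
                # mapping, so that mapping must come earlier in crypttab.
                case $seen in
                *" $key "*) ;;
                *) echo "$name: derived-key source '$key' is not a mapping listed earlier in crypttab"
                   rc=1 ;;
                esac ;;
            *,keyscript=*)
                ;;               # some other keyscript; out of scope here
            *)
                case $key in
                none)
                    echo "$name: key is 'none', so cryptsetup will prompt for a passphrase at boot"
                    rc=1 ;;
                /*)
                    # A key file on a filesystem (the question's /root/keyfile)
                    # cannot be read at resume time: root is not mounted yet,
                    # so the initramfs falls back to prompting.
                    echo "$name: key file $key is not readable when swap is opened; use keyscript=$DERIVED instead"
                    rc=1 ;;
                esac ;;
            esac
        fi
        seen="$seen$name "
    done < "$tab"
    [ "$found" -eq 1 ] || { echo "no crypttab entry named $swap"; rc=1; }
    return $rc
}

# Constructed sample files: the question's crypttab, the answer's crypttab,
# and a variant with the answer's two lines in the wrong order.
write_samples() {
    TMPD=${TMPD:-$(mktemp -d)}
    trap 'rm -rf "$TMPD"' EXIT
    BAD_TAB=$TMPD/crypttab.question
    cat > "$BAD_TAB" <<'EOF'
root-root_crypt UUID=13c21bf6-4d92-42a7-877a-87cc31b1aa19 none luks
home-home_crypt UUID=ba90ce5b-9df7-4764-8a72-011bbb164db4 /root/keyfile luks
sda3_crypt UUID=e4677895-2114-4054-9f23-d36f6bb0e6a2 /root/keyfile luks,swap
EOF
    GOOD_TAB=$TMPD/crypttab.answer
    cat > "$GOOD_TAB" <<'EOF'
SYSTEM-OS_crypt UUID=uuid-of-luks-containing-osroot none luks
SYSTEM-SWAP_crypt UUID=uuid-of-luks-containing-swap SYSTEM-OS_crypt luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived
EOF
    ORDER_TAB=$TMPD/crypttab.reversed
    cat > "$ORDER_TAB" <<'EOF'
SYSTEM-SWAP_crypt UUID=uuid-of-luks-containing-swap SYSTEM-OS_crypt luks,keyscript=/lib/cryptsetup/scripts/decrypt_derived
SYSTEM-OS_crypt UUID=uuid-of-luks-containing-osroot none luks
EOF
}

# Demo run against the samples; on a real system call, for example,
#   check_crypttab /etc/crypttab SYSTEM-SWAP_crypt
write_samples
echo "== question's crypttab =="
check_crypttab "$BAD_TAB" sda3_crypt || echo "-> fix before update-initramfs"
echo "== answer's lines in the wrong order =="
check_crypttab "$ORDER_TAB" SYSTEM-SWAP_crypt || echo "-> fix before update-initramfs"
echo "== answer's crypttab =="
if check_crypttab "$GOOD_TAB" SYSTEM-SWAP_crypt; then echo "-> consistent"; fi
```

The check deliberately reads only crypttab; it does not verify that the RESUME line in /etc/initramfs-tools/conf.d/resume points at the same mapping, which you should still confirm by hand before rebooting.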