hjkl Apprentice
Joined: 22 Apr 2021 Posts: 198 Location: Somewhere in Europe
|
Posted: Wed Jul 14, 2021 9:31 pm Post subject: [SOLVED] Encrypted swap doesn't show up in swapon -s |
|
|
Hi,
I'd like to make my swap be encrypted and more or less successfully set it up via /etc/conf.d/cryptsetup:
Code: |
# /etc/conf.d/dmcrypt
# For people who run dmcrypt on top of some other layer (like raid),
# use rc_need to specify that requirement. See the runscript(8) man
# page for more information.
#--------------------
# Instructions
#--------------------
# Note regarding the syntax of this file. This file is *almost* bash,
# but each line is evaluated separately. Separate swaps/targets can be
# specified. The init-script which reads this file assumes that a
# swap= or target= line starts a new section, similar to lilo or grub
# configuration.
# Note when using gpg keys and /usr on a separate partition, you will
# have to copy /usr/bin/gpg to /bin/gpg so that it will work properly
# and ensure that gpg has been compiled statically.
# See http://bugs.gentoo.org/90482 for more information.
# Note that the init-script which reads this file detects whether your
# partition is LUKS or not. No mkfs is run unless you specify a makefs
# option.
# Global options:
#----------------
# How long to wait for each timeout (in seconds).
dmcrypt_key_timeout=1
# Max number of checks to perform (see dmcrypt_key_timeout).
#dmcrypt_max_timeout=300
# Number of password retries.
dmcrypt_retries=5
# Arguments:
#-----------
# target=<name> == Mapping name for partition.
# swap=<name> == Mapping name for swap partition.
# source='<dev>' == Real device for partition.
# Note: You can (and should) specify a tag like UUID
# for blkid (see -t option). This is safer than using
# the full path to the device.
# key='</path/to/keyfile>[:<mode>]' == Fullpath from / or from inside removable media.
# remdev='<dev>' == Device that will be assigned to removable media.
# gpg_options='<opts>' == Default are --quiet --decrypt
# options='<opts>' == cryptsetup, for LUKS you can only use --readonly
# loop_file='<file>' == Loopback file.
# Note: If you omit $source, then a free loopback will
# be looked up automatically.
# pre_mount='cmds' == commands to execute before mounting partition.
# post_mount='cmds' == commands to execute after mounting partition.
#-----------
# Supported Modes
# gpg == decrypt and pipe key into cryptsetup.
# Note: new-line character must not be part of key.
# Command to erase \n char: 'cat key | tr -d '\n' > cleanKey'
#--------------------
# dm-crypt examples
#--------------------
## swap
# Swap partitions. These should come first so that no keys make their
# way into unencrypted swap.
# If no options are given, they will default to: -c aes -h sha1 -d /dev/urandom
# If no makefs is given then mkswap will be assumed
swap=crypt-swap
source='/dev/sdc7'
## /home with passphrase
target=crypt-home
source='/dev/sda1'
## /home with regular keyfile
#target=crypt-swap
#source='/dev/sdc7'
#key='/etc/keys/crypt-swap-key'
## /home with gpg protected key
#target=crypt-home
#source='/dev/hda5'
#key='/full/path/to/homekey:gpg'
## /home with regular keyfile on removable media(such as usb-stick)
#target=crypt-home
#source='/dev/hda5'
#key='/full/path/to/homekey'
#remdev='/dev/sda1'
## /home with gpg protected key on removable media(such as usb-stick)
#target=crypt-home
#source='/dev/hda5'
#key='/full/path/to/homekey:gpg'
#remdev='/dev/sda1'
## /tmp with regular keyfile
#target=crypt-tmp
#source='/dev/hda6'
#key='/full/path/to/tmpkey'
#pre_mount='/sbin/mkreiserfs -f -f ${dev}'
#post_mount='chown root:root ${mount_point}; chmod 1777 ${mount_point}'
## Loopback file example
#target='crypt-loop-home'
#source='/dev/loop0'
#loop_file='/mnt/crypt/home'
# The file must be terminated by a newline. Or leave this comment last.
|
It shows up fine when I boot up (log_level=1)
I tried adding it to my fstab, did nothing.
It said that it couldn't be found or something along those lines.
I'm confused. _________________ Having problems compiling since 2021
Last edited by hjkl on Thu Jul 15, 2021 8:22 am; edited 1 time in total |
pietinger Moderator
Joined: 17 Oct 2006 Posts: 4124 Location: Bavaria
|
Posted: Wed Jul 14, 2021 11:04 pm Post subject: Re: Encrypted swap doesn't show up in swapon -s |
|
|
hjkl wrote: | It shows up fine when I boot up (log_level=1) |
That means you have set dmcrypt to your runlevel "boot" - good.
hjkl wrote: | I tried adding it to my fstab, did nothing.
It said that it couldn't be found or something along those lines. |
Maybe the line for swap in your fstab is not correct. It should be:
Code: | /dev/mapper/crypt-swap none swap sw 0 0 |
P.S.: Is /dev/sdc7 really your swap?
(You can also use partlabel; take a look into: https://forums.gentoo.org/viewtopic-p-8457358.html#8457358 ) |
Hu Moderator
Joined: 06 Mar 2007 Posts: 21593
|
Posted: Thu Jul 15, 2021 1:30 am Post subject: |
|
|
If you still need help, please post your /etc/fstab, and the boot output starting at the first reference to swap (encrypted or not) and continuing down to where the error message appears. |
hjkl Apprentice
Joined: 22 Apr 2021 Posts: 198 Location: Somewhere in Europe
|
Posted: Thu Jul 15, 2021 8:16 am Post subject: |
|
|
Hu wrote: | If you still need help, please post your /etc/fstab, and the boot output starting at the first reference to swap (encrypted or not) and continuing down to where the error message appears. |
The boot output (more or less since I can't take a screenshot in the tty)
Code: |
Setting up dm-crypt mappings ...
crypt-home using: open /dev/sda1 crypt-home
Enter passphrase for /dev/sda1:
crypt-swap using: -c aes -h -h sha1 -d /dev/urandom create crypt-swap /dev/mapper/crypt-swap
WARNING: The --hash parameter is being ignored in plain mode with keyfile specified.
pre_mount: mkswap /dev/mapper/cryptswap
dm-crypt mapping crypt-home already is configured
|
(Nothing else related to dm-crypt after this)
Code: |
# /etc/fstab: static file system information.
#
# noatime turns off atimes for increased performance (atimes normally aren't
# needed); notail increases performance of ReiserFS (at the expense of storage
# efficiency). It's safe to drop the noatime options if you want and to
# switch between notail / tail freely.
#
# The root filesystem should have a pass number of either 0 or 1.
# All other filesystems should have a pass number of 0 or greater than 1.
#
# See the manpage fstab(5) for more information.
#
# <fs> <mountpoint> <type> <opts> <dump/pass>
# NOTE: If your BOOT partition is ReiserFS, add the notail option to opts.
#
# NOTE: Even though we list ext4 as the type here, it will work with ext2/ext3
# filesystems. This just tells the kernel to use the ext4 driver.
#
# NOTE: You can use full paths to devices like /dev/sda3, but it is often
# more reliable to use filesystem labels or UUIDs. See your filesystem
# documentation for details on setting a label. To obtain the UUID, use
# the blkid(8) command.
#LABEL=boot /boot ext4 noauto,noatime 1 2
#UUID=58e72203-57d1-4497-81ad-97655bd56494 / ext4 noatime 0 1
#LABEL=swap none swap sw 0 0
#/dev/cdrom /mnt/cdrom auto noauto,ro 0 0
#/home
#UUID="e968edac-b8bf-4256-878a-c5efd0f7aa76" /home ext4 nosuid,nodev,rw,noatime 0 2
#/
UUID="4f72248f-ccd4-422c-bad0-253df6543668" / ext4 rw,noatime 0 1
#/boot
UUID="E67E-6074" /boot vfat nosuid,nodev,noexec,noatime 0 2
#swap
#UUID="7d8ec487-59c8-455e-9862-8eacabec2d06" none swap sw 0 0
/dev/cdrom /mnt/cdrom auto noauto,user 0 0
tmpfs /portage tmpfs rw,nosuid,noatime,nodev,size=20G,mode=775,uid=portage,gid=portage 0 0
UUID="657c1c28-bf27-4fb1-9f06-0fecb2bce94d" /var ext4 nosuid,noexec,nodev,noatime 0 2
proc /proc proc nosuid,nodev,noexec,hidepid=2,gid=polkitd 0 0
tmpfs /tmp tmpfs nosuid,nodev,noexec 0 0
#home
UUID="f65470e7-0742-4d4a-8a6e-4cae7ce2d934" /home ext4 nosuid,nodev 0 2
tmpfs /home/hjkl/.cache tmpfs noatime,nodev,nosuid,size=400M 0 0
|
hjkl Apprentice
Joined: 22 Apr 2021 Posts: 198 Location: Somewhere in Europe
|
Posted: Thu Jul 15, 2021 8:22 am Post subject: Re: Encrypted swap doesn't show up in swapon -s |
|
|
pietinger wrote: | hjkl wrote: | It shows up fine when I boot up (log_level=1) |
That means you have set dmcrypt to your runlevel "boot" - good.
hjkl wrote: | I tried adding it to my fstab, did nothing.
It said that it couldn't be found or something along those lines. |
Maybe the line for swap in your fstab is not correct. It should be:
Code: | /dev/mapper/crypt-swap none swap sw 0 0 |
P.S.: Is /dev/sdc7 really your swap?
(You can also use partlabel; take a look into: https://forums.gentoo.org/viewtopic-p-8457358.html#8457358 ) |
The /etc/fstab line solved it.
Had to use /dev/mapper/crypt-swap instead of the UUID. |
Hu Moderator
Joined: 06 Mar 2007 Posts: 21593
|
Posted: Fri Jul 16, 2021 2:28 am Post subject: |
|
|
I believe a UUID= line for swap would look at the UUID in the swap header, which you set at mkswap time, or you get a random one if you do not set it. You were not setting it, so the UUID was random, which gives you a 1 in 2**128 chance of having the right value in fstab. |
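An added example, not part of any post in this thread: a small lint that cross-checks the dmcrypt conf.d file against /etc/fstab for the failure discussed above, where a random-key swap mapping is re-created by mkswap on every boot and so can only be referenced as /dev/mapper/<name>. The function names and the sample inputs are constructed for illustration; the samples mirror the active lines of the files posted earlier.

```python
import re

# Constructed samples mirroring the files posted in this thread.
DMCRYPT = "swap=crypt-swap\nsource='/dev/sdc7'\ntarget=crypt-home\nsource='/dev/sda1'\n"
FSTAB_UUID = 'UUID="00000000-0000-4000-8000-000000000000" none swap sw 0 0\n'
FSTAB_MAPPER = "/dev/mapper/crypt-swap none swap sw 0 0\n"


def parse_dmcrypt(text):
    """Split the file into sections; a swap= or target= line starts a new one."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip().strip("'\"")
        if key in ("swap", "target"):
            sections.append({"kind": key, "name": value})
        elif sections:  # global options before the first section are ignored
            sections[-1][key] = value
    return sections


def fstab_swap_specs(text):
    """Return the <fs> field of each uncommented fstab line of type swap."""
    rows = (l.split() for l in text.splitlines() if not l.lstrip().startswith("#"))
    return [r[0].replace('"', "") for r in rows if len(r) >= 3 and r[2] == "swap"]


def lint(dmcrypt_text, fstab_text):
    """Return findings for swap= mappings that get a random key (no key=)."""
    findings = []
    specs = fstab_swap_specs(fstab_text)
    for sec in parse_dmcrypt(dmcrypt_text):
        if sec["kind"] != "swap" or "key" in sec:
            continue
        mapper = "/dev/mapper/" + sec["name"]
        # mkswap runs on every boot, so the swap header UUID/label never persists.
        if mapper not in specs:
            findings.append(f"fstab has no swap entry for {mapper}")
        findings += [f"{s} cannot match {mapper}: header is rewritten each boot"
                     for s in specs if s.startswith(("UUID=", "LABEL="))]
        # The conf file's own note prefers a blkid tag over a device path.
        if re.fullmatch(r"/dev/[shv]d[a-z]+\d*", sec.get("source", "")):
            findings.append(f"source {sec['source']} is a kernel name that can change")
    return findings
```

Run against the real files with `lint(open("/etc/conf.d/dmcrypt").read(), open("/etc/fstab").read())`; an empty list means the swap mapping is referenced by its mapper path and its source uses a stable tag.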