Encrypted swap partition that enables upon boot with dm-crypt

How do you create an encrypted swap partition that is enabled at boot? With dm-crypt and a few small configuration changes, mainly in /etc/fstab and /etc/crypttab, it turned out to be quite easy. The only downside to this method is that resuming from hibernation is not possible. With that in mind, the first step is to have a suitable partition; this can be done with any standard tool, the most commonly used one being gparted. If you are inexperienced with partitioning tools this guide is best avoided: the reader is expected to be able to set up an empty partition of the desired size on his own. With the partition ready, execute the following commands, replacing `PARTITION` with your own partition. Be sure to remember the password you set for the new dm-crypt partition.

# Format the partition as a LUKS volume (-y asks for the passphrase twice, -v is verbose)
cryptsetup -y -v luksFormat /dev/PARTITION
cryptsetup luksOpen /dev/PARTITION cryptswap
# Fill the mapping with zeros; they reach the disk as ciphertext, so old data is wiped.
# dd stops with "No space left on device" once the mapping is full; that is expected.
dd if=/dev/zero of=/dev/mapper/cryptswap bs=1M
mkswap /dev/mapper/cryptswap

Setup crypttab

In order for the system to activate the swap partition at boot it must be unlocked automatically, which is configured in /etc/crypttab. The UUID of the block device is needed to uniquely identify the partition in crypttab; obtain it with lsblk -f and copy the UUID of the partition whose FSTYPE is crypto_LUKS.
At this point you can decide to generate a new random key for the swap partition on every boot; however, this makes resuming from hibernation impossible. The alternative is a text file, stored in a secure place in the filesystem, that contains the dm-crypt partition password. This file must be owned by root, group root, with permissions 700.

Random password for every boot

Edit /etc/crypttab and add a line like the following, replacing the UUID with your own:
cryptswap UUID=12345678-1234-1234-1234-123456789abc /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256
Note that the swap option makes the system run mkswap on the mapping at every boot and implies plain (headerless) dm-crypt mode, so a LUKS header on the partition, and with it the UUID shown by lsblk -f, is overwritten at the first boot; if the UUID can no longer be found afterwards, refer to the partition by a stable path under /dev/disk/by-id/ instead. Save the changes to crypttab and append the following line to /etc/fstab:
/dev/mapper/cryptswap none swap defaults 0 0

Same password for every boot

Create a small file containing the password in plain text, preferably /root/cryptpasswd. The commands below can be executed as root to set up the required configuration; the PASSWORD and THEUUID variables of course need to be changed.
PASSWORD="your-password-here"
THEUUID="your-uuid-here"
# Create the key file readable by root only, without echoing the password to the terminal.
# printf without a trailing newline: cryptsetup uses the whole file, newline included, as the passphrase.
(umask 077; printf '%s' "$PASSWORD" > /root/cryptpasswd)
chown root:root /root/cryptpasswd
chmod 700 /root/cryptpasswd
echo "cryptswap UUID=$THEUUID /root/cryptpasswd" >> /etc/crypttab
unset PASSWORD THEUUID
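As an added check that is not part of the original post, the POSIX sh functions below audit the two things this section produces: the key file (owner, mode, no trailing newline) and the crypttab line (source form, and the swap option when the key is /dev/urandom). The function names audit_keyfile and audit_crypttab_line are my own; stat -c assumes GNU coreutils.

```shell
#!/bin/sh
# Sanity checks for a dm-crypt swap key file and its crypttab entry.
# Each function reports the problems it finds on stderr and returns 1
# if there were any, so it can be used by hand or from a script.

# audit_keyfile FILE [EXPECTED_OWNER]   (owner defaults to root)
audit_keyfile() {
    f=$1; owner=${2:-root}; rc=0
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    # No group or other bits: 600 is sufficient, 700 as used above is fine too.
    mode=$(stat -c %a "$f")
    case $mode in
        600|700) ;;
        *) echo "$f: mode $mode, expected 600 or 700" >&2; rc=1 ;;
    esac
    [ "$(stat -c %U "$f")" = "$owner" ] ||
        { echo "$f: not owned by $owner" >&2; rc=1; }
    # cryptsetup uses the whole file as the passphrase, so a trailing newline
    # (as left by echo) makes it differ from the passphrase typed at luksFormat.
    if [ "$(tail -c 1 "$f" | wc -l)" -eq 1 ]; then
        echo "$f: ends with a newline that becomes part of the passphrase" >&2; rc=1
    fi
    return $rc
}

# audit_crypttab_line "NAME SOURCE KEY [OPTIONS]"
audit_crypttab_line() {
    # shellcheck disable=SC2086  (splitting the line on whitespace is intended)
    set -- $1
    [ $# -ge 3 ] || { echo "crypttab: need at least name, source and key" >&2; return 1; }
    src=$2; key=$3; opts=${4:-}; rc=0
    case $src in
        UUID=*|/dev/*) ;;
        *) echo "crypttab: source '$src' is neither UUID=... nor a /dev path" >&2; rc=1 ;;
    esac
    # A random key only works with the swap option, which runs mkswap on the
    # mapping at every boot (and implies plain dm-crypt mode).
    if [ "$key" = /dev/urandom ]; then
        case ",$opts," in
            *,swap,*) ;;
            *) echo "crypttab: /dev/urandom key without the swap option" >&2; rc=1 ;;
        esac
    fi
    return $rc
}
```

Run it as root against /root/cryptpasswd and the line you added to /etc/crypttab; a non-zero exit means something needs fixing before the next reboot.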

Quick steps

Execute the following as root, adjusting the variables where necessary:
PARTITION="sdXN"                 # the swap partition, e.g. sda3 (a partition, not a whole disk)
PASSWORD="your-password-here"
THEUUID="your-uuid-here"
cryptsetup -y -v luksFormat /dev/$PARTITION
cryptsetup luksOpen /dev/$PARTITION cryptswap
# dd stops with "No space left on device" once the mapping is full; that is expected.
dd if=/dev/zero of=/dev/mapper/cryptswap bs=1M
mkswap /dev/mapper/cryptswap
# Key file readable by root only, written without a trailing newline
(umask 077; printf '%s' "$PASSWORD" > /root/cryptpasswd)
chown root:root /root/cryptpasswd
chmod 700 /root/cryptpasswd
echo "cryptswap UUID=$THEUUID /root/cryptpasswd" >> /etc/crypttab
echo "/dev/mapper/cryptswap none swap defaults 0 0" >> /etc/fstab
unset PASSWORD THEUUID
