How to create an encrypted swap partition that is enabled at boot? With dm-crypt and some small configuration changes, notably in `/etc/fstab` and `/etc/crypttab`, it turned out to be quite easy. The only downside to this method is the inability to resume from hibernation.

With that in mind, the first step is to have a suitable partition. This can be done using any standard tool, but the most commonly used one is gparted. If you are inexperienced with partitioning tools, this guide is best avoided; the reader is fully expected to be able to set up an empty partition of the desired size on their own. With the partition ready, execute the following commands, replacing `PARTITION` with your own desired partition. Be sure to remember the password you set for the new dm-crypt partition.
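```
# Create the LUKS container; -y asks for the passphrase twice, -v is verbose
cryptsetup -y -v luksFormat /dev/PARTITION
# Open it as /dev/mapper/cryptswap
cryptsetup luksOpen /dev/PARTITION cryptswap
# Zero-fill through the mapping; dd stops with "No space left on device" when done
dd if=/dev/zero of=/dev/mapper/cryptswap bs=1M
mkswap /dev/mapper/cryptswap
```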
Setup crypttab
The block device id is needed to uniquely identify the partition in `/etc/crypttab`. To find it, execute `lsblk -f`. From the output, copy the UUID of the partition whose FSTYPE is `crypto_LUKS`.
Random password for every boot
Edit `/etc/crypttab` and add a line similar to the following, being sure to replace the UUID:
```
cryptswap UUID=12345678-1234-1234-1234-123456789abc /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256
```
Save the changes to crypttab and proceed to edit fstab in `/etc/fstab` by appending the line:
```
/dev/mapper/cryptswap none swap defaults 0 0
```
Same password for every boot
Create a small file containing the password in plain text, preferably in `/root/cryptpasswd`. The code below can be executed as root to set up the required configuration. The PASSWORD and THEUUID variables of course need to be changed.
```
PASSWORD="your-password-here"
THEUUID="your-uuid-here"
# Write the key file with root-only permissions from the start.
# No trailing newline: cryptsetup would treat it as part of the key.
(umask 077; printf '%s' "$PASSWORD" > /root/cryptpasswd)
chown root:root /root/cryptpasswd
chmod 600 /root/cryptpasswd
echo "cryptswap UUID=$THEUUID /root/cryptpasswd" >> /etc/crypttab
# Drop the password and UUID from the shell environment
unset PASSWORD THEUUID
```
Quick steps
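Execute the following and adjust variables where necessary:
```
# The empty partition prepared earlier, not a whole disk
PARTITION="your-partition-here"
# Must match the passphrase entered at the luksFormat prompt
PASSWORD="your-password-here"
cryptsetup -y -v luksFormat "/dev/$PARTITION"
cryptsetup luksOpen "/dev/$PARTITION" cryptswap
# dd stops with "No space left on device" once the mapping is full
dd if=/dev/zero of=/dev/mapper/cryptswap bs=1M
mkswap /dev/mapper/cryptswap
# The UUID only exists once luksFormat has written the LUKS header
THEUUID="$(cryptsetup luksUUID "/dev/$PARTITION")"
# Root-only key file, written without a trailing newline
(umask 077; printf '%s' "$PASSWORD" > /root/cryptpasswd)
chown root:root /root/cryptpasswd
chmod 600 /root/cryptpasswd
echo "cryptswap UUID=$THEUUID /root/cryptpasswd" >> /etc/crypttab
echo "/dev/mapper/cryptswap none swap defaults 0 0" >> /etc/fstab
unset PASSWORD THEUUID
```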
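
A check for the finished configuration, added here as an example and not part of the original guide. The hypothetical `check_cryptswap` function reads a crypttab and an fstab and flags unstable device names, a random key without the `swap` option, and key files that are accessible beyond their owner or end in a newline; the sample files it builds are constructed.

```shell
#!/bin/sh
# Added example: audit a crypttab/fstab pair for the encrypted-swap setup.
# Paths are arguments, so it can be pointed at copies instead of /etc.

# Prints one finding per line for each crypttab mapping that fstab uses as swap.
check_cryptswap() {
    crypttab=$1; fstab=$2
    while read -r name dev key opts || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac
        # Skip mappings that fstab does not use as swap.
        awk -v m="/dev/mapper/$name" \
            '$1 == m && $3 == "swap" { f = 1 } END { exit !f }' "$fstab" || continue
        # Kernel names such as /dev/sdb2 can change between boots.
        case $dev in
            UUID=*|PARTUUID=*|/dev/disk/by-*) ;;
            *) echo "$name: unstable device name $dev" ;;
        esac
        case $key in none|-|'') continue ;; esac   # passphrase is asked interactively
        if [ "$key" = /dev/urandom ]; then
            # A new random key each boot needs the swap option to rerun mkswap.
            case ",$opts," in
                *,swap,*) echo "$name: random key, resume from hibernation unavailable" ;;
                *) echo "$name: random key without the swap option" ;;
            esac
        elif [ ! -f "$key" ]; then
            echo "$name: key file $key missing"
        else
            # Any group/other permission bit exposes the plain-text password.
            perms=$(ls -ld "$key" | cut -c2-10)
            case $perms in
                ???------) ;;
                *) echo "$name: key file permissions $perms too open" ;;
            esac
            # cryptsetup treats a trailing newline in a key file as key material.
            last=$(tail -c 1 "$key" | od -An -tx1 | tr -d ' \n')
            [ "$last" != 0a ] || echo "$name: key file ends with a newline"
        fi
    done < "$crypttab"
    return 0
}

# Constructed sample files (not real system configuration) in a temp dir.
demo=$(mktemp -d)
printf 'hunter2\n' > "$demo/key"; chmod 644 "$demo/key"
printf 'cryptswap UUID=12345678-1234-1234-1234-123456789abc %s\n' "$demo/key" > "$demo/crypttab"
printf '/dev/mapper/cryptswap none swap defaults 0 0\n' > "$demo/fstab"
check_cryptswap "$demo/crypttab" "$demo/fstab"
```

On a real system, run it as root with `/etc/crypttab` and `/etc/fstab` as the two arguments; no output means no findings.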