Swap encryption (via LUKS) and Hibernation (disk suspend) - Debian


Thread: Swap encryption (via LUKS) and Hibernation (disk suspend)

  1. Swap encryption (via LUKS) and Hibernation (disk suspend)

    Hello,

    After digging around manuals, search engines and forums, I have come to the conclusion that trying suspend to disk (hibernate) is a hit or miss with an encrypted swap via LUKS.

    What is the state of doing hibernation with encrypted swap in Debian? After doing a "fresh install" using the amazing Debian installer which pre-configures LUKS, what extra steps, if any, are needed to accomplish this goal?

    The assumption being that on a non-encrypted system, hibernation works without problems.

    Cheers.


    --
    To UNSUBSCRIBE, email to debian-laptop-REQUEST@lists.debian.org
    with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

  2. Re: Swap encryption (via LUKS) and Hibernation (disk suspend)

    On Fri, May 04, 2007 at 01:03:22 -0400, q9u3x4c02@sneakemail.com wrote:
    > Hello,
    >
    > After digging around manuals, search engines and forums, I have come
    > to the conclusion that trying suspend to disk (hibernate) is a hit or
    > miss with an encrypted swap via LUKS.
    >
    > What is the state of doing hibernation with encrypted swap in
    > Debian? After doing a "fresh install" using the amazing Debian
    > installer which pre-configures LUKS, what extra steps, if any, are
    > needed to accomplish this goal?


    The built-in kernel suspend is not capable of doing this. You need to
    look at suspend2 http://www.suspend2.net/

    Frank



  3. Re: Swap encryption (via LUKS) and Hibernation (disk suspend)

    On Fri, 04-05-2007 at 13:03 -0400, q9u3x4c02@sneakemail.com wrote:
    > Hello,
    >
    > After digging around manuals, search engines and forums, I have come to the conclusion that trying suspend to disk (hibernate) is a hit or miss with an encrypted swap via LUKS.
    > What is the state of doing hibernation with encrypted swap in Debian? After doing a "fresh install" using the amazing Debian installer which pre-configures LUKS, what extra steps, if any, are needed to accomplish this goal?


    Right now, just using uswsusp, with an encrypted swap partition, it
    works out of the box.

    The initramfs-tools package contains the needed hooks to unlock the
    encrypted partition with cryptsetup. It works for me.

    If you want to use suspend2, you must patch and build a new kernel.


    >
    > The assumption being that on a non-encrypted system, hibernation works without problems.
    >
    > Cheers.
    >
    >




  4. Re: Swap encryption (via LUKS) and Hibernation (disk suspend)

    On Friday 04 May 2007 13:25, Gerardo Curiel gcuriel-at-gmail.com |debian_laptop| wrote:
    > Right now, just using uswsusp, with an encrypted swap partition, it
    > works out of the box


    This sounds great, thank you.

    > The initramfs-tools package contains the needed hooks to unlock the
    > encrypted partition with cryptsetup. It works for me.


    This is encouraging, because a lot of the search results said otherwise. Good to know that things have improved.

    > If you want to use suspend2, you must patch and build a new kernel.


    I would rather use uswsusp and not patch the kernel.

    Right now I have the following two packages installed: hibernate and uswsusp. The hibernate package description says that it supports both suspend2 and /sys/power/state. Am I correct to assume that uswsusp uses neither? I want to make sure "just in case" and because by default the laptop task installs hibernate. The last thing I need is a corrupt partition.

    Thank you for the generous replies. They helped a lot!



  5. Re: Swap encryption (via LUKS) and Hibernation (disk suspend)

    AFAIK, uswsusp uses the /sys/power/state method, but I'm not absolutely
    sure.


    On 5/4/07, q9u3x4c02@sneakemail.com wrote:
    > I would rather use uswsusp and not patch the kernel.
    >
    > Right now I have the following two packages installed: hibernate and
    > uswsusp. The hibernate package description says that it supports both
    > suspend2 and /sys/power/state. Am I correct to assume that uswsusp uses
    > neither? I want to make sure "just in case" and because by default the
    > laptop task installs hibernate. The last thing I need is a corrupt
    > partition.
    >
    > Thank you for the generous replies. They helped a lot!



    --
    Gerardo Curiel
    Geek By NaTure,LiNuX By ChOiCe,DebiAn of CoUrsE
    gpg fingerprint: 228B 0F96 8653 DF52 9740 B75E FB32 9C30 E179 7BD2
    http://www.debian.org


  6. Re: Swap encryption (via LUKS) and Hibernation (disk suspend)

    On Fri, May 04, 2007 at 01:25:09PM -0400, Gerardo Curiel wrote:
    > On Fri, 04-05-2007 at 13:03 -0400, q9u3x4c02@sneakemail.com wrote:
    >> Hello,
    >>
    >> After digging around manuals, search engines and forums, I have come to the conclusion that trying suspend to disk (hibernate) is a hit or miss with an encrypted swap via LUKS.
    >> What is the state of doing hibernation with encrypted swap in Debian? After doing a "fresh install" using the amazing Debian installer which pre-configures LUKS, what extra steps, if any, are needed to accomplish this goal?
    >
    > Right now, just using uswsusp, with an encrypted swap partition, it
    > works out of the box
    >
    > The initramfs-tools package contains the needed hooks to unlock the
    > encrypted partition with cryptsetup. It works for me.


    Not for me. The initramfs was built upon install and it recognized my
    encrypted swap, but after hibernation the correct device was not found.

    Frank



  7. Re: Swap encryption (via LUKS) and Hibernation (disk suspend)

    Frank Ursel wrote:
    > Gerardo Curiel wrote:
    > > Right now, just using uswsusp, with an encrypted swap partition, it
    > > works out of the box
    > >
    > > The initramfs-tools package contains the needed hooks to unlock the
    > > encrypted partition with cryptsetup. It works for me.
    >
    > Not for me. The initramfs was built upon install and it recognized my
    > encrypted swap, but after hibernation the correct device was not found.


    I recently installed Etch on two different laptops, one a T42 and the
    other a T43p. On both the encrypted installation worked perfectly and
    both were able to hibernate to encrypted swap and resume without
    trouble. It works for me.

    I think some of the factors that affect this are if the laptop's acpi
    bios is functional or not. My previous laptop suffered from buggy
    acpi problems and I never got suspend to ram to work and I always had
    suspend to disk problems with it. I could only get my previous laptop
    to suspend to disk with swsusp2 and other patches. (Using swsusp2 was
    a lifesaver!) The point here is that the problem may not be the Etch
    installation as such but rather it may be a problem on the specific
    model of machine it is being installed upon. All other things being
    equal some models of laptop may work perfectly while other models of
    laptops will have problems.

    The other place that might cause problems is that it is not
    completely obvious how encryption should be installed. First you do
    this and then you do that. It is possible to install the system with
    a less than optimal configuration of encryption and that may also be
    causing problems.

    Let me very tersely describe this process. The first thing is to
    create a physical volume for encryption. That enables a new option to
    configure encrypted filesystems. Then what I think is best is to use
    lvm to manage all of the rest. Therefore I create an lvm partition on
    the newly created encrypted partition. That enables a new option to
    configure lvm. Then create (at least) two logical volumes, one for
    swap and one for everything else. Then assign all of the partitions.
    This creates both swap and filesystem partitions layered through lvm
    layered through the encrypted partition.

    This process enables one single encrypted partition and so a single
    LUKS password at boot time needs to be entered. But it supports
    through lvm as many logical volumes as desired. The Debian kernels
    and mkinitrd are configured to set up the initrd automatically with
    the layers of drivers needed to make this work out of the box.

    It works for me. Your mileage may vary.

    Bob



  8. Re: Swap encryption (via LUKS) and Hibernation (disk suspend)

    On Saturday 05 May 2007 11:56, Bob Proulx wrote:
    > I recently installed Etch on two different laptops, one a T42 and the
    > other a T43p. On both the encrypted installation worked perfectly and
    > both were able to hibernate to encrypted swap and resume without
    > trouble. It works for me.


    That is of great relief, thank you. I was wondering how the installer actually
    dealt with setting up encryption. I cannot find any documentation on the
    procedures it takes, as I know that there are different (optimal and not so
    optimal) ways of setting up LUKS.

    Did you also use LVM2 by any chance? I would actually like to have both LVM2
    and LUKS if possible.

    > I think some of the factors that affect this are if the laptop's acpi
    > bios is functional or not. My previous laptop suffered from buggy
    > acpi problems and I never got suspend to ram to work and I always had
    > suspend to disk problems with it. I could only get my previous laptop
    > to suspend to disk with swsusp2 and other patches. (Using swsusp2 was
    > a lifesaver!) The point here is that the problem may not be the Etch
    > installation as such but rather it may be a problem on the specific
    > model of machine it is being installed upon. All other things being
    > equal some models of laptop may work perfectly while other models of
    > laptops will have problems.


    From my experiences, it is almost always based on the machine's hardware. Not
    counting software issues such as the suspend buttons not working or programs
    not invoking the proper command.

    > The other place that might cause problems is that it is not
    > completely obvious how encryption should be installed. First you do
    > this and then you do that. It is possible to install the system with
    > a less than optimal configuration of encryption and that may also be
    > causing problems.
    >
    > Let me very tersely describe this process. The first thing is to
    > create a physical volume for encryption. That enables a new option to
    > configure encrypted filesystems. Then what I think is best is to use
    > lvm to manage all of the rest. Therefore I create an lvm partition on
    > the newly created encrypted partition. That enables a new option to
    > configure lvm. Then create (at least) two logical volumes, one for
    > swap and one for everything else. Then assign all of the partitions.
    > This creates both swap and filesystem partitions layered through lvm
    > layered through the encrypted partition.
    >
    > This process enables one single encrypted partition and so a single
    > LUKS password at boot time needs to be entered. But it supports
    > through lvm as many logical volumes as desired. The Debian kernels
    > and mkinitrd are configured to set up the initrd automatically with
    > the layers of drivers needed to make this work out of the box.


    Thank you very much for that explanation. It is great news to know that the
    Debian developers created such a fine installer.

    > It works for me. Your mileage may vary.


    I really hope my mileage will not vary! I am really worried of the
    installation working and even suspend and hibernation working correctly but
    then one day, whether due to upgrade or whatnot, hibernation fails, corrupts
    swap and upon resume, corrupts my data.

  9. Re: Swap encryption (via LUKS) and Hibernation (disk suspend)

    q9u3x4c02@sneakemail.com wrote:
    > Did you also use LVM2 by any chance? I would actually like to have both LVM2
    > and LUKS if possible.


    Yes it is lvm2. I used the debian-install to set it up. lvm2 is the
    default now.

    > > It works for me. Your mileage may vary.

    >
    > I really hope my mileage will not vary! I am really worried of the
    > installation working and even suspend and hibernation working correctly but
    > then one day, whether due to upgrade or whatnot, hibernation fails, corrupts
    > swap and upon resume, corrupts my data.


    While trying things I have many times had both suspend to memory and
    to disk both fail. I have fsck'd my disks many times. Although it is
    possible to experience filesystem corruption it is a rare thing and
    not something that happens with every crash. I would not fear it as
    an overwhelming problem.

    One clarification though. In my case I was specifically talking about
    suspend to disk working for me. The original question was about
    suspending to disk with an encrypted partition and that was the point
    I was addressing. With my described configuration on the T42 suspend
    to disk with an encrypted partition is working perfectly and I have
    not yet experienced a failure with it.

    But suspend to ram is not quite so good on my T42. While I can
    demonstrate suspend to ram working I cannot do it reliably 100% of the
    time. This is not related to the encrypted partitions. On the T43p
    (gone to a friend) both types of suspend seem to be quite reliable.
    But unfortunately for me I have not quite converged on a good recipe
    for suspend to ram to be 100% reliable. It sometimes works and
    sometimes fails to resume.

    I am still collecting information about it and will eventually be
    posting my own questions to the list about it. But in the meantime I
    have been using suspend to disk with everything encrypted and that has
    not yet failed me.

    Bob



  10. Re: Swap encryption (via LUKS) and Hibernation (disk suspend)

    On Saturday 05 May 2007 15:31, bob-at-proulx.com (Bob Proulx) |debian_laptop| wrote:
    > But suspend to ram is not quite so good on my T42. While I can
    > demonstrate suspend to ram working I cannot do it reliably 100% of the
    > time. This is not related to the encrypted partitions. On the T43p
    > (gone to a friend) both types of suspend seem to be quite reliable.
    > But unfortunately for me I have not quite converged on a good recipe
    > for suspend to ram to be 100% reliable. It sometimes works and
    > sometimes fails to resume.
    >
    > I am still collecting information about it and will eventually be
    > posting my own questions to the list about it. But in the meantime I
    > have been using suspend to disk with everything encrypted and that has
    > not yet failed me.


    Sounds great. For me, suspend to ram failure is not very significant. If it
    should happen, the only thing that may happen is that any unsaved documents
    will be gone and programs will no longer be as they were with suspend to ram.
    That is, it would be as if I were to pull the plug from the system.

    A suspend to disk failure is much worse because if the swap partition data is
    corrupted before the laptop resumes, the resuming of the laptop can corrupt
    the data on the hard drive. This does not happen to suspend to ram because
    either ram resumes, fails or is wiped upon reboot (and therefore fails). This
    is why you should never suspend to disk and then try booting from another
    kernel (such as booting from a LiveCD) or device. In the LiveCD example, the
    LiveCD will boot, mount your swap and use it as its own corrupting the data
    that was saved during suspend to disk. When the computer is booted and tries
    to resume the suspend to disk from swap, all hell will break loose. This is
    my understanding after reading documentation on the different suspend
    methods.

  11. Re: Swap encryption (via LUKS) and Hibernation (disk suspend)

    On Saturday 05 May 2007 11:56, Bob Proulx wrote:
    > Let me very tersely describe this process. The first thing is to
    > create a physical volume for encryption. That enables a new option to
    > configure encrypted filesystems. Then what I think is best is to use
    > lvm to manage all of the rest. Therefore I create an lvm partition on
    > the newly created encrypted partition. That enables a new option to
    > configure lvm. Then create (at least) two logical volumes, one for
    > swap and one for everything else. Then assign all of the partitions.
    > This creates both swap and filesystem partitions layered through lvm
    > layered through the encrypted partition.
    >
    > This process enables one single encrypted partition and so a single
    > LUKS password at boot time needs to be entered. But it supports
    > through lvm as many logical volumes as desired. The Debian kernels
    > and mkinitrd are configured to set up the initrd automatically with
    > the layers of drivers needed to make this work out of the box.


    All this was done via the Debian installer, correct?

    Also, you opted to have just one real partition, where everything is encrypted
    even /boot? So I take it you use a USB dongle to boot your system initially?

    Or did you mean having /boot as normal and / as encrypted via LUKS then LVM2
    on top of /, with logical partitions within the LVM2. To put it visually:
    /boot (normal)
    /root (LUKS) -> LVM2 -> multiple partitions

    Thank you again for all of your insight.

  12. Re: Swap encryption (via LUKS) and Hibernation (disk suspend)

    q9u3x4c02@sneakemail.com wrote:
    > All this was done via the Debian installer, correct?


    Yes.

    > Also, you opted to have just one real partition, where everything is
    > encrypted even /boot? So I take it you use a USB dongle to boot your
    > system initially?


    For both lvm and for encrypted filesystems /boot needs to be a normal
    filesystem. The initrd will load all of the needed modules and so
    needs to be accessible without those modules. Make it ext2. I made
    mine just a little bit bigger than really required so that I could use
    it as a "drop box" for things like the ipw2200 firmware blobs without
    needing to mount the encrypted partition.

    Also, if the installer tries to load lilo instead of grub then you
    have tripped into a case where "something is wrong" (IMNHO, since I am
    a convert to grub and no longer desire lilo). Start again and check
    everything. When things are right the d-i will install grub.

    > Or did you mean having /boot as normal and / as encrypted via LUKS then LVM2
    > on top of /, with logical partitions within the LVM2. To put it visually:
    > /boot (normal)
    > /root (LUKS) -> LVM2 -> multiple partitions


    I should walk through the install procedure once on a test machine and
    capture the process. But I am sure someone will have already done
    that. Once you have been through it then it all makes sense. But the
    first time through can be a little confusing.

    hda1        /boot primary partition (ext2)
    hda5_crypt  encrypted partition (logical is my preference, but no matter)
    vg0         lvm2 volume group
    vg0-root    logical partition, root of filesystem (ext3 in my case)
    vg0-swap    logical partition, swap

    Bob
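
Added example, not part of the thread and not code from any poster: a shell check, run against copies of the three configuration files involved, that swap and resume settings are consistent for the layout listed above (hda5_crypt -> vg0 -> vg0-swap). It assumes the fstab(5) and crypttab(5) column layouts and the `RESUME=` setting read by Debian's initramfs-tools; the sample files, the `cswap` mapping, `/dev/hda6` and the verdict words are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): static consistency check for
# hibernating onto encrypted swap. All sample data below is constructed.

# First swap device listed in an fstab-format file.
swap_device() { awk '$1 !~ /^#/ && $3 == "swap" { print $1; exit }' "$1"; }

# Value of RESUME= in an initramfs-tools style conf file (assumed format).
resume_device() { sed -n 's/^RESUME=//p' "$1" | head -n 1; }

# Prints one verdict word; returns 0 only for "ok".
check_hibernate_layout() {
    fstab=$1; crypttab=$2; resume_conf=$3
    swap=$(swap_device "$fstab")
    [ -n "$swap" ] || { echo "no-swap"; return 1; }
    # Swap must sit on a device-mapper node (dm-crypt directly, or LVM on it).
    case $swap in
        /dev/mapper/*) ;;
        *) echo "swap-not-mapped"; return 1 ;;
    esac
    # A swap mapping keyed from /dev/(u)random gets a fresh key every boot,
    # so an image written before power-off can never be decrypted on resume.
    if awk -v n="${swap#/dev/mapper/}" '$1 == n && $3 ~ /^\/dev\/u?random$/ { f = 1 }
            END { exit !f }' "$crypttab"; then
        echo "random-key"; return 1
    fi
    # At least one mapping must be LUKS (passphrase entered in the initramfs).
    if ! awk '$1 !~ /^#/ && ("," $4 ",") ~ /,luks,/ { f = 1 } END { exit !f }' "$crypttab"; then
        echo "no-luks"; return 1
    fi
    # The initramfs must look for the image on the device swap really uses.
    [ "$(resume_device "$resume_conf")" = "$swap" ] || { echo "resume-mismatch"; return 1; }
    echo "ok"
}

# Constructed sample files. "good" mirrors the layout from the thread;
# "random" is a throwaway-key swap; "stale" has RESUME= pointing at a
# partition that is not the swap device.
make_sample() {
    dir=$1; variant=$2
    printf '%s\n' '/dev/hda1 /boot ext2 defaults 0 2' \
        '/dev/mapper/vg0-root / ext3 defaults 0 1' \
        '/dev/mapper/vg0-swap none swap sw 0 0' > "$dir/fstab"
    echo 'hda5_crypt /dev/hda5 none luks' > "$dir/crypttab"
    echo 'RESUME=/dev/mapper/vg0-swap' > "$dir/resume"
    case $variant in
        random)
            printf '%s\n' '/dev/hda1 /boot ext2 defaults 0 2' \
                '/dev/mapper/cswap none swap sw 0 0' > "$dir/fstab"
            echo 'cswap /dev/hda6 /dev/urandom swap' > "$dir/crypttab" ;;
        stale) echo 'RESUME=/dev/hda6' > "$dir/resume" ;;
    esac
}

tmp=$(mktemp -d)
for v in good random stale; do
    make_sample "$tmp" "$v"
    printf '%-7s %s\n' "$v" \
        "$(check_hibernate_layout "$tmp/fstab" "$tmp/crypttab" "$tmp/resume" || true)"
done
rm -rf "$tmp"
```

On a real system the three arguments would be /etc/fstab, /etc/crypttab and the file holding the `RESUME=` line; the check only reads them.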
