Size: 7904
Comment:
|
Size: 8344
Comment:
|
Deletions are marked like this. | Additions are marked like this. |
Line 12: | Line 12: |
* Now sharney, who uses Linux Mint, has found [[http://forums.linuxmint.com/viewtopic.php?f=42&t=18743&p=190446#p190446| a way to solve this problem]] (on Mint, of course). The idea is to replace the random key with a password of your choice (you could use the same password as your login, but see Disclaimers & Warnings below, point 6). | * Now sharney, who uses Linux Mint, has found [[http://forums.linuxmint.com/viewtopic.php?f=42&t=18743&p=190446#p190446| a way to solve this problem]] (on Mint, of course). The idea is to replace the random key with a password of your choice (you could use the same password as your login, but see [[EnableHibernateWithEncryptedSwap#Disclaimers_and_Warnings|Disclaimers and Warnings]] below, point 6). |
Line 14: | Line 14: |
* I thought I'd see whether or not I could get this working on Ubuntu, which is a little different from both Mint (despite Mint's origins in Ubuntu) and sharney, who uses full-disk encryption. I succeeded! Hence, this how-to. * Of course, as new information comes to light or as errors are discovered, I shall update this first post. |
* Ubuntu is a little different from both Mint (despite Mint's origins in Ubuntu) and from sharney's situation, who uses full-disk encryption. |
Line 20: | Line 18: |
1. This tutorial presumes that you know how to use the Terminal. (This how-to is quite advanced, so if you don't know how to use the terminal, this how-to is not for you.) 1. This procedure was tested both on a virtual machine using Virtual Box and on a native installation. The '''Virtual Box''' had a strange problem — when resuming, the screen remained black, although the applications were still open. But the '''native installation''' worked correctly. 1. This procedure was tested on '''Ubuntu 12.04''' (fully updated). Do not assume it will work on other versions/distributions. |
1. This tutorial uses the Terminal. If you do not know how to use it, please find out before proceeding. 1. This procedure was tested both on a virtual machine using Virtual Box and on a native installation. The '''Virtual Box''' had a strange problem — when resuming, the screen remained black, although the applications were still open and working. But the '''native installation''' worked correctly. 1. This procedure was tested on '''Ubuntu 12.04''' (fully updated). Do not assume it will work on other versions or distributions. |
Line 31: | Line 29: |
* You will be replacing that random key method with a fixed key using a password of your choice. | * You will be replacing that random key method with a fixed key using a password of your choice. '''This password must be typed into the computer every time it is started or resumed from hibernation''', whether by you or a different user. |
Line 39: | Line 37: |
1. Your computer must already be set up for encryption. If not, follow instructions [[PostInstallationEncryption|here]] first. 1. Think of a password (or passphrase) for your swap partition. You ''can'' use the same as your log-in — but don't do that if other people have accounts on your computer! (See Disclaimers & Warnings point 6.) |
1. Your computer must already be set up for encryption. If not, follow instructions in [[PostInstallationEncryption|Post Installation Encryption]] first. 1. Think of a password (or passphrase) for your swap partition. You can use the same as your log-in — but don't do that if other people have accounts on your computer! (See [[EnableHibernateWithEncryptedSwap#Disclaimers_and_Warnings|Disclaimers and Warnings]] point 6.) |
Line 44: | Line 42: |
You should see output similar to{{{ | You should see output similar to:{{{ |
Line 47: | Line 45: |
}}}If output is dissimilar to example given above, the partition is not encrypted. Next run{{{ |
}}}If you do not see `cryptswap1`, the partition is either unencrypted or is not encrypted to Ubuntu's standard. 1. {{{ |
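Review bot: the new list item that begins at `1. {{{` has no instruction text, because the old lead-in "Next run" was dropped when this step was split off. Put a short sentence in front of the code block saying why the command is run, so the item does not start with a bare command. The later hunks change "Preparation point 3" to "point 4" and rely on this item existing, so check the numbering and those cross-references together.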
Line 60: | Line 58: |
}}}Make a note of the '''device'''. The one in the example says /dev/sda1 — but yours could say something else, e.g. /dev/sdb3. | }}}Make a note of the '''device'''. The one in the example says `/dev/sda1` — but yours could be something else, e.g. `/dev/sdb3`. |
Line 72: | Line 70: |
1. Set up swap again, but this time with your chosen passphrase. The command will prompt you, twice, for your passphrase. '''Replace /dev/sdXN''' with the device from Preparation point 3.{{{ | 1. Set up swap again, but this time with your chosen passphrase. The command will prompt you, twice, for your passphrase. '''Replace `/dev/sdXN`''' with the device from [[EnableHibernateWithEncryptedSwap#Preparation|Preparation]] point 4. (The following command wraps on the browser screen, but it is a single command that you need to type.){{{ |
Line 79: | Line 77: |
Enter LUKS passphrase:] | Enter LUKS passphrase: |
Line 82: | Line 80: |
Enter your passphrase.<<BR>> 1. Re-map the swap. '''Replace /dev/sdXN''' with the device from Preparation point 3.{{{ sudo cryptsetup luksOpen ''/dev/sdXN'' cryptswap1 |
Type `YES` and enter your passphrase twice as prompted. 1. Re-map the swap. '''Replace `/dev/sdXN`''' with the device from [[EnableHibernateWithEncryptedSwap#Preparation|Preparation]] point 4.{{{ sudo cryptsetup luksOpen /dev/sdXN cryptswap1 |
Line 89: | Line 87: |
1. Turn on the swap (so you have swap again).{{{ | 1. Turn on the swap (so it starts working again).{{{ |
Line 92: | Line 90: |
1. Check that it is working. You should see output similar to this (the numbers may differ).{{{ | 1. Check that it is working.{{{ |
Line 94: | Line 92: |
}}}You should see output similar to this (the numbers may differ).{{{ | |
Line 97: | Line 96: |
1. Edit (using gksudo with your favourite editor - default for Ubuntu is gedit) the file /etc/crypttab. Comment out the existing line by adding # to the front (or just delete the line), and add the following line. '''Replace /dev/sdXN''' with the device from Preparation point 3.{{{ cryptswap1 ''/dev/sdXN'' none luks |
1. Using `gksudo` with your favorite editor (the default for Ubuntu is `gedit`), edit the file `/etc/crypttab`. Comment out the existing line by adding `#` to the front (or just delete the line), and add the following line. '''Replace `/dev/sdXN`''' with the device from [[EnableHibernateWithEncryptedSwap#Preparation|Preparation]] point 4.{{{ cryptswap1 /dev/sdXN none luks |
Line 100: | Line 99: |
1. Edit the file /usr/share/initramfs-tools/scripts/local-top/cryptroot. Search for the following line (should be line 288, but this could change over time):{{{ | 1. Edit the file `/usr/share/initramfs-tools/scripts/local-top/cryptroot`. Search for the following line (should be line 288, but this could change over time):{{{ |
Line 102: | Line 101: |
}}}Skip to the next blank line (should be 291, ''before'' FSTYPE=''), and insert the following line. '''Replace /dev/sdXN''' with the device from Preparation point 3.{{{ /sbin/cryptsetup luksOpen ''/dev/sdXN'' cryptswap1 |
}}}Skip to the next blank line (should be 291, '''before''' `FSTYPE=''`), and insert the following line. '''Replace `/dev/sdXN`''' with the device from [[EnableHibernateWithEncryptedSwap#Preparation|Preparation]] point 4.{{{ /sbin/cryptsetup luksOpen /dev/sdXN cryptswap1 |
Line 105: | Line 104: |
1. Edit the file /etc/acpi/hibernate.sh. At the first blank line, insert the following line.{{{ | 1. Edit the file `/etc/acpi/hibernate.sh`. At the first blank line, insert the following line.{{{ |
Line 108: | Line 107: |
1. Edit the file /etc/initramfs-tools/conf.d/resume. ''Replace'' the existing RESUME line with the following line.{{{ | 1. Edit the file `/etc/initramfs-tools/conf.d/resume`. '''Replace''' the existing `RESUME` line with the following line.{{{ |
Line 114: | Line 113: |
1. Ubuntu disables the ''Hibernate'' option in the menu. Restore it as follows. Create (using gksudo with your favourite editor) the file: /etc/polkit-1/localauthority/50-local.d/com.ubuntu.enable-hibernate.pkla | 1. Ubuntu disables the Hibernate option in the menu. Restore it as follows. Create (using `gksudo` with your favorite editor) the file: <<BR>>`/etc/polkit-1/localauthority/50-local.d/com.ubuntu.enable-hibernate.pkla`<<BR>> |
Line 124: | Line 123: |
1. Reboot your machine. 1. You will receive a prompt for swap's encryption passphrase. Remember that your mouse does not work at this point. Type your passphrase and press Enter. {{attachment:Correct cryptswap1 passphrase.png}} If you mistype a passphrase three times, the system will boot anyway but without your swap enabled. Repeat the How-To if you have forgotten your passphrase. {{attachment:Incorrect cryptswap1 passphrase.png}} After correctly typing your passphrase. {{attachment:Correct cryptswap1 passphrase.png}} |
1. Reboot your machine. 1. You will receive a prompt for swap's encryption passphrase. Remember that your mouse does not work at this point. Type your passphrase and press Enter. <<BR>>{{attachment:Correct cryptswap1 passphrase.png}} 1. If you mistype a passphrase three times, the system will boot anyway but without your swap enabled. Repeat the How-To if you have forgotten your passphrase. <<BR>>{{attachment:Incorrect cryptswap1 passphrase.png}} 1. After correctly typing your passphrase: <<BR>>{{attachment:Correct cryptswap1 passphrase.png}} |
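Review bot: `{{attachment:Correct cryptswap1 passphrase.png}}` is attached to both item 2 (the passphrase prompt) and item 4 ("After correctly typing your passphrase"), so one screenshot illustrates two different states. Use a separate image for the prompt or drop one of the two references. Items 3 and 4 describe outcomes rather than actions, so they would read better as sub-points of item 2 than as numbered steps.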
Line 140: | Line 130: |
Either: * Use ''Hibernate'' from the shut-down menu Or: * Press Alt-F2 and type{{{ |
* Either use Hibernate from the shut-down menu; or * Press Alt-F2 and type{{{ |
Line 152: | Line 137: |
Originally posted [[ubuntuforums.org/showthread.php?t=1986821|The Ubuntu Forums (ubuntuforums.org)]] | Originally posted [[http://ubuntuforums.org/showthread.php?t=1986821|The Ubuntu Forums (ubuntuforums.org)]] |
Enable Hibernate With Encrypted Swap
Raison d'Etre
- Many people have asked how to get hibernation to work with encrypted folders. The problem is that the swap partition is also encrypted, but with a random key, so on restarting there is no way to resume.
- Now sharney, who uses Linux Mint, has found a way to solve this problem (on Mint, of course). The idea is to replace the random key with a password of your choice (you could use the same password as your login, but see Disclaimers and Warnings below, point 6).
- Ubuntu is a little different both from Mint (despite Mint's origins in Ubuntu) and from the setup of sharney, who uses full-disk encryption.
Disclaimers and Warnings
1. This tutorial uses the Terminal. If you do not know how to use it, please find out before proceeding.
2. This procedure was tested both on a virtual machine using VirtualBox and on a native installation. The VirtualBox machine had a strange problem: when resuming, the screen remained black, although the applications were still open and working. But the native installation worked correctly.
3. This procedure was tested on Ubuntu 12.04 (fully updated). Do not assume it will work on other versions or distributions.
4. Canonical does not support this function (yet), so use it at your own risk.
5. Please follow the instructions carefully, otherwise you may find your system unable to boot (but you can recover with the Recovery Option or a Live CD).
6. If more than one person uses your machine, every user will need to know the encryption password for the swap.
Explanation
- Your existing encrypted swap partition uses a random key, generated each time you boot.
- You will be replacing that random key method with a fixed key using a password of your choice. This password must be typed into the computer every time it is started or resumed from hibernation, whether by you or a different user.
- It is possible to replace the password with a file, meaning that you wouldn't have to remember an extra password, but that file would be visible to anyone with physical access to your computer (e.g. via a Live USB).
- If you forget your password, you will still be able to boot (after trying three times), but you won't have a swap partition. However, you can repeat this How-To to set it up again, so it's not a big deal.
Preparation
1. Your computer must already be set up for encryption. If not, follow instructions in Post Installation Encryption first.
2. Think of a password (or passphrase) for your swap partition. You can use the same as your log-in, but don't do that if other people have accounts on your computer! (See Disclaimers and Warnings point 6.)
3. Find out which is your encrypted swap partition.
   swapon -s
   You should see output similar to:
   Filename                Type       Size     Used  Priority
   /dev/mapper/cryptswap1  partition  1998844  0     -1
   If you do not see cryptswap1, the partition is either unencrypted or is not encrypted to Ubuntu's standard.
4. Next, run:
   sudo cryptsetup status cryptswap1
   Output should be similar to:
   /dev/mapper/cryptswap1 is active and is in use.
     type:    PLAIN
     cipher:  aes-cbc-essiv:sha256
     keysize: 256 bits
     device:  /dev/sda1
     offset:  0 sectors
     size:    3997696 sectors
     mode:    read/write
   Make a note of the device. The one in the example says /dev/sda1, but yours could be something else, e.g. /dev/sdb3.
5. Back up.
How to Set Up Hibernation
Turn off swap.
sudo swapoff /dev/mapper/cryptswap1
Undo the existing mapping.
sudo cryptsetup luksClose /dev/mapper/cryptswap1
Set up swap again, but this time with your chosen passphrase. The command will prompt you, twice, for your passphrase. Replace /dev/sdXN with the device from Preparation point 4. (The following command wraps on the browser screen, but it is a single command that you need to type.)
sudo cryptsetup luksFormat --cipher aes-cbc-essiv:sha256 --verify-passphrase --key-size 256 /dev/sdXN
Output should be:
WARNING!
========
This will overwrite data on /dev/sda1 irrevocably.

Are you sure? (Type uppercase yes):
Enter LUKS passphrase:
Verify passphrase:
Type YES and enter your passphrase twice as prompted.
Re-map the swap. Replace /dev/sdXN with the device from Preparation point 4.
sudo cryptsetup luksOpen /dev/sdXN cryptswap1
Set up the partition as swap.
sudo mkswap /dev/mapper/cryptswap1
Turn on the swap (so it starts working again).
sudo swapon --all
Check that it is working.
swapon -s
You should see output similar to this (the numbers may differ).
Filename                Type       Size     Used  Priority
/dev/mapper/cryptswap1  partition  1996796  0     -1
Using gksudo with your favorite editor (the default for Ubuntu is gedit), edit the file /etc/crypttab. Comment out the existing line by adding # to the front (or just delete the line), and add the following line. Replace /dev/sdXN with the device from Preparation point 4.
cryptswap1 /dev/sdXN none luks
Edit the file /usr/share/initramfs-tools/scripts/local-top/cryptroot. Search for the following line (should be line 288, but this could change over time):
message "cryptsetup: unknown error setting up device mapping"
Skip to the next blank line (should be 291, before FSTYPE=''), and insert the following line. Replace /dev/sdXN with the device from Preparation point 4.
/sbin/cryptsetup luksOpen /dev/sdXN cryptswap1
Edit the file /etc/acpi/hibernate.sh. At the first blank line, insert the following line.
DEVICE='/dev/mapper/cryptswap1'
Edit the file /etc/initramfs-tools/conf.d/resume. Replace the existing RESUME line with the following line.
RESUME=/dev/mapper/cryptswap1
Register these changes.
sudo update-initramfs -u -k all
Ubuntu disables the Hibernate option in the menu. Restore it as follows. Create (using gksudo with your favorite editor) the file:
/etc/polkit-1/localauthority/50-local.d/com.ubuntu.enable-hibernate.pkla
Fill the file with the following text and save.
[Re-enable hibernate by default]
Identity=unix-user:*
Action=org.freedesktop.upower.hibernate
ResultActive=yes
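Before rebooting, the files edited in the steps above can be checked against each other. The script below is an added example, not part of the original how-to; the function names and the ROOT argument are assumptions, /dev/sdXN stands for the device noted in Preparation, and the sample tree is constructed so the script runs without touching a real system.

```bash
# Added example, not from the original how-to. Read-only: it only inspects files.
# Assumed names: audit_hibernate_config, ROOT ("/" or a scratch copy), DEV (swap device).
audit_hibernate_config() {
    root=${1%/}; dev=$2; fails=0
    pkla=/etc/polkit-1/localauthority/50-local.d/com.ubuntu.enable-hibernate.pkla
    check() {  # check <description> <command...>: run the command and record the result
        desc=$1; shift
        if "$@"; then echo "ok   $desc"; else echo "FAIL $desc"; fails=$((fails + 1)); fi
    }
    has_line() {  # true if file $1 has a line equal to $2, ignoring surrounding blanks
        awk -v t="$2" '{ gsub(/^[ \t]+|[ \t]+$/, "") } $0 == t { f = 1 } END { exit !f }' \
            "$root$1" 2>/dev/null
    }
    one_luks_entry() {  # exactly one active cryptswap1 line, keyed by passphrase ("none")
        awk -v d="$dev" '$1 == "cryptswap1" { n++
                if ($2 == d && $3 == "none" && $4 ~ /(^|,)luks(,|$)/) g++ }
            END { exit !(n == 1 && g == 1) }' "$root/etc/crypttab" 2>/dev/null
    }
    check "crypttab: one cryptswap1 entry, LUKS with passphrase on $dev" one_luks_entry
    check "resume: RESUME points at the mapping" \
        has_line /etc/initramfs-tools/conf.d/resume 'RESUME=/dev/mapper/cryptswap1'
    check "hibernate.sh: DEVICE points at the mapping" \
        has_line /etc/acpi/hibernate.sh "DEVICE='/dev/mapper/cryptswap1'"
    check "cryptroot: opens $dev as cryptswap1" \
        has_line /usr/share/initramfs-tools/scripts/local-top/cryptroot \
        "/sbin/cryptsetup luksOpen $dev cryptswap1"
    check "polkit: hibernate action listed" has_line "$pkla" 'Action=org.freedesktop.upower.hibernate'
    check "polkit: hibernate allowed" has_line "$pkla" 'ResultActive=yes'
    [ "$fails" -eq 0 ]
}

# Constructed sample tree that mirrors the edits described in this how-to.
demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc/initramfs-tools/conf.d" "$t/etc/acpi" \
        "$t/etc/polkit-1/localauthority/50-local.d" \
        "$t/usr/share/initramfs-tools/scripts/local-top"
    printf '%s\n' '#cryptswap1 /dev/sdXN /dev/urandom swap,cipher=aes-cbc-essiv:sha256' \
        'cryptswap1 /dev/sdXN none luks' > "$t/etc/crypttab"
    echo 'RESUME=/dev/mapper/cryptswap1' > "$t/etc/initramfs-tools/conf.d/resume"
    echo "DEVICE='/dev/mapper/cryptswap1'" > "$t/etc/acpi/hibernate.sh"
    printf '\t%s\n' '/sbin/cryptsetup luksOpen /dev/sdXN cryptswap1' \
        > "$t/usr/share/initramfs-tools/scripts/local-top/cryptroot"
    printf '%s\n' '[Re-enable hibernate by default]' 'Identity=unix-user:*' \
        'Action=org.freedesktop.upower.hibernate' 'ResultActive=yes' \
        > "$t/etc/polkit-1/localauthority/50-local.d/com.ubuntu.enable-hibernate.pkla"
    echo "$t"
}

tree=$(demo_tree) && audit_hibernate_config "$tree" /dev/sdXN; rm -rf "$tree"
```

On a real system, call `audit_hibernate_config / /dev/sdXN` with your own device; a FAIL on the crypttab line usually means the old random-key entry was left active next to the new one.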
New Swap First Time Use
1. Reboot your machine.
2. You will receive a prompt for swap's encryption passphrase. Remember that your mouse does not work at this point. Type your passphrase and press Enter.
3. If you mistype a passphrase three times, the system will boot anyway but without your swap enabled. Repeat the How-To if you have forgotten your passphrase.
4. After correctly typing your passphrase:
How to Hibernate
- Either use Hibernate from the shut-down menu; or
- Press Alt-F2 and type
gksudo pm-hibernate
(If you do this from a terminal, you can use sudo instead of gksudo)
Once your machine has shut down, restart. Did your programs resume normally? If so, hibernate and resume work!
Originally posted on The Ubuntu Forums (ubuntuforums.org)