Alessandro Dotti Contra

Linux/Unix DevOps


Encrypted swap partition

Encrypting the swap partition is strongly recommended if you have already encrypted the /home partition, and it is mandatory if you plan to use the suspend-to-disk facility. This is the procedure on a Debian system.

Encrypting the swap partition

Assuming /dev/sda5 is the swap partition, the first step is to create the encrypted device. To do that, we first need to install the basic tools:

#> apt install initramfs-tools cryptsetup

Then we turn the current swap partition off, create the actual encrypted device and create the new swap area on top of it:

#> swapoff /dev/sda5
#> cryptsetup luksFormat /dev/sda5
#> cryptsetup open /dev/sda5 cswap
#> mkswap /dev/mapper/cswap

Finally, make the system aware of your encrypted swap partition. Edit /etc/crypttab and add:

cswap	UUID=<...>	none	luks

Then edit /etc/fstab:

/dev/mapper/cswap	none	swap	sw	0	0

Activate cswap in initramfs

These steps are necessary to enable suspend-to-disk.

Create /etc/initramfs-tools/conf.d/cryptroot and type:

target=cswap,source=UUID=<...>,key=none

Create /etc/initramfs-tools/conf.d/resume and type:

RESUME=/dev/mapper/cswap

Then, update initramfs:

#> update-initramfs -u

Finally, install uswsusp:

#> apt install uswsusp

and you are good to go.
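
Added example, not part of the original post: a small shell check that the three files edited above agree on the same mapped device before you rely on suspend-to-disk. The function name check_swap_config is hypothetical, the UUID in the sample data is a constructed placeholder, and the script runs against constructed copies; on a real system you would pass /etc/crypttab, /etc/fstab and /etc/initramfs-tools/conf.d/resume.

```shell
#!/bin/sh
# Added example (not from the original page): check that crypttab, fstab and
# the initramfs resume file agree on one encrypted swap device.
# Usage: check_swap_config CRYPTTAB FSTAB RESUME_CONF [NAME]
# Prints one line per problem and returns non-zero if any were found.
check_swap_config() {
    crypttab=$1 fstab=$2 resume=$3 name=${4:-cswap} rc=0

    # crypttab fields: <name> <source> <key file> <options>
    entry=$(awk -v n="$name" '$1 == n { print $2, $3, $4; exit }' "$crypttab")
    if [ -z "$entry" ]; then
        echo "crypttab: no entry named $name"; rc=1
    else
        set -- $entry
        case $1 in UUID=?*) ;; *) echo "crypttab: source '$1' is not UUID=..."; rc=1 ;; esac
        # A random key changes on every boot, so a hibernation image could never be read back.
        case $2 in /dev/*random) echo "crypttab: per-boot random key '$2' prevents resume"; rc=1 ;; esac
        case ",$3," in *,luks,*) ;; *) echo "crypttab: 'luks' option missing"; rc=1 ;; esac
    fi

    # fstab: every uncommented swap line must use the mapped device, otherwise
    # pages still reach a plaintext partition.
    swaps=$(awk '$1 !~ /^#/ && $3 == "swap" { print $1 }' "$fstab")
    [ -n "$swaps" ] || { echo "fstab: no swap entry"; rc=1; }
    for dev in $swaps; do
        [ "$dev" = "/dev/mapper/$name" ] || { echo "fstab: swap on $dev bypasses $name"; rc=1; }
    done

    # resume: the initramfs must resume from the same mapped device.
    res=$(sed -n 's/^RESUME=//p' "$resume" | tail -n 1)
    [ "$res" = "/dev/mapper/$name" ] || { echo "resume: RESUME='$res', expected /dev/mapper/$name"; rc=1; }
    return $rc
}

# Constructed sample files (the UUID is a placeholder, not a real device).
demo=$(mktemp -d)
printf 'cswap\tUUID=00000000-0000-0000-0000-000000000000\tnone\tluks\n' > "$demo/crypttab"
printf '/dev/mapper/cswap\tnone\tswap\tsw\t0\t0\n' > "$demo/fstab"
printf 'RESUME=/dev/mapper/cswap\n' > "$demo/resume"
# Same fstab with a leftover plaintext swap line, as after an incomplete edit.
{ cat "$demo/fstab"; printf '/dev/sda5\tnone\tswap\tsw\t0\t0\n'; } > "$demo/fstab.stale"

check_swap_config "$demo/crypttab" "$demo/fstab" "$demo/resume" && echo "consistent"
check_swap_config "$demo/crypttab" "$demo/fstab.stale" "$demo/resume" || echo "problems found"
rm -rf "$demo"
```

The second call reports the leftover /dev/sda5 line: a plaintext swap entry that survives in fstab defeats the encryption even when the cswap entry is correct.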