Hey magical linux-oracle,
I recently made a full disk encryption on my computer via the debian installer.
I partitioned it like this:
SSD:
– unencrypted part –
Boot - 1GB space, mounting point: /boot
EFI - 512MB space, mounting point: ESP, bootable flag: on
– encrypted part –
Encrypted container with a volume group (vg-1) containing 3 logical volumes:
Root - 50GB space, mounting point: /
Swap - 30GB space, mounting point: swap
Home - Rest of space, mounting point: /home
& Second hard drive fully encrypted with one logical volume and mounting point /mnt/data
The install of linux worked pretty well.
Unfortunately, the hibernation part doesn’t work out of the box. When I press hibernate (or standby), it only goes to the lock screen. How can I solve that issue? (Is it even a good idea to use hibernation on encrypted devices?)
Second thing: As you can see from my setup, I use 2 disks. When I start up my system, I only need to enter my decryption password once (not twice for the 2nd HD) and I see that my second hard disk seems to be mounted already. It seems that people usually struggle with typing in their passwords twice and want a solution for that. Is it possible that Debian automatically fixed this for me (it’s the same pw for both)?
Thanks!
~sp3ctre
I would need your password to be able to replicate, as well as your mother’s maiden name, city of birth and first pet’s name.
I have this working on Debian like how you have it set up, everything on an encrypted lvm volume, except for boot and efi. Just one disk though. When waking up, it asks for the password like it does during normal bootup. It then restores RAM from the encrypted swap after you type the password. I think it worked out of the box, but it has been a while, so not 100% sure if I had to enable this somehow. Anyway this looks good to me.
If you manually run
systemctl hibernate
, does that work? Assuming this also does not work, you need to look at the logs during the failed hibernate attempt. Probably something like
sudo journalctl -f
and/or
sudo dmesg -wH
(for kernel logs). Open this up in two terminals, run
systemctl hibernate
and observe any errors or warnings. It’s possible this is a hardware/driver issue, i.e. a driver prevents hibernation or fails at it. You may be able to figure out which driver/device is responsible by looking at the logs.
Not sure about Debian, but on Arch Linux, hibernation with FDE works perfectly on my Framework laptop. It took a little to set up; I use a swapfile for my swap. And it exists on my encrypted drive. You know your use case best; I found for my use case, a separate swap partition (to say nothing about two separate ones) was restrictive and unnecessary. A swapfile works well and lives on an encrypted drive. No need to tinker too much beyond that. Check out the Arch wiki, it might not align 100% with Debian but those wikis are super informative and can teach you how the process works so you can apply it to Debian.
https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption#With_suspend-to-disk_support
You have to use two swaps if you already use one swap, because one will be used when the system is on, but the second will be used to set the RAM content + the 1st content into SWAP (if any), otherwise, it would fail.
Then, find the hibernation swap uuid:
sudo swapon --show
lsblk -o name,uuid
Then
# /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="resume=UUID=xxxx"

# /etc/initramfs-tools/conf.d/resume (initramfs-tools reads the variable as RESUME)
RESUME=UUID=xxxx

# bash
sudo update-grub
sudo update-initramfs -k all -u

# to hibernate on lid switch
# /etc/systemd/logind.conf
HandleLidSwitch=hibernate
Then reboot :)
Note: this method works wonderfully, I use it personally. Just be aware that the hibernation swap content is not encrypted, so you’re vulnerable if your laptop is stolen while hibernated.
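An added check script for the procedure above (example code, not from any post in this thread): it verifies that the resume= UUID in /etc/default/grub and in /etc/initramfs-tools/conf.d/resume agree with each other and with the UUID of the device lsblk marks as [SWAP], i.e. the decrypted swap volume rather than the LUKS container or the partition under it. The file paths passed in and the lsblk sample are constructed; on a real system you would feed it the output of `lsblk -ln -o NAME,TYPE,UUID,MOUNTPOINT`.

```shell
#!/bin/sh
# Added example, not from this thread. Checks that grub and initramfs-tools name
# the same resume UUID and that it belongs to the *decrypted* swap device shown
# as [SWAP] by lsblk. Reads saved `lsblk -ln -o NAME,TYPE,UUID,MOUNTPOINT` output.

# Print the UUID after resume=UUID= (initramfs-tools spells it RESUME=).
resume_uuid_in() {
    sed -n 's/.*[Rr][Ee][Ss][Uu][Mm][Ee]=UUID=\([0-9a-fA-F-]*\).*/\1/p' "$1" | head -n 1
}

# Print the UUID of every device whose MOUNTPOINT column is [SWAP].
active_swap_uuids() {
    awk '/\[SWAP\]/ { for (i = 1; i <= NF; i++)
        if ($i ~ /^[0-9a-fA-F]+-[0-9a-fA-F]+-[0-9a-fA-F]+-[0-9a-fA-F]+-[0-9a-fA-F]+$/) print $i }' "$1"
}

# Print the lsblk TYPE (part, crypt, lvm, ...) of the device with this UUID.
device_type_for_uuid() {
    awk -v u="$2" '$3 == u { print $2 }' "$1"
}

# Exit 0 if grub, initramfs and the active swap all agree, else 1 with a reason.
check_resume_config() {
    g=$(resume_uuid_in "$1"); r=$(resume_uuid_in "$2")
    [ -n "$g" ] && [ -n "$r" ] || { echo "resume=UUID= missing in grub or initramfs config"; return 1; }
    [ "$g" = "$r" ] || { echo "grub ($g) and initramfs ($r) disagree: rerun update-grub and update-initramfs -u -k all"; return 1; }
    for s in $(active_swap_uuids "$3"); do
        [ "$s" = "$g" ] && { echo "ok: $g is the active swap"; return 0; }
    done
    echo "$g is not an active swap (lsblk type: $(device_type_for_uuid "$3" "$g"))"; return 1
}

# Constructed sample files (all UUIDs made up) written into directory $1.
write_sample() {
    printf 'GRUB_CMDLINE_LINUX_DEFAULT="quiet resume=UUID=7e8f9a0b-0000-4000-8000-000000000005"\n' > "$1/grub"
    printf 'RESUME=UUID=7e8f9a0b-0000-4000-8000-000000000005\n' > "$1/resume"
    cat > "$1/lsblk" <<'EOF'
sda          disk
sda1         part   1111-2222                            /boot/efi
sda2         part   0a1b2c3d-0000-4000-8000-000000000001 /boot
sda3         part   5e6f7a8b-0000-4000-8000-000000000002
sda3_crypt   crypt  9c0d1e2f-0000-4000-8000-000000000003
vg--1-root   lvm    3a4b5c6d-0000-4000-8000-000000000004 /
vg--1-swap   lvm    7e8f9a0b-0000-4000-8000-000000000005 [SWAP]
vg--1-home   lvm    b1c2d3e4-0000-4000-8000-000000000006 /home
EOF
}
d=$(mktemp -d); write_sample "$d"
check_resume_config "$d/grub" "$d/resume" "$d/lsblk"
```

If the script reports the LUKS container's UUID (type crypt) instead of the swap LV, the kernel will never find the hibernation image and the machine simply cold boots.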
It should work with just one swap (encrypted), unless the swap is full at the moment of the hibernation attempt. The mkinitramfs-generated script should ask for the LUKS password, then it would start loading the pages. Note that hibernation in general may fail to work (regardless of encryption) if, for example, a signed kernel and Secure Boot are used.
Hmm, doesn’t this undermine the whole purpose of encryption? If I understand that right, there will always be unencrypted stuff of mine? Also when I completely shut down?
You can do encrypted swap as well. If you use the same passphrase you can install
decrypt_keyctl
and use it as described here. It will cache the passphrase and send it to every other LUKS volume that needs decrypting so you have to type it only once. This is what I’m currently using and my root is on ZFS on LUKS. Another option which I haven’t used is to have a small volume that only stores your LUKS keys as files, then your LUKS volumes reference those files as keys, then you decrypt only that volume with a passphrase upon boot.
Another option is to use a swap file. I used to run Ubuntu LTS on LUKS on LVM. That is disk > EFI and LVM partitions > LVM volume boot, LVM volume for LUKS > root filesystem inside LUKS > swapfile in that root filesystem. Upon boot, GRUB is able to read the Linux kernel straight from the boot volume on LVM. Boots the kernel. You get a prompt to decrypt the LUKS volume where the root filesystem is. Once decrypted, the kernel can access the swapfile if it needs to resume from it. If I didn’t use ZFS, I’d be using this scheme as it’s superbly flexible. Growing the volumes and filesystems for larger storage is easy. Adding redundancy via LVMRAID is easy. Changing the swap size is easy. Hibernation works.
I have it working with just one LUKS volume. The tricky part is that the UUIDs of the decrypted and encrypted device differ. I would have to look at my setup to be sure (it has been more than a year since I set this up and I am currently not on my computer).
Yes. Unfortunately FDE hibernation is not well supported and in fact Debian used to disable it in the kernel (though that might have changed).
IMHO it is a big oversight because encrypted swap hibernation is safer than sleep.
Hibernation is in general not supported with full disk encryption, and is not recommended. You can do it but it’s a hassle and will lead to hangs on wakeup if you don’t configure it correctly. I gave up on it.