Linux

Encrypted Swap

Encrypted swap setup on Debian bullseye/bookworm

Prerequisites

Ensure the following are installed:

  • lvm2
  • cryptsetup

Disable and overwrite existing swap partition

This is only necessary if the partition was previously used as swap.

  1. Use fdisk to determine which partition is the swap partition. For the rest of this guide, this is represented by /dev/sdaX.
  2. swapoff /dev/sdaX
  3. Comment out the swap line in /etc/fstab
  4. Overwrite the existing swap partition data
    dd if=/dev/urandom of=/dev/sdaX

Set up LVM on the partition

  1. Use fdisk to change partition type to Linux LVM (type code is 8E).
  2. pvcreate /dev/sdaX
  3. vgcreate swaps /dev/sdaX
  4. Find out the available size of the volume group using vgdisplay (example: 976.00 MiB).
  5. lvcreate -L 976.00M -n swap swaps

Set up encryption

  1. Add to /etc/crypttab:
    cryptswap /dev/mapper/swaps-swap /dev/urandom swap
  2. Edit fstab:
    /dev/mapper/cryptswap none swap sw 0 0
    This should be as simple as changing the first item in the old fstab swap line.
  3. Disable hibernate (a hibernation image can't be restored from swap that is encrypted with a new random key on every boot!)
    systemctl mask hibernate.target hybrid-sleep.target
    rm /etc/initramfs-tools/conf.d/resume
    update-initramfs -u
  4. Reboot and verify with free that the swap is available.
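
A check that can be run before rebooting, as an added example that is not part of the original guide: it confirms that every swap line in fstab points at a /dev/mapper name whose crypttab entry uses a random key file and the swap option. The function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit crypttab and fstab for the random-key swap layout.
# Arguments default to the real files; pass other paths to test a draft.
check_encrypted_swap() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }       # skip comments and blank lines
        FILENAME == ARGV[1] {                # crypttab: name device key options
            if ($3 ~ /^\/dev\/u?random$/ && ("," $4 ",") ~ /,swap,/)
                random_swap[$1] = 1
            next
        }
        $3 == "swap" {                       # fstab rows of type swap
            seen++
            name = $1
            if (sub(/^\/dev\/mapper\//, "", name) && (name in random_swap))
                print "OK   " $1 " gets a fresh random key each boot"
            else { print "FAIL " $1 " is not a random-key mapping"; bad++ }
        }
        END {
            if (!seen) { print "FAIL no swap entry in fstab"; bad++ }
            exit (bad ? 1 : 0)
        }
    ' "${1:-/etc/crypttab}" "${2:-/etc/fstab}"
}

# Constructed sample files (not taken from a real system).
write_samples() {
    printf '%s\n' 'cryptswap /dev/mapper/swaps-swap /dev/urandom swap' > "$1/crypttab"
    printf '%s\n' '/dev/mapper/cryptswap none swap sw 0 0' > "$1/fstab.good"
    printf '%s\n' '/dev/sdaX none swap sw 0 0' > "$1/fstab.plain"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_encrypted_swap "$demo_dir/crypttab" "$demo_dir/fstab.good"
check_encrypted_swap "$demo_dir/crypttab" "$demo_dir/fstab.plain" || echo "plaintext swap detected"
rm -rf "$demo_dir"
```

Called with no arguments, check_encrypted_swap reads /etc/crypttab and /etc/fstab and returns non-zero if any swap entry would come up unencrypted.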

