What
I have my swap and /home partitions Luks encrypted and my /tmp partition encrypted with /dev/random. At boot---maybe once a month---I'm prompted first for the swap password, then for the /home password. Hibernation works as usual (with Fedora 8 in my experience that is
absolutely perfectly). Early in the "thaw" process, I'm prompted for the swap partition password.
Why
My admittedly superficial understanding is that whenever you suspend to disk, aka hibernate, without encryption the image is written in such a way that someone expert in nefarious matters can easily extract the passphrases for encrypted partitions, ssh (as maintained by your ssh-agent), mail accounts, and whatever else might have been open when you suspended. Unless it's been overwritten by swapping in the meantime, this information remains in the swap partition when you shut down.
How
There are several relevant bugs on the redhat bugzilla. What I did, and detail below, uses the improved mkinitrd-6.0.19-5.fc8 referenced in
https://bugzilla.redhat.com/show_bug.cgi?id=124789#c118.
Another approach, which I haven't tried, I understand, works with the mkinitrd-6.0.19-4.fc8 that ships with Fedora 8. There is a patch to make this work better in
https://bugzilla.redhat.com/show_bug.cgi?id=434656.
My understanding from browsing bugzilla is that Fedora 9 will have a swap encryption feature that prompts for a throw-away password when you go into hibernation, then requires that password to thaw. As Joe EndUser, the setup that I'm describing here seems more convenient. I almost never reboot, but hibernate and suspend to ram all of the time.
Howto
In brief
- Downlaod and install the source rpm mkinitrd-6.0.19-5.fc8.src.rpm from
http://fedorapeople.org/~timn/crypto_root/. I needed the i686 version for my laptop. I believe there is a binary rpm for x86_64 among Tim Niemueller's files at this site.
- Make your swap partition Luks encrypted and make the relevant entries in /etc/crypttab and /etc/fstab
- Save your current initrd kernel image and create a new one that is aware of your encrypted swap partition.
In more detail:
Set up to build rpms
Code:
#yum install rpm-build mock
I needed the following packages to compile and build the rpm. You may need more if you haven't compiled things from source before. If you get errors when you build the rpm later, just look at what's missing and use "yum provides ..." to figure out how to get it.
Code:
#yum install e2fsprogs-devel parted-devel libdhcp4client-devel libdhcp6client-devel libdhcp-devel device-mapper-devel python-devel
In your home directory as an ordinary user, configure for building rpms:
Code:
$echo '%_topdir %(echo $HOME)/rpmbuild' > .rpmmacros
$mkdir rpmbuild
Download the source rpm
Download mkinitrd-6.0.19-5.fc8.src.rpm from
http://fedorapeople.org/~timn/crypto_root/.
Then as root run
Code:
#rpm -ivh mkinitrd*src.rpm
This puts the source packages in /usr/src/redhat.
As ordinary user, copy the source files into the working direcory:
Code:
$cp -a /usr/src/redhat/* rpmbuild
As an ordinary user, cd into your rpmbuild directory and run the followong command. Replace "--target=i686" with your architecture, if it's not what you need. (See "man rpmbuild" for all the details.)
Code:
$rpmbuild -ba --target=i686 ~/rpmbuild/SPECS/mkinitrd.spec
If everything goes well, you'll get some warnings but no errors, and several shiney new rpms in ~/rpmbuild/RPMS/i686. To install, become root, cd into that directory and run
Code:
#rpm -e mkinitrd-6.0.19-4.fc8
#rpm --force -Uvh mkinitrd-6.0.19-5.fc8.i686.rpm nash-6.0.19-5.fc8.i686.rpm
Though the above process creates other rpms, I've installed just these two on two computers successfully.
Set up encrypted swap
Kill gdm with "cntl-alt-backspace" and go to a text tty with "cntl-alt-F1". Log in as root.
If you accepted the Fedora 8 installation default, your swap partition is /dev/VolGroup00/LogVol01. Check with "cat /proc/swaps" to be sure.
Then turn off swapping:
Create a luks partition:
Code:
# cryptsetup --verbose --verify-passphrase luksFormat /dev/VolGroup00/LogVol01
Open it:
Code:
#cryptsetup luksOpen /dev/VolGroup00/LogVol01 swap0
If everything has gone right, it should appear as "/dev/mapper/swap0":
Now format it for swapping:
Code:
#mkswap /dev/mapper/swap0
Add an entry in /etc/crypttab for it. If you haven't encrypted other partitions, you will have to create this file, rather than just add a line to it.
Code:
swap0 /dev/VolGroup00/LogVol01 none swap
Comment out the current swap partition entry in /etc/fstab and add the line
Code:
/dev/mapper/swap0 swap swap defaults 0 0
Turn your newly encrypted swapping on:
Create a new kernel initrd image
This is the scary part. Just in case something goes wrong, be sure to have an installation or rescue disk handy.
I'm running the 32bit kernel 2.6.23-15.137.fc8 on my laptop. Check "uname -r" for the kernel you are running and use that in place of "2.6.23-15.137.fc8." in these instructions.
Still as root on tty1:
Code:
#cd /boot
#mv initrd-2.6.23-15.137.fc8.img initrd-2.6.23-15.137.fc8.img.save
#mkinitrd --fstab=/etc/fstab initrd-2.6.23-15.137.fc8.img 2.6.23-15.137.fc8
I've done this on two computers and had no trouble at all, but if rebooting fails, boot using your rescue disk to replace the new initrd image you've just created with the "initrd...img.save" you saved. Beware (or be glad, as the case may be) that when you install a new kernel, it will use your new mkinitrd.
Finally, take a deep breath and
If everything goes well, the first prompt you get for a Luks passphrase is for the swap partition.
Linear Mode
