Bug#397887: [Pkg-cryptsetup-devel] Bug#397887: resume support renders system unbootable

David Härdeman david at hardeman.nu
Fri Nov 10 13:31:41 CET 2006 

On Fri, November 10, 2006 12:10, David Härdeman said:
> On Fri, November 10, 2006 10:34, martin f krafft said:
>> As of late, cryptsetup figures out what swap device I need to resume
>> from disk and tells initramfs to also initialise that device even
>> before root is brought up.
>>
>> The problem is quite simply that some of us have previously
>> configured the swap device with a random passphrase, or a keyfile
>> stored somewhere in /etc. Now, all of a sudden, we're expected to
>> enter the key during initramfs? I am sorry, I cannot remember 2048
>> bytes of key material, nor would I remember what random string the
>> kernel used to set up the swap device before the latest cryptsetup
>> upgrade.
>
> You're using the "derive-passphrase-from-another-crypto-mapping" thing
> that I mentioned earlier in private email correspondence, right?

Sorry, I'm confused, that was a conversation I had with Erich Schubert.

>> My crypttab says
>>
>>  cr_hda2 /dev/hda2 /etc/keys/hda2.luks luks
>>
>> cryptsetup should ensure that /etc/keys/hda2.luks is available as
>> such during initramfs. If the key is specified as /dev/urandom,
>> cryptsetup must react differently and prompt the user for a new,
>> static passphrase.

It can't provide you with the keyfile during boot because that would
require  the keyfile to be stored inside the initramfs image unencrypted.

Similarly, if you have a random key, there is no way the resume would work
so a resume partition shouldn't be specified in the relevant scripts.

The hook should warn about these situations though and then skip adding
the resume partition details to the initramfs image...I'll fix that

On a related note, if you do want to be able to resume from swap without
needing extra passphrases, the solution that I spoke with Erich about
(which I have working locally) is to first setup the root partition (using
e.g. LUKS) and then derive a key for the swap partition using a hash of
the root partition key. This would give the swap partition a static key
which does not need to be stored in the image, thus allowing (u)swsusp.

-- 
David Härdeman

More information about the Pkg-cryptsetup-devel mailing list