Bug#397887: [Pkg-cryptsetup-devel] Bug#397887: resume support renders system unbootable

David Härdeman david at hardeman.nu
Sat Nov 11 12:39:43 CET 2006

On Fri, Nov 10, 2006 at 01:43:05PM +0100, martin f krafft wrote:
>also sprach David Härdeman <david at hardeman.nu> [2006.11.10.1331 +0100]:
>> The hook should warn about these situations though and then skip
>> adding the resume partition details to the initramfs image...I'll
>> fix that
>That's what I meant. Thanks for reading through my blather.

Ok, I've committed fixes for both your bugs to the SVN repo. Could you 
please test the package? Either by downloading it from:


or, if you don't want to install deb's built by non-DD's, get the source 
yourself from the svn repo (svn://svn.debian.org/pkg-cryptsetup/)

>> On a related note, if you do want to be able to resume from swap
>> without needing extra passphrases, the solution that I spoke with
>> Erich about (which I have working locally) is to first setup the
>> root partition (using e.g. LUKS) and then derive a key for the
>> swap partition using a hash of the root partition key. This would
>> give the swap partition a static key which does not need to be
>> stored in the image, thus allowing (u)swsusp.
>Okay, but why a hash? Why not just the same passphrase then?

Two reasons:

1) Most importantly, I'm a lazy bastard. The easiest way to get the root 
   key from an independent script is to call "dmsetup table" which 
   provides the key as a hex-ascii string which would need to be 
   converted back to binary representation.

2) Paranoia, I'm not sure it's a good idea to have several pieces of 
   "known" source data (i.e. superblocks) encrypted with the same key. 
   Not something I can back up with any authority or research of course 

The script is very simple, I've attached it as an example. If you want 
to use it, just plop it somewhere (let's say under /root) and make it 

The change /etc/crypttab so that it says something like:
cryptroot /dev/hda1 none      luks
cryptswap /dev/hda2 cryptroot keyscript=/root/decrypt_derived,hash=sha256,size=256,cipher=aes-cbc-essiv:sha256

The keyscript will be copied into the initramfs image at creation time 
and after that you'll have a static key for swap without having to enter 
two passphrases.

I'm planning to commit it once I've written some more documentation for 
it (so it might be post-Etch).

David Härdeman
-------------- next part --------------

if [ -z "$1" ]; then
	echo "$0: must be executed with a crypto device as argument" >&2
	exit 1

if ! device=$(dmsetup table 2> /dev/null | grep "$1"); then
	echo "$0: failed to read device-mapper table" >&2
	exit 1

if [ -z "$device" ]; then
	echo "$0: device $1 doesn't exist" >&2
	exit 1

if [ "$(echo "$device" | wc -l)" -ne 1 ]; then
	echo "$0: more than one device match $1" >&2
	exit 1

type=$(echo -n "$device" | cut -d' ' -f4)
if [ "$type" != "crypt" ]; then
	echo "$0: device $1 is not a crypto device" >&2
	exit 1

echo -n "$device" | cut -d' ' -f6
exit 0

More information about the Pkg-cryptsetup-devel mailing list