[pkg-cryptsetup-devel] Bug#669861: Bug#669861: cryptsetup: Unable to select correct swap device

Jonas Meurer jonas at freesources.org
Sun Apr 22 11:07:57 UTC 2012 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey Rodolfo,

Am 21.04.2012 17:26, schrieb Rodolfo García Peñas:
> the cryptroot initramfs hook script searches for resume devices in
> the following files. Please send the content of all of them:
> 
> /etc/uswsusp.conf
> 
>> The important part is:
> 
>> resume device = /dev/dm-1

mh, I've no idea how uswusp detects the resume device, but apparently
there's something wrong. did you try 'dpkg-reconfigure uswsusp' yet?
maybe /dev/dm-1 was correct in the past, and your setup changed in the
meantime?

> /etc/initramfs-tools/conf.d/resume
> 
>> Is here :-)
> 
>> RESUME=UUID=81c6f99f-d571-497c-a6db-759f4beb0b2d

all right, that's the reason why cryptroot initramfs hook detects a
second resume device. I've a gut feeling that something's wrong with
your setup.

what's the content of this file after 'dpkg-reconfigure initramfs-tools'?

And more importantly: you have 'luks,swap' as options to your
encrypted swap device in /etc/crypttab, right? The option 'swap'
results in cryptdisks scripts running 'mkswap' over the device on
every boot. This is not required and indeed wrong for your setup.

In general, you've two options for encrypted swap:

1/ use a random key (e.g. /dev/urandom) for decryption, and recreate
   the swap partition on every boot. this is what the 'swap' option in
   crypttab(5) is for. it has the advantage of more security, but
   doesn't support resume from this device - as there's no consistent
   encryption key and as a result no way to restore the suspend image
   for resume.

2/ use a consistent key for decryption. this is required for suspend/
   resume functions. and this is what you're using. in that case you
   don't need to rerun 'mkswap' over the unlocked crypto-swap every
   time. as a result, the 'swap' option to crypttab(5) is not needed
   in that case.

I suggest that you read sections 8 & 9 of the cryptroot initramfs
documentation in /usr/share/doc/cryptsetup/README.initramfs.gz.

I'm still curious whether there's a real bug in the package, or
whether this is merely a setup issue on your side. Thus it would be
great if you could answer my questions above.

Regards,
 jonas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPk+aGAAoJEFJi5/9JEEn+iTsP/AkYfVhtnci1ZF0qD2c//qDc
+Edk1bXScFGZYmYdZfAUOIrzDUjuC2RQYiwhRtqs/iRFMAX1NMX24jKp9BtpFZCC
AUPWjaHrrCxdTTPqVmW4+yujP5X4egg1QULV68GwfK44q3RVmBVkyhZSqkWAdjkd
3C6ywh2lb5DDwCwHJfQ/O7dQOttEGfFj3niFTxiOiGiA4kbkUK6OzxNW6qvrarK/
xAYy4xMi5YQdmIUrQnk/wyXHCjM2bg3JpIkS6hxTs7T58veDpyJd/fl1TkRsRdf+
Acy277OhXIWqr+aTf4JJKuIdaF3BIDn0S2A40Ftfh0fQBVfEman8VCSA5v8jfFTX
kwpvRh8vV2G3Qgo8yPkr7M2E34Eu+ytt2+7pYE/E3rV7v6dn64dfdzkeW2YnNmga
eXiqrc4TIOuIRzEwsQNkrFBZUXmpGRBGZ7dWqakZ2IMQiZvbyuDoNOtrg8LXsRBm
KZvmCGwqAicNkcB9PLqzOwSVI5D4trQO9eiigGNbJBsetZj7XnKDCgwm8hYZrIl3
t85YLfU375DHaYxDtsd+Y6AuMEDPDjuz/8l/39jgiyYXv+/OR1SbF3DZHDYdUkko
540YY6hhJWXx3xy6GKikx+srExliTrpW9dKGdFZwAvvN8ne+3K5T+mHAS9nG6c18
A7iWnxUMDurg19X502sr
=exCk
-----END PGP SIGNATURE-----

More information about the pkg-cryptsetup-devel mailing list