Bug#765594: systemd: Attempting to hibernate permanently breaks encrypted swap partition

Rebecca N. Palmer rebecca_palmer at zoho.com
Thu Oct 16 18:31:30 BST 2014 

If I mount the swap at the initramfs prompt and ignore systemd's 
subsequent complaints (below), hibernation works.

$ sudo systemctl status systemd-cryptsetup at sda4_crypt.service -l
● systemd-cryptsetup at sda4_crypt.service - Cryptography Setup for sda4_crypt
    Loaded: loaded (/etc/crypttab)
    Active: failed (Result: exit-code) since Thu 2014-10-16 17:36:49 
BST; 1min 51s ago
      Docs: man:crypttab(5)
            man:systemd-cryptsetup-generator(8)
            man:systemd-cryptsetup at .service(8)
   Process: 464 ExecStop=/lib/systemd/systemd-cryptsetup detach 
sda4_crypt (code=exited, status=1/FAILURE)
   Process: 438 ExecStartPost=/sbin/mkswap /dev/mapper/sda4_crypt 
(code=exited, status=1/FAILURE)
   Process: 418 ExecStart=/lib/systemd/systemd-cryptsetup attach 
sda4_crypt /dev/disk/by-uuid/f6ddec99-21a9-42f5-bf22-aa15584334a9 none 
luks,swap (code=exited, status=0/SUCCESS)
  Main PID: 418 (code=exited, status=0/SUCCESS)

Oct 16 17:36:44 rnpalmer-laptop systemd[1]: Forked 
/lib/systemd/systemd-cryptsetup as 464
Oct 16 17:36:44 rnpalmer-laptop systemd[1]: 
systemd-cryptsetup at sda4_crypt.service changed start-post -> stop
Oct 16 17:36:44 rnpalmer-laptop systemd[464]: Executing: 
/lib/systemd/systemd-cryptsetup detach sda4_crypt
Oct 16 17:36:49 rnpalmer-laptop systemd[1]: Child 464 belongs to 
systemd-cryptsetup at sda4_crypt.service
Oct 16 17:36:49 rnpalmer-laptop systemd[1]: 
systemd-cryptsetup at sda4_crypt.service: control process exited, 
code=exited status=1
Oct 16 17:36:49 rnpalmer-laptop systemd[1]: 
systemd-cryptsetup at sda4_crypt.service got final SIGCHLD for state stop
Oct 16 17:36:49 rnpalmer-laptop systemd[1]: 
systemd-cryptsetup at sda4_crypt.service changed stop -> failed
Oct 16 17:36:49 rnpalmer-laptop systemd[1]: Job 
systemd-cryptsetup at sda4_crypt.service/start finished, result=failed
Oct 16 17:36:49 rnpalmer-laptop systemd[1]: Failed to start Cryptography 
Setup for sda4_crypt.
Oct 16 17:36:49 rnpalmer-laptop systemd[1]: Unit 
systemd-cryptsetup at sda4_crypt.service entered failed state.
Oct 16 17:36:49 rnpalmer-laptop systemd[1]: 
systemd-cryptsetup at sda4_crypt.service: cgroup is empty


>> I'm guessing at a destroyed LUKS header and systemd falling back to
>> plain, but have no proof of that.
Looks like systemd _always_ mounts encrypted swap as plain even if 
/etc/crypttab says it's LUKS, hence destroying the header as soon as the 
swap becomes needed (for hibernation or otherwise, though I haven't 
tested the latter): this is from before attempting hibernation:

$ sudo cryptsetup status /dev/mapper/sda4_crypt
/dev/mapper/sda4_crypt is active and is in use.
   type:    PLAIN
   cipher:  aes-cbc-essiv:sha256
   keysize: 256 bits
   device:  /dev/sda4
   offset:  0 sectors
   size:    39059456 sectors
   mode:    read/write
$ sudo cryptsetup status /dev/mapper/sda5_crypt
/dev/mapper/sda5_crypt is active and is in use.
   type:    LUKS1
   cipher:  aes-xts-plain64
   keysize: 512 bits
   device:  /dev/sda5
   offset:  4096 sectors
   size:    818159616 sectors
   mode:    read/write

> If unlocking the crypt container failed, there should be no
> /dev/mapper/sda4_crypt device.
There always is one, presumably because a plain dm-crypt mount with the 
wrong password "succeeds" (and sees garbage in place of the previous 
contents, but a non-hibernation swap partition won't care).

> Please boot with systemd.log_level=debug on the kernel command line and
> the attach the journal log (journalctl -alb).
Attached: before/after hibernation, with the swap passphrase given to 
initramfs/systemd-cryptsetup/neither.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: afterhib_initramfsmount.log
Type: text/x-log
Size: 528416 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20141016/1f15ce99/attachment-0010.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: afterhib_systemdmount.log
Type: text/x-log
Size: 756695 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20141016/1f15ce99/attachment-0011.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: beforehib_initramfsmount.log
Type: text/x-log
Size: 450176 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20141016/1f15ce99/attachment-0012.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: beforehib_nomount.log
Type: text/x-log
Size: 519130 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20141016/1f15ce99/attachment-0013.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: beforehib_systemdmount.log
Type: text/x-log
Size: 485398 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-systemd-maintainers/attachments/20141016/1f15ce99/attachment-0014.bin>

More information about the Pkg-systemd-maintainers mailing list