[Bug 1253983] [NEW] cryptsetup does not ask to decrypt swap on boot
Edward Z. Yang
ezyang at cs.stanford.edu
Fri Nov 22 11:27:09 UTC 2013
Public bug reported:
Steps to reproduce:
---------------------------
Suppose your swap partition is going to be /dev/sda3. We are going to
encrypt it with a password, rather than autogenerate it (this is
desirable for hibernation). I think it may be important to avoid having
other LUKS partitions in your crypttab.
Set it up with:
cryptsetup luksFormat /dev/sda3
Edit crypttab to have:
swap /dev/sda3 none luks,tries=3
Edit fstab to have:
/dev/mapper/swap none swap sw 0 0
Now reboot the system.
Expected behavior: Prompt to decrypt swap on boot, after which swap is loaded (swapon -s)
Actual behavior: Boot proceeds without prompt (well, actually the prompt does show up but you're never given a chance to type anything in), swap is not loaded
The trouble here seems to be that the cryptsetup password request is implemented
by hooking into Ubuntu's "Device is not ready, press S to skip or M to
mount" (not an expert, but this is a guess, since when I do exactly the
same parameters, but specify the fstab to be a proper file system,
things work fine), but Ubuntu will not block boot because swap has not
come online, so we never actually get a prompt.
This might actually be a bug elsewhere; while hibernate has never been
terribly high on the priority of Ubuntu developers (and encrypted
hibernate is an absolute disaster), it is essential to block on swap
coming online, because there may be a hibernate image stored there,
which is irrecoverable if boot proceeds as normal. But I didn't know
where to report *that*.
** Affects: cryptsetup (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cryptsetup in Ubuntu.
https://bugs.launchpad.net/bugs/1253983
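
Added example, not part of the original report: a shell check that lists fstab swap entries backed by a crypttab LUKS mapping whose key field is "none" (interactive passphrase), which is the configuration in the steps to reproduce. The function names, the tmpswap mapping, /dev/sda5, /dev/sda1 and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. Sample file contents are constructed.

# passphrase_luks_swap CRYPTTAB FSTAB
# Prints "<mapping> <source>" for every fstab swap entry on /dev/mapper/<mapping>
# whose crypttab line has key "none" (passphrase prompt) and the luks option.
passphrase_luks_swap() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        FILENAME == ARGV[1] {                   # crypttab: target source key options
            if ($3 == "none" && ("," $4 ",") ~ /,luks,/) src[$1] = $2
            next
        }
        $3 == "swap" && index($1, "/dev/mapper/") == 1 {   # fstab swap line
            name = substr($1, length("/dev/mapper/") + 1)
            if (name in src) print name, src[name]
        }
    ' "$1" "$2"
}

# write_sample DIR: constructed crypttab and fstab. The first entry mirrors the
# report; the second is a random-key swap mapping, which needs no prompt.
write_sample() {
    cat > "$1/crypttab" <<'EOF'
# <target> <source> <key file> <options>
swap     /dev/sda3  none          luks,tries=3
tmpswap  /dev/sda5  /dev/urandom  swap
EOF
    cat > "$1/fstab" <<'EOF'
/dev/mapper/swap     none  swap  sw  0  0
/dev/mapper/tmpswap  none  swap  sw  0  0
/dev/sda1            /     ext4  errors=remount-ro  0  1
EOF
}

dir=$(mktemp -d)
write_sample "$dir"
passphrase_luks_swap "$dir/crypttab" "$dir/fstab"
rm -rf "$dir"
```

On a real system the arguments would be /etc/crypttab and /etc/fstab; any line it prints is a swap device that can only come online after a passphrase is entered at boot.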