[Bug 432785] Re: add support to ecryptfs-setup-swap for keyed hibernation
Christopher M. Penalver
christopher.m.penalver at gmail.com
Thu Mar 12 03:31:53 UTC 2015
Dustin Kirkland, according to
https://wiki.ubuntu.com/DebuggingKernelHibernate this is the master/meta
report scoped to having hibernate work with an encrypted swap, a feature
that other encryption implementations (ex. Windows+BitLocker) have been
able to accomplish for some time now.
Hence, just to clarify, is it that you don't intend to implement this
ever, don't intend to implement this anytime soon, or the implementation
would need to occur in a different package?
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubiquity in Ubuntu.
https://bugs.launchpad.net/bugs/432785
Title:
add support to ecryptfs-setup-swap for keyed hibernation
Status in eCryptfs:
Won't Fix
Status in ecryptfs-utils package in Ubuntu:
Won't Fix
Status in ubiquity package in Ubuntu:
Invalid
Bug description:
ecryptfs-setup-swap currently creates entries in /etc/fstab and
/etc/crypttab for encrypted swap, in order to increase the security of
systems using ecryptfs.
However, in its current implementation, this breaks hibernation
support in most cases. The current implementation just creates a
randomly generated key each boot for swap space.
The advantage of this approach is that this allows the system to boot
unattended, without prompting for a passphrase until system login
screens.
However, in the long term, we would like to eventually fix this
problem, and cleanly support hibernation to encrypted swap.
As I see it, there are a few approaches...
1) configure encrypted swap using a single static passphrase stored
in LUKS, which is required at system boot; this same passphrase would
be required to resume the system; this breaks unattended boots, and
requires all users on a system to share the same swap passphrase
2) randomly generate the passphrase at boot, but wrap this passphrase
using a pam module each time a user logs in (up to 7 different users),
and stuff this wrapped passphrase in LUKS; this would allow any user
who has logged into the system to resume it; each user would use their
own passphrase to resume; and this would *not* break unattended boots
3) create and setup a swap file at user login, rather than at boot,
hook pam to put that passphrase into LUKS; no passphrase required
until login; only one user really supported, which is perhaps okay for
some laptop setups; no swap space available during boot, which perhaps
isn't that big of a deal
:-Dustin
To manage notifications about this bug go to:
https://bugs.launchpad.net/ecryptfs/+bug/432785/+subscriptions
More information about the foundations-bugs mailing list
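The two crypttab shapes the bug description contrasts, with a small audit that tells them apart. This is an added example written for this page, not code from ecryptfs-utils or from anyone in the thread; the device path and UUID are placeholders, the `cryptswap1` line is the random-key-per-boot shape the description says ecryptfs-setup-swap writes today, and the `cryptswap2` line stands for approach 1 (a LUKS volume whose passphrase is asked for at boot and again at resume).

```shell
#!/bin/sh
# Added example: audit /etc/crypttab swap mappings for resume-from-hibernate.
# Constructed sample input (placeholder device and UUID, not from the bug report).
#   cryptswap1: key read from /dev/urandom at every boot, plus the "swap" option,
#               which runs mkswap on the mapping at every boot.
#   cryptswap2: approach 1 from the description; LUKS volume, passphrase at boot.
SAMPLE_CRYPTTAB='# <target name> <source device> <key file> <options>
cryptswap1 /dev/sda5 /dev/urandom swap,cipher=aes-cbc-essiv:sha256
cryptswap2 UUID=11111111-2222-3333-4444-555555555555 none luks'

# check_swap_mapping DEVICE KEYFILE OPTIONS
# Prints "ephemeral" when the mapping cannot carry a hibernation image across a
# reboot, "persistent" otherwise.
check_swap_mapping() {
  key=$2
  opts=$3
  # A key taken from the kernel RNG differs on every boot, so nothing written
  # to the swap before the reboot can be decrypted afterwards.
  case "$key" in
    /dev/urandom|/dev/random) echo ephemeral; return 0 ;;
  esac
  # The crypttab "swap" option runs mkswap on the mapping when it is set up,
  # overwriting the swap header (and any image) even if the key were stable.
  case ",$opts," in
    *,swap,*) echo ephemeral; return 0 ;;
  esac
  echo persistent
}

# audit_crypttab: reads crypttab-format text on stdin and prints
# "<name> <verdict>" for each mapping, skipping blank lines and comments.
audit_crypttab() {
  while read -r name dev key opts; do
    case "$name" in ''|'#'*) continue ;; esac
    echo "$name $(check_swap_mapping "$dev" "$key" "$opts")"
  done
}

# Stand-alone run over the constructed sample; on a real host feed it
# `< /etc/crypttab` instead.
printf '%s\n' "$SAMPLE_CRYPTTAB" | audit_crypttab
```

A mapping reported as `ephemeral` is exactly the case the description calls out: the system still boots unattended, but there is no key with which to read the image back. Making the `persistent` variant actually resume also needs the initramfs to know where the image lives (on Ubuntu, `RESUME=/dev/mapper/cryptswap2` in /etc/initramfs-tools/conf.d/resume followed by `update-initramfs -u`), and it brings the cost the description lists for approach 1: a passphrase prompt at every boot, shared by all users of the machine.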