Adding an encrypted swap partition under systemd
In theory, this should be straightforward:

1. Set up an entry in /etc/crypttab for the luks_swap device:

   crypt_swap /dev/mapper/$VG_NAME-swap /dev/urandom swap

2. Set up an entry in /etc/fstab for the encrypted swap device:

   /dev/mapper/crypt_swap swap swap defaults 0 0

At boot time, systemd notices the entry in crypttab, sets up the crypt_swap device, formats it as swap space, then, using information from fstab, runs swapon to start swapping to /dev/mapper/crypt_swap.
The problem I ran into when setting this up on the new penguin server was that the startup stalled when setting up the swap device, then gave up with a “timeout” error. I was unsure whether the problem was intrinsic to the code that sets up the encrypted device or there simply wasn’t enough entropy at boot time to get a good cryptographic seed.
It’s very straightforward to open a plain encrypted device using cryptsetup, format it as swap space, and enable it:

   dd if=/dev/urandom bs=128 count=1 2>/dev/null | cryptsetup open --type plain /dev/vg_penguin/swap crypt_swap
   mkswap /dev/mapper/crypt_swap
   swapon -a
As it turns out, the problem I was encountering with the boot was a bad line in the fstab file: I said the name of the encrypted space was /dev/mapper/vg_penguin-luks_swap (originally /dev/mapper/vg_penguin-swap) when in reality it was simply /dev/mapper/luks_swap; no vg_penguin needed.

I renamed the luks portion to crypt, given that the encryption is using only plain encryption and not LUKS.
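The mismatch above (an fstab swap line naming a /dev/mapper device that no crypttab entry creates) is easy to check for before rebooting. The script below is an added example, not code from the original post: it parses crypttab and fstab, confirms that every /dev/mapper swap device in fstab has a crypttab entry with the same target name, and warns when that entry lacks the swap option. The file paths are parameters, and the sample crypttab and fstab contents in the demo are constructed here to mirror the working configuration and the mistaken line described in the post.

```sh
#!/bin/sh
# Added example, not code from the original post: a consistency check between
# crypttab and fstab that catches an fstab swap line naming a /dev/mapper
# device that no crypttab entry would ever create, which leaves systemd
# waiting for the device until its timeout expires.
# File paths are parameters; the demo at the bottom uses constructed samples.

# Print "name options" for each crypttab entry, skipping blanks and comments.
# Field 1 is the target name, field 4 the comma-separated options ("-" if none).
crypttab_entries() {
    awk '!/^[ \t]*(#|$)/ { print $1, ($4 == "" ? "-" : $4) }' "$1"
}

# Print each fstab device of type swap that lives under /dev/mapper/.
fstab_mapper_swap_devices() {
    awk '!/^[ \t]*(#|$)/ && $3 == "swap" && $1 ~ /^\/dev\/mapper\// { print $1 }' "$1"
}

# Return 0 when every /dev/mapper swap device in fstab has a crypttab entry of
# the same name; otherwise report each missing entry and return 1. A matching
# entry without the "swap" option only gets a warning: systemd would not run
# mkswap on it, which is fine for swap that was formatted once by hand.
check_swap_consistency() {
    crypttab="$1"; fstab="$2"; status=0
    for dev in $(fstab_mapper_swap_devices "$fstab"); do
        name=${dev#/dev/mapper/}
        opts=$(crypttab_entries "$crypttab" | awk -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$opts" ]; then
            echo "ERROR: $dev in fstab has no crypttab entry named '$name'"
            status=1
        elif ! printf '%s\n' "$opts" | tr ',' '\n' | grep -qx swap; then
            echo "WARNING: crypttab entry '$name' lacks the swap option; systemd will not mkswap it"
        fi
    done
    return "$status"
}

# Demo on constructed samples: the working pair from the post, and an fstab
# line that refers to a vg_penguin-prefixed mapper name that never exists.
demo_dir=$(mktemp -d)
printf 'crypt_swap /dev/mapper/vg_penguin-swap /dev/urandom swap\n' > "$demo_dir/crypttab"
printf '/dev/mapper/crypt_swap swap swap defaults 0 0\n' > "$demo_dir/fstab.good"
printf '/dev/mapper/vg_penguin-crypt_swap swap swap defaults 0 0\n' > "$demo_dir/fstab.bad"
for f in good bad; do
    if check_swap_consistency "$demo_dir/crypttab" "$demo_dir/fstab.$f"; then
        echo "fstab.$f: consistent with crypttab"
    else
        echo "fstab.$f: boot would stall waiting for a device that is never created"
    fi
done
rm -rf "$demo_dir"
```

To check a live system, call check_swap_consistency /etc/crypttab /etc/fstab; a non-zero exit means the next boot will wait on a mapper device that crypttab never sets up.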