Adding an encrypted swap partition under systemd

In theory, this should be straightforward:

Set up an entry in /etc/crypttab for the luks_swap device:

crypt_swap  /dev/mapper/$VG_NAME-swap  /dev/urandom  swap

Set up an entry in /etc/fstab for the encrypted swap device:

/dev/mapper/crypt_swap   swap   swap   defaults  0  0

At boot time, systemd notices the entry in crypttab, sets up the crypt_swap device, formats it as swap space, and then, using the information from fstab, runs swapon to start swapping to /dev/mapper/crypt_swap.

The problem I ran into when setting this up on the new penguin server is that the startup stalled when setting up the swap device, then gave up with a “timeout” error. I’m unsure if the problem is intrinsic to the code that sets up the encrypted device or there simply isn’t enough entropy at boot time to get a good cryptographic seed.

It’s very straightforward to open a plain encrypted device using cryptsetup, format it as swap space, and enable it:

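# Read the 128 random bytes as a key file from stdin (--key-file=-); without
# it, cryptsetup treats stdin as a passphrase and stops at the first newline byte.
dd if=/dev/urandom bs=128 count=1 2>/dev/null |
  cryptsetup open --type plain --key-file=- /dev/vg_penguin/swap crypt_swap
# Format the mapped device, not the underlying volume
mkswap /dev/mapper/crypt_swap
# Enable every swap entry listed in /etc/fstab
swapon -a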

As it turns out, the problem I was encountering with the boot was a bad line in the fstab file: I said the name of the encrypted space was /dev/mapper/vg_penguin-luks_swap (originally /dev/mapper/vg_penguin-swap) when in reality it was simply /dev/mapper/luks_swap; no vg_penguin needed.

I renamed the luks portion to crypt, given that the encryption is using only plain encryption and not LUKS.
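
The mismatch described above, an fstab path that does not match the mapping name crypttab creates, can be caught before a reboot. The shell function below is an added example, not part of the original post: check_crypt_swap is a hypothetical name, it assumes whitespace-separated crypttab and fstab files in their standard field order, and the sample file contents are constructed from the names used above.

```shell
#!/bin/sh
# Added example: cross-check swap entries in crypttab against fstab.
# Usage: check_crypt_swap [CRYPTTAB] [FSTAB]; returns 0 when consistent.
check_crypt_swap() {
  awk '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    FILENAME == ARGV[1] {                   # crypttab: name device key options
      n = split($4, opt, ",")
      for (i = 1; i <= n; i++)
        if (opt[i] == "swap") { want["/dev/mapper/" $1] = 1; raw[$2] = $1 }
      next
    }
    $3 == "swap" {                          # fstab: spec mountpoint type ...
      if ($1 in want) {
        seen[$1] = 1
      } else if ($1 in raw) {               # swapping on the backing device
        print "fstab: " $1 " is the unencrypted backing device of " raw[$1]
        bad = 1
      } else if ($1 ~ /^\/dev\/mapper\//) { # mapper path crypttab never creates
        print "fstab: " $1 " is not a swap mapping named in crypttab"
        bad = 1
      }
    }
    END {
      for (d in want) if (!(d in seen)) {
        print "crypttab: " d " has no swap line in fstab"
        bad = 1
      }
      exit bad + 0
    }
  ' "${1:-/etc/crypttab}" "${2:-/etc/fstab}"
}

# Constructed sample files reproducing the mismatch and the corrected entry.
tmp=$(mktemp -d)
printf '%s\n' 'crypt_swap  /dev/mapper/vg_penguin-swap  /dev/urandom  swap' \
  > "$tmp/crypttab"
printf '%s\n' '/dev/mapper/vg_penguin-luks_swap  swap  swap  defaults  0  0' \
  > "$tmp/fstab.bad"
printf '%s\n' '/dev/mapper/crypt_swap  swap  swap  defaults  0  0' \
  > "$tmp/fstab.good"
check_crypt_swap "$tmp/crypttab" "$tmp/fstab.bad" || echo "mismatch found"
check_crypt_swap "$tmp/crypttab" "$tmp/fstab.good" && echo "consistent"
```

Called with no arguments, the function reads /etc/crypttab and /etc/fstab.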