
Re: [solved, unsafely?] What is the correct way to set encrypted swap with systemd?



Quoting ~Stack~ (i.am.stack@gmail.com):
> On 03/28/2015 08:32 AM, Sven Hartge wrote:
> > ~Stack~ <i.am.stack@gmail.com> wrote:
> > 
> >> Remember back a few months ago when systemd wouldn't stop fsck'ing my
> >> swap partition?
> > 
> > Why would systemd fsck the swap? swap does not need fscking.
> 
> I have no idea. But, if I disable the swap partition the system boots
> just fine. If I enable it, fsck tries to run and the partition it
> complains about is the swap partition. I have no idea why systemd.fsck
> does this. :-/
> 
> [snip]
> > I have the same setup on Debian Sid with systemd, just like you:
> > 
> > ,----[ /etc/crypttab
> > | # <target name> <source device>         <key file>      <options>
> > | cswap   /dev/disk/by-id/md-uuid-a805edd5:bcfd4c98:ce747c2c:77d42131     /dev/urandom    swap,cipher=aes-cbc-essiv:sha256,size=256
> > `----
> 
> Thank you!! I think I just found out what my note "systemd.fsck doesn't
> like UUID's" meant! I was assuming it was in the /etc/fstab or
> somewhere, but when I noticed you have the /dev location of your disk
> and I have a UUID in the /etc/crypttab I decided to give it a try.
> 
> $ grep swap /etc/crypttab
> # causes systemd to fsck swap
> #sda3_crypt UUID=ef2496cd-ca4d-43aa-8c90-dba084029f6e /dev/urandom
> cipher=aes-xts-plain64,size=256,swap
> # systemd doesn't fsck swap
> sda3_crypt /dev/sda3 /dev/urandom cipher=aes-xts-plain64,size=256,swap
> 
> I reverted all of my changes that I took notes on and
> bada-bing-bada-boom! It works now!

That cure looks retrograde to me because it throws away the uniqueness
of UUIDs. What if /dev/sda3 changes, for whatever reason?

A systemd 216 man page for crypttab says:
   "WARNING: Using the swap option will destroy the contents of the
   named partition during every boot, so make sure the underlying
   block device is specified correctly."

Could you not try using a /dev/disk/by-foo/... entry instead and see
if that works? (I don't recognise the particular one Sven uses.)

Cheers,
David.
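As an added illustration (not code from anyone in this thread): a small Python check that parses crypttab entries carrying the swap option and classifies each source device as a stable /dev/disk/by-* path, a UUID=/LABEL=/PARTUUID=/PARTLABEL= specifier (reporting the equivalent /dev/disk/by-* symlink, the "by-foo" form suggested above), or an unstable kernel name such as /dev/sda3. The sample crypttab is constructed from the entries quoted in the thread; the target name sda3_crypt2 and the root_crypt line are invented for the example.

```python
import re
# Constructed sample modelled on the entries quoted in the thread.
SAMPLE_CRYPTTAB = """\
# <target name> <source device> <key file> <options>
cswap   /dev/disk/by-id/md-uuid-a805edd5:bcfd4c98:ce747c2c:77d42131 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256
sda3_crypt /dev/sda3 /dev/urandom cipher=aes-xts-plain64,size=256,swap
sda3_crypt2 UUID=ef2496cd-ca4d-43aa-8c90-dba084029f6e /dev/urandom cipher=aes-xts-plain64,size=256,swap
root_crypt UUID=11111111-2222-3333-4444-555555555555 none luks
"""

STABLE_PREFIXES = ("/dev/disk/by-id/", "/dev/disk/by-uuid/",
                   "/dev/disk/by-partuuid/", "/dev/disk/by-label/",
                   "/dev/disk/by-partlabel/", "/dev/mapper/")
# crypttab(5) source specifiers and the udev symlink directory each resolves through.
SPECIFIER_DIRS = {"UUID": "/dev/disk/by-uuid", "LABEL": "/dev/disk/by-label",
                  "PARTUUID": "/dev/disk/by-partuuid", "PARTLABEL": "/dev/disk/by-partlabel"}

def parse_crypttab(text):
    """Return (target, source, keyfile, options-set) for each non-comment line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed: crypttab needs at least target and source
        target, source = fields[0], fields[1]
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = set(fields[3].split(",")) if len(fields) > 3 else set()
        entries.append((target, source, keyfile, options))
    return entries

def check_swap_sources(text):
    """Map each swap target to ('stable'|'specifier'|'unstable', resolved source)."""
    verdicts = {}
    for target, source, _key, options in parse_crypttab(text):
        if "swap" not in options:
            continue  # only the swap option re-formats the device on every boot
        m = re.match(r"^(UUID|LABEL|PARTUUID|PARTLABEL)=(.+)$", source)
        if m:
            # Equivalent udev symlink path for the specifier form.
            path = f"{SPECIFIER_DIRS[m.group(1)]}/{m.group(2)}"
            verdicts[target] = ("specifier", path)
        elif source.startswith(STABLE_PREFIXES):
            verdicts[target] = ("stable", source)
        else:
            verdicts[target] = ("unstable", source)  # e.g. /dev/sda3 may be renumbered
    return verdicts
```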

