
Re: [solved securely now??] What is the correct way to set encrypted swap with systemd?



On 20150331_1923-0500, ~Stack~ wrote:
> On 03/29/2015 07:06 AM, Sven Hartge wrote:
> > ~Stack~ <i.am.stack@gmail.com> wrote:
> > 
> >> One more question if you don't mind: I understand why the encrypted
> >> partition UUID is going to change every time, but the physical
> >> partition UUID for my /dev/sda3 shouldn't change though. If they are
> >> the same systemd.fsck shouldn't have a problem with the physical
> >> partition UUID of /dev/sda3, but yet it does (at least for me). So
> >> what is the difference between the UUID pointing to /dev/sda3 and the
> >> /dev/disk/by-id pointing to /dev/sda3?
> > 
> > Please provide an example of such an UUID and the way you obtained it. 
> 
> Greetings Sven,
> 
> So something odd has happened...
> 
> # blkid |grep sda3
> /dev/sda3: PARTUUID="0003efe2-03"
> /dev/mapper/sda3_crypt: UUID="f4aad427-3462-4dcf-a40d-617e90a7b1cb"
> TYPE="swap"
> 
> # grep sda3 /etc/crypttab
> sda3_crypt /dev/disk/by-id/ata-TOSHIBA_MK3259GSXP_42K5CE0TT-part3
> /dev/urandom cipher=aes-xts-plain64,size=256,swap
> 
> That "PARTUUID" is odd because it used to be a UUID...huh...really not
> sure what happened...but I have a guess (below)...
> 
> But on my not-yet-updated-to-an-OS-with-systemd boxes they are either
> configured for keys or use the UUID from blkid and that UUID is what is
> in /etc/crypttab. In my first email this
> "UUID=ef2496cd-ca4d-43aa-8c90-dba084029f6e" was taken from blkid.
> Clearly that is no longer the case and would explain why UUID doesn't
> work. :-)
> 
> So off I went to read about UUID vs PARTUUID. Short notes:
> UUID == filesystem
> PARTUUID == partition
> 
> Thus, I would want to point to the partition PARTUUID because (as you
> pointed out to me earlier) the swap filesystem is going to change every
> time due to urandom and thus the UUID should be changing on every
> boot...blkid is probably seeing that this is a ever changing swap
> partition and just returning the PARTUUID for me.
> 
> But putting that PARTUUID in my /etc/crypttab didn't work and I ended up
> with the systemd.fsck timing out and not mounting swap. Hrm.
> 
> Well, I guess the disk-by-id works so I will just use that for now.

~Stack~,

You can also use disk LABEL=. As implemented, the LABEL is actually
applied to the individual partition. As long as every partition has a
different LABEL value there is no ambiguity. You only need to have
unique values for partitions that you feel you will be mounting and
umounting. Partitions with no LABEL value set never get compared by
LABEL value. The system has always insisted on setting a unique UUID
value on every partition. It's done that way because of a design
decision of Debian developers. But it has a tiny flaw that you can
avoid by using LABEL values, which YOU can be sure are unique because
you didn't do repeats, whereas UUIDs are randomly generated and there
is a tiny, but non-zero chance of repeats for UUIDs.


> 
> Thanks again! I have learned a ton about crypttab, swap, UUID/PARTUUID,
> and the boot process. :-)
> 
> ~Stack~

~Stack~,

If I read your message above, you are having trouble understanding how
to use the UUID/PARTUUID system for identifying partitions on disks.
I suggest that you don't need to use it, and if you don't use it you
don't need to understand it. It can be there because it has been put
there during the initialization of Debian, and it won't hurt anything
until you try to use it and make a mistake in trying to use it.

I was once troubled by a similar situation when Debian first started to
use UUID, until I realized that for some disks, I had no intention
of ever changing the partition structure that was put there initially.

For disks that I did have some special use and some ideas about how
that special use might change in the future, I put LABEL=... on their
partitions and used the LABEL= paradigm to identify the partitions. This
is what I do with all my external drives. And I put a sticker on the
outside of the drive enclosure with the LABEL= value written with a
ball point pen on it. It is my personal responsibility to myself that
I never put the same LABEL= value on two different disks. You can even
put a LABEL= value on the root system disk that is always /dev/sda1
during installation. I suggest that you use LABEL=sda1. LABEL=
settings can be any string of alphanumeric characters <= sixteen long.

As I see it, the only benefit that you the user get from using the
UUID/PARTUUID system is that if some Linux user is browsing through
the internals of what is written on your disk, he may wonder where
you got the software to do that and treat you with a little more
respect. Let me assure you, you are not Rodney Dangerfield.
--
Paul E Condon
pecondon@mesanetworks.net
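The thread turns on which kind of identifier can name a random-key swap partition in /etc/crypttab: the UUID that blkid reports belongs to the decrypted /dev/mapper device and is recreated on every boot, while PARTUUID and /dev/disk/by-id name the partition or disk itself. The script below is an added example, written for this page and not code from the thread or from Debian's cryptsetup. It parses blkid output and crypttab lines (the sample data embeds the blkid and crypttab lines quoted above, with the wrapped TYPE="swap" rejoined, plus a constructed /dev/sda1 line and two constructed mistaken entries) and reports, for each entry keyed from /dev/urandom with the swap option, whether the source identifier survives the re-keying. It treats UUID= and LABEL= alike as filesystem-signature identifiers and PARTUUID=/PARTLABEL=/by-id paths as partition or hardware identifiers; whether a given cryptsetup or systemd version accepts PARTUUID= in crypttab is a separate question (the thread reports it did not work there), so the check rates only the stability of the identifier, not its acceptance by the tooling.

```python
#!/usr/bin/env python3
"""Lint /etc/crypttab entries for random-key encrypted swap.

Added example (not code from the thread or from Debian). For each entry
that uses /dev/urandom as key with the `swap` option, report whether the
<source> field names the raw partition by something that survives the
swap signature being rewritten at every boot.
"""
import re

# Prefixes that name the partition or the disk, not a signature inside it.
STABLE_PREFIXES = (
    "PARTUUID=", "PARTLABEL=",
    "/dev/disk/by-id/", "/dev/disk/by-path/",
    "/dev/disk/by-partuuid/", "/dev/disk/by-partlabel/",
)
# Prefixes that name a filesystem signature (superblock or swap header),
# which is exactly what a random key erases on each boot.
FILESYSTEM_PREFIXES = ("UUID=", "LABEL=", "/dev/disk/by-uuid/", "/dev/disk/by-label/")

# blkid output as quoted in the thread (TYPE="swap" rejoined to its line),
# plus a constructed /dev/sda1 line for an ordinary ext4 root partition.
SAMPLE_BLKID = """\
/dev/sda3: PARTUUID="0003efe2-03"
/dev/mapper/sda3_crypt: UUID="f4aad427-3462-4dcf-a40d-617e90a7b1cb" TYPE="swap"
/dev/sda1: UUID="00000000-1111-2222-3333-444444444444" TYPE="ext4" PARTUUID="0003efe2-01"
"""

# Constructed crypttab: the working entry from the thread, the UUID taken
# from the *mapped* swap device (the mistake discussed), and a bare /dev/sdX.
SAMPLE_CRYPTTAB = """\
# <target name> <source device> <key file> <options>
sda3_crypt /dev/disk/by-id/ata-TOSHIBA_MK3259GSXP_42K5CE0TT-part3 /dev/urandom cipher=aes-xts-plain64,size=256,swap
swap_by_uuid UUID=f4aad427-3462-4dcf-a40d-617e90a7b1cb /dev/urandom cipher=aes-xts-plain64,size=256,swap
swap_by_name /dev/sda3 /dev/urandom cipher=aes-xts-plain64,size=256,swap
"""


def parse_blkid(text):
    """Map device path -> {TAG: value} from `blkid` output lines."""
    devices = {}
    for line in text.splitlines():
        dev, sep, tags = line.partition(":")
        if sep:
            devices[dev.strip()] = dict(re.findall(r'(\w+)="([^"]*)"', tags))
    return devices


def parse_crypttab(text):
    """Yield one dict per non-comment crypttab line; missing fields get defaults."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        yield {
            "target": fields[0],
            "source": fields[1],
            "keyfile": fields[2] if len(fields) > 2 else "none",
            "options": set(fields[3].split(",")) if len(fields) > 3 else set(),
        }


def tag_owner(blkid, tag, value):
    """Return the device whose blkid TAG equals value, or None if no device has it."""
    for dev, tags in blkid.items():
        if tags.get(tag) == value:
            return dev
    return None


def check_source(source, blkid):
    """Classify a crypttab <source> for a random-key swap entry -> (status, reason)."""
    if source.startswith(STABLE_PREFIXES):
        return "ok", "names the partition or disk, not a signature inside it"
    if source.startswith(FILESYSTEM_PREFIXES):
        tag = "LABEL" if "label" in source.lower() else "UUID"
        value = source.split("=", 1)[-1].rsplit("/", 1)[-1]
        owner = tag_owner(blkid, tag, value)
        if owner and owner.startswith("/dev/mapper/"):
            return "bad", (f"{tag} belongs to the decrypted device {owner}, "
                           "which gets a fresh swap signature every boot")
        if owner:
            return "bad", (f"{tag} matches {owner} (TYPE={blkid[owner].get('TYPE')}); "
                           "a random-key swap entry would format that filesystem")
        return "bad", (f"{tag} is a filesystem signature; the raw partition "
                       "holds random-key ciphertext and carries none")
    return "warn", ("kernel device name; enumeration order can change, and the "
                    "swap option then re-keys and formats whatever sits there")


def lint_random_key_swap(crypttab_text, blkid_text):
    """Return [(target, status, reason)] for entries that re-key swap at boot."""
    blkid = parse_blkid(blkid_text)
    results = []
    for entry in parse_crypttab(crypttab_text):
        if entry["keyfile"] != "/dev/urandom" or "swap" not in entry["options"]:
            continue  # only random-key swap loses its signature each boot
        status, reason = check_source(entry["source"], blkid)
        results.append((entry["target"], status, reason))
    return results


if __name__ == "__main__":
    for target, status, reason in lint_random_key_swap(SAMPLE_CRYPTTAB, SAMPLE_BLKID):
        print(f"{status:4} {target}: {reason}")
```

Run against a real system with `lint_random_key_swap(open("/etc/crypttab").read(), subprocess.check_output(["blkid"], text=True))`; the "warn" for a bare /dev/sdX is the data-loss case worth fixing first, because a re-enumerated disk would be encrypted over and formatted as swap at the next boot.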