Author Topic: Encrypting swap after installation  (Read 890 times)

Offline xr200

  • Full Member
  • ***
  • Posts: 95
Encrypting swap after installation
« on: September 30, 2011, 12:57:32 PM »
I installed PCLOS 2011.6 KDE on my laptop about a month ago.  I intended to
encrypt my root, home, and swap partitions during the install, and until today,
I thought I had.  I just ran gparted and it did not show my swap partition as being
encrypted, and after a little googling, I looked at /etc/crypttab and I had two
entries: 1 for my root partition, and 1 for my home partition.   I also looked at
my /etc/fstab and it had a non-encrypted entry for swap.  So I must have messed
up on my install and not encrypted the swap partition.   

Is it possible to go back now and encrypt the swap partition?

Walt.

Offline T6

  • Super Villain
  • ******
  • Posts: 19051
  • xmas is comming!
Re: Encrypting swap after installation
« Reply #1 on: September 30, 2011, 03:44:31 PM »
encrypt root and home, ok

swap?

why?

what use could an encrypted swap have?

do you have a laptop?  that would be the only important reason to encrypt your partitions and swap is basically never used, unless you use hibernate on a laptop
"If you wish to make an apple pie from scratch, you must first invent the universe."

Carl Sagan

Offline xr200

Re: Encrypting swap after installation
« Reply #2 on: September 30, 2011, 04:36:18 PM »
Yes, it is installed on a laptop.   The article in the August 2011 edition of the
magazine recommended encrypting swap space.   I'm not expert at all, but
I think a computer CSI person with access to unencrypted swap could get
information off it if anything was ever written to swap.   I'm just trying to
protect my private information on the laptop if it gets stolen.
Walt

Offline Roc4fun

  • Hero Member
  • *****
  • Posts: 619
  • The life so short, the craft so long to learn
Re: Encrypting swap after installation
« Reply #3 on: October 01, 2011, 07:29:38 AM »
I'm not real smart about this, but I'm inclined to go with T6.

My thinking is... if you're using swap, its purpose is like a memory cache, and you want to read and write as quickly as possible.  Adding an encryption task to every read and write seems counter to how it should be used.

Maybe just get more memory.  I have 2G and my swap is never used.

Just my $.02

Dave

Offline djohnston

  • PCLinuxOS Tester
  • Hero Member
  • *******
  • Posts: 6224
  • I don't do Windows
Re: Encrypting swap after installation
« Reply #4 on: October 01, 2011, 05:45:44 PM »
If you really, really, really want to do it, open a terminal.

su -
cat /proc/swaps


Find the /dev/sdxx containing your swap.

swapoff /dev/sdxx

(The one containing your swap.)

Set your swap to be encrypted the way you originally intended. (From PCC?) Go back to the terminal.

swapon /dev/sdxx

Bare metal                           VBox
AMD Athlon 7750 Dual-Core    Single core
4GiB RAM                              1GiB RAM
nVidia GeForce FX 5200          64MB video
LXDE 32bit                            KDE 64bit

Registered Linux User #416378

Offline xr200

Re: Encrypting swap after installation
« Reply #5 on: October 01, 2011, 06:23:48 PM »
I'm specifically asking how one could encrypt swap after installation to make
it look like I had selected encrypting swap during the installation process.

 I did not manually encrypt my root or home partitions, the installer did that when I
selected encrypt for those 2 partitions.   But apparently I forgot to select
encrypt for my swap partition.    I don't know what the installer does internally,
and I don't know how to figure out what the installer does.  Presumably
cryptsetup is invoked, but I'm not sure how, nor do I know what entry (if any)
is supposed to be added to /etc/crypttab and/or /etc/fstab.

Walt

Offline djohnston

Re: Encrypting swap after installation
« Reply #6 on: October 01, 2011, 06:38:59 PM »
Make sure cryptsetup package is installed. I think it's installed by default. Then follow the instructions here.


Offline AS

  • Hero Member
  • *****
  • Posts: 4098
  • Have a nice ... night!
Re: Encrypting swap after installation
« Reply #7 on: October 02, 2011, 05:46:00 PM »
How to add swap encryption after installation:

Start your system and log in as the root user, then (assuming the swap partition is /dev/sda5) follow these instructions:

-turn off the swap: swapoff /dev/sda5
-change the partition type from Linux swap to Linux native, using Control center -> Local disk -> manage disk partitions
-reformat the partition for encrypted use: cryptsetup luksFormat /dev/sda5
-map the partition to device mapper: cryptsetup luksOpen /dev/sda5 crypt5 (possibly provide the same pass phrase already used for the other already-encrypted partitions)
-initialize your new encrypted partition using random data: dd if=/dev/zero of=/dev/mapper/crypt5 bs=4M
(unlike what was posted in the August article, here we are using /dev/zero on the mapped device; this in turn results in random data on the physical disk partition, but the process is much faster)
-format the partition as swap: mkswap /dev/mapper/crypt5
-look at basic info using the command blkid, you will find something like:
Quote
[root@localhost ~]# blkid
/dev/sda1: UUID="68b88c36-656f-4d27-a78f-c73c69b60a12" TYPE="ext4"
/dev/sda5: UUID="a484fcd9-b97f-4ba0-bfce-5253654e1988" TYPE="crypto_LUKS"
/dev/sda6: UUID="b5dbbb0c-8a13-49b1-b9e4-83e3d25f1fde" TYPE="ext4"
/dev/mapper/crypt5: UUID="e9c1d218-162a-4d49-a1e8-d8f546639596" TYPE="swap"

-now your partition is ready to be used, but you need a few more steps:
-add the swap partition entry to /etc/crypttab, so that it can be automatically mapped at the next reboot (note the blue UUID):
Quote
crypt5 UUID=a484fcd9-b97f-4ba0-bfce-5253654e1988
-add the swap partition entry in /etc/fstab to match your new setup:
Quote
UUID=e9c1d218-162a-4d49-a1e8-d8f546639596 swap swap defaults 1 2
-finally, you may need to change the resume=UUID=... entry in your /boot/grub/menu.lst:
Quote
title linux
kernel (hd0,0)/boot/vmlinuz BOOT_IMAGE=linux root=UUID=68b88c36-656f-4d27-a78f-c73c69b60a12  quiet vmalloc=256M acpi=on resume=UUID=e9c1d218-162a-4d49-a1e8-d8f546639596 splash=silent vga=788
initrd (hd0,0)/boot/initrd.img

reboot and enjoy!  ;)

AS


Offline djohnston

Re: Encrypting swap after installation
« Reply #8 on: October 02, 2011, 06:00:48 PM »
Very good instructions, as. You spelled it all out. I just pointed to another set of instructions.


Offline AS

Re: Encrypting swap after installation
« Reply #9 on: October 02, 2011, 06:07:04 PM »
Quote
Very good instructions, as. You spelled it all out. I just pointed to another set of instructions.

Thank you   :)  The link you pointed out refers to an LVM-based setup, not used as default in PCLinuxOS, but still possible  ;)

AS

Offline xr200

Re: Encrypting swap after installation
« Reply #10 on: October 02, 2011, 07:44:14 PM »
Quote
-add the swap partition entry in /etc/fstab to match your new setup:
UUID=e9c1d218-162a-4d49-a1e8-d8f546639596 swap swap defaults 1 2

Thank you very much for this explanation.    I did previously try the non-Luks suggestion solution,
and it did not work for me: my boot just hung forever after I entered my encrypt password.  Either
I messed something up (would not be the first time), or I suspect that I did not make the required
change to the grub menu.lst file (which was not mentioned in the other solution).  I ended up
booting on a live CD, and figuring out how to mount an encrypted position, and then undid my
changes to /etc/crypttab and /etc/fstab.

In your new instructions, is the entry for swap in /etc/hosts supposed to end in "1 2" ?
I expected to see "0 0".

Which comes to another question:  does fsck run on encrypted partitions?

Again, thank you for this great explanation.

Walt

Offline djohnston

Re: Encrypting swap after installation
« Reply #11 on: October 02, 2011, 09:04:10 PM »
Quote
In your new instructions, is the entry for swap in /etc/hosts supposed to end in "1 2" ?
I expected to see "0 0".

Which comes to another question:  does fsck run on encrypted partitions?

Again, thank you for this great explanation.

Walt

Yes, fsck will run on encrypted partitions. If you ever do it manually, be sure the partition is not mounted before starting.

I'll defer to as on the final answer, but I believe you will always want the dump and fsck (1 2) options turned on for an encrypted partition. 0 0 values would turn both off.

Offline AS

Re: Encrypting swap after installation
« Reply #12 on: October 03, 2011, 03:48:33 AM »
Quote
-add the swap partition entry in /etc/fstab to match your new setup:
UUID=e9c1d218-162a-4d49-a1e8-d8f546639596 swap swap defaults 1 2

In your new instructions, is the entry for swap in /etc/hosts supposed to end in "1 2" ?
I expected to see "0 0".

Of course yes, should be "0 0" (the power of copy & paste  ;)  )

Quote

Which comes to another question:  does fsck run on encrypted partitions?

The physical layer, /dev/sdXY, is encrypted; you can't run fsck on these partitions.
The mapped counterparts /dev/mapper/crypt* are the unencrypted layer; the system sees them as traditional filesystems, and here you can run fsck (or it will run automatically upon restart in case of abnormal shutdown).

Glad to provide some cents back to this wonderful forum!  :)

AS
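
Added example, not part of the original thread: a shell check of the files that Reply #7 edits, meant to be run on copies before rebooting. It confirms that /etc/crypttab points at the crypto_LUKS UUID, that the fstab swap line uses the mapped device and ends in "0 0" as corrected in Reply #12, and that resume= names the swap UUID. The function names are hypothetical, the sample files are constructed from the UUIDs quoted in the thread, and blkid output is assumed to have the UUID/TYPE layout shown there.

```bash
#!/bin/bash
# Added example (not from the thread): cross-check the files the procedure
# edits. Inputs are saved blkid output plus crypttab, fstab and menu.lst.
uuid_of() {  # uuid_of <blkid-output-file> <device>: print that device's UUID
  sed -n "s|^$2: UUID=\"\([^\"]*\)\".*|\1|p" "$1"
}

# check_swap_config <blkid-out> <crypttab> <fstab> <menu.lst> <mapping-name>
# Prints one line per problem; returns 0 only when nothing was found.
check_swap_config() {
  local blk=$1 ctab=$2 ftab=$3 menu=$4 name=$5 bad=0 swap_uuid src resume
  swap_uuid=$(uuid_of "$blk" "/dev/mapper/$name")
  [ -n "$swap_uuid" ] || { echo "no swap UUID on /dev/mapper/$name"; bad=1; }
  # crypttab must name the outer LUKS container, not the swap inside it.
  src=$(awk -v n="$name" '$1 == n { sub(/^UUID=/, "", $2); print $2 }' "$ctab")
  grep -qF "UUID=\"$src\" TYPE=\"crypto_LUKS\"" "$blk" ||
    { echo "crypttab: $name does not point at a crypto_LUKS UUID"; bad=1; }
  # fstab: swap must sit on the mapped device (by UUID or path) and end in
  # "0 0"; a leftover raw /dev/sdXY swap line would stay unencrypted.
  awk -v u="UUID=$swap_uuid" -v p="/dev/mapper/$name" '
    $1 !~ /^#/ && $3 == "swap" {
      seen = 1
      if ($1 != u && $1 != p) { print "fstab: swap on " $1 " bypasses the mapping"; rc = 1 }
      if (($5 + 0) != 0 || ($6 + 0) != 0) { print "fstab: swap line should end in 0 0"; rc = 1 }
    }
    END { if (!seen) { print "fstab: no swap line"; rc = 1 }; exit rc + 0 }' "$ftab" || bad=1
  # menu.lst: the resume= entry from the last step must name the swap UUID.
  resume=$(sed -n 's/.*resume=UUID=\([^ ]*\).*/\1/p' "$menu" | head -n 1)
  [ "$resume" = "$swap_uuid" ] ||
    { echo "menu.lst: resume=UUID=$resume is not the swap UUID"; bad=1; }
  return $bad
}

# Constructed sample files built from the UUIDs quoted in Reply #7.
write_sample() {  # write_sample <dir> <fstab dump/pass fields>
  local d=$1
  cat > "$d/blkid" <<'EOF'
/dev/sda1: UUID="68b88c36-656f-4d27-a78f-c73c69b60a12" TYPE="ext4"
/dev/sda5: UUID="a484fcd9-b97f-4ba0-bfce-5253654e1988" TYPE="crypto_LUKS"
/dev/mapper/crypt5: UUID="e9c1d218-162a-4d49-a1e8-d8f546639596" TYPE="swap"
EOF
  echo 'crypt5 UUID=a484fcd9-b97f-4ba0-bfce-5253654e1988' > "$d/crypttab"
  echo "UUID=e9c1d218-162a-4d49-a1e8-d8f546639596 swap swap defaults $2" > "$d/fstab"
  echo 'kernel (hd0,0)/boot/vmlinuz root=UUID=68b88c36-656f-4d27-a78f-c73c69b60a12 resume=UUID=e9c1d218-162a-4d49-a1e8-d8f546639596' > "$d/menu.lst"
}

demo_dir=$(mktemp -d); write_sample "$demo_dir" "1 2"   # fstab as first posted
check_swap_config "$demo_dir/blkid" "$demo_dir/crypttab" "$demo_dir/fstab" "$demo_dir/menu.lst" crypt5 || true
rm -rf "$demo_dir"
```

On a live system, save the output of `blkid` to a file and pass it together with copies of /etc/crypttab, /etc/fstab and /boot/grub/menu.lst.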