cryptsetup does not ask to decrypt swap on boot

Bug #1253983 reported by Edward Z. Yang
This bug affects 1 person
Affects: cryptsetup (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Steps to reproduce:
---------------------------

Suppose your swap partition is going to be /dev/sda3. We are going to encrypt it with a password, rather than autogenerate it (this is desirable for hibernation). I think it may be important to avoid having other LUKS partitions in your crypttab.

Set it up with:
  cryptsetup luksFormat /dev/sda3

Edit crypttab to have:
  swap /dev/sda3 none luks,tries=3

Edit fstab to have:
  /dev/mapper/swap none swap sw 0 0

Now reboot the system.

Expected behavior: Prompt to decrypt swap on boot, after which swap is loaded (swapon -s)
Actual behavior: Boot proceeds without prompt (well, actually the prompt does show up but you're never given a chance to type anything in), swap is not loaded

The trouble here seems to be that the cryptsetup password request is implemented by hooking into Ubuntu's "Device is not ready, press S to skip or M to mount" (not an expert, but this is a guess, since when I use exactly the same parameters but specify a proper file system in fstab, things work fine), but Ubuntu will not block boot because swap has not come online, so we never actually get a prompt.

This might actually be a bug elsewhere; while hibernate has never been terribly high on the priority of Ubuntu developers (and encrypted hibernate is an absolute disaster), it is essential to block on swap coming online, because there may be a hibernate image stored there, which is irrecoverable if boot proceeds as normal. But I didn't know where to report *that*.
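
Added example (not part of the original report or of cryptsetup): a shell function that cross-checks a crypttab and an fstab and lists swap entries whose mapping needs a typed passphrase at boot, which is the configuration the steps above set up. The `tmpswap` entry on `/dev/sdb2` in the sample files is a constructed assumption, included to show a random-key swap that is not flagged.

```shell
#!/bin/sh
# Added example: list swap entries in fstab that sit on a crypttab mapping
# which needs an interactive passphrase at boot (key field "none" or "-").

# find_prompted_swap CRYPTTAB FSTAB
# Output per match: mapping name, source device, crypttab options.
find_prompted_swap() {
    awk '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        pass == 1 {                        # crypttab: name source key options
            if ($3 == "none" || $3 == "-" || $3 == "")
                { src[$1] = $2; opts[$1] = $4 }
            next
        }
        # fstab: only swap entries that point at /dev/mapper/NAME
        $3 == "swap" && index($1, "/dev/mapper/") == 1 {
            name = substr($1, 13)          # strip the 12-char "/dev/mapper/"
            if (name in src) print name, src[name], opts[name]
        }
    ' pass=1 "$1" pass=2 "$2"
}

# Constructed sample files: the report's entries plus a random-key swap
# ("tmpswap" on /dev/sdb2, an assumption) that needs no prompt.
demo_dir=$(mktemp -d)
cat > "$demo_dir/crypttab" <<'EOF'
# <name> <device> <key> <options>
swap    /dev/sda3 none         luks,tries=3
tmpswap /dev/sdb2 /dev/urandom swap,cipher=aes-xts-plain64,size=256
EOF
cat > "$demo_dir/fstab" <<'EOF'
/dev/mapper/swap    none swap sw 0 0
/dev/mapper/tmpswap none swap sw 0 0
EOF

find_prompted_swap "$demo_dir/crypttab" "$demo_dir/fstab"
rm -rf "$demo_dir"
```

On a real system the arguments would be `/etc/crypttab` and `/etc/fstab`; only the passphrase-backed `swap` mapping is printed for the sample files.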

Edward Z. Yang (ezyang) wrote:

As an extra note, https://help.ubuntu.com/community/EnableHibernateWithEncryptedSwap describes a patch to /usr/share/initramfs-tools/scripts/local-top/cryptroot which enables a proper check. But I don't think the patch as it stands is usable as a real fix.
