Resume from Suspend-to-disk (hibernation) fails with encrypted swap
Closed, Resolved (Public)

Description

The default partitioning option "Erase disk" of the PureOS installer creates an encrypted swap partition. (Which is good and expected.) However, it is set up with /dev/urandom as the keyfile in /etc/crypttab.

If you suspend PureOS via systemctl hibernate it isn't (can't be) resumed since the memory state saved to the encrypted swap partition won't be decrypted again because a new LUKS key is generated on the next boot due to the /dev/urandom setting in /etc/crypttab.
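An added example, not part of the original report or of PureOS: a small Python check that parses crypttab text and lists swap mappings keyed from a random device, then tests whether the kernel `resume=` parameter points at one of them. The mapping names, UUIDs, key path and kernel command line in the sample are constructed for illustration.

```python
"""Find crypttab swap mappings that are re-keyed on every boot."""

# Key sources that produce a fresh key at each boot (assumption: these two).
VOLATILE_KEYS = {"/dev/urandom", "/dev/random"}

# Constructed sample; names, UUIDs and key path are placeholders.
SAMPLE_CRYPTTAB = """\
# <name>    <device>                                   <keyfile>          <options>
cryptroot   UUID=00000000-0000-0000-0000-000000000001  none               luks
cryptswap   UUID=00000000-0000-0000-0000-000000000002  /dev/urandom       swap,cipher=aes-xts-plain64,size=256
cryptswap2  UUID=00000000-0000-0000-0000-000000000003  /etc/keys/swap.key luks
"""
SAMPLE_CMDLINE = "quiet splash resume=/dev/mapper/cryptswap"  # constructed


def parse_crypttab(text):
    """Return one dict per entry: name, device, keyfile, options."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed: name and device are mandatory
        entries.append({
            "name": fields[0],
            "device": fields[1],
            "keyfile": fields[2] if len(fields) > 2 else "none",
            "options": fields[3].split(",") if len(fields) > 3 else [],
        })
    return entries


def volatile_swap(text):
    """Names of swap mappings whose key does not survive a reboot."""
    return [e["name"] for e in parse_crypttab(text)
            if "swap" in e["options"] and e["keyfile"] in VOLATILE_KEYS]


def resume_is_unreadable(cmdline, crypttab_text):
    """True if resume= names a mapping that gets a new key each boot."""
    bad = {"/dev/mapper/" + n for n in volatile_swap(crypttab_text)}
    targets = [a.split("=", 1)[1] for a in cmdline.split()
               if a.startswith("resume=")]
    return any(t in bad for t in targets)


if __name__ == "__main__":
    print("re-keyed swap:", volatile_swap(SAMPLE_CRYPTTAB))
    print("resume broken:", resume_is_unreadable(SAMPLE_CMDLINE, SAMPLE_CRYPTTAB))
```
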

Event Timeline

pruflyos created this task. Apr 24 2019, 05:40
pruflyos updated the task description.
pruflyos added a project: Restricted Project. Apr 24 2019, 05:44
jeremiah.foster triaged this task as Normal priority. Apr 26 2019, 06:50
jeremiah.foster added a subscriber: jeremiah.foster.

My understanding is swap re-encryption enabled on reboot provides a higher level of security while losing the functionality you describe, namely resume after hibernate.

I note that my /etc/crypttab file mentions "encrypted swap, which should be set up with mkinitcpio-openswap for resume support".

Yes, this is by design for extra security, as well as adding the convenience of not having to enter in unlock passphrases two different times at boot (once for /, once for swap). The downside is that it removes the ability to resume from hibernate.

jeremiah.foster closed this task as Resolved. Jun 24 2019, 13:29