[Nottingham] Problem with encrypted swap on Ubuntu Server 16.04

Jason Irwin jasonirwin73 at gmail.com
Sat Nov 5 11:27:33 UTC 2016


TLDR: Why does cryptswap create /dev/mapper/cryptswap1, rather than the
swap partition that pre-exists and do I need to keep both in /etc/fstab?

Last night I upgraded my server to 16.04 (RAID 1 with LVM). At reboot, it
stalled with the message:

Please enter passphrase for disk cryptswap1 on none!

This halted the boot process and while any random key-mashing could get
past it, it did present something of a problem. There's a few bugs* about it
and after some head scratching I did manage to get around it.

My /etc/crypttab started out like this:
# <target name> <source device>         <key file>      <options>
cryptswap1 /dev/md-0 /dev/urandom swap,cipher=aes-cbc-essiv:sha256

I know that source device is wrong from a simple "ls /dev/mapper":
crw-------  1 root root 10, 236 Nov  5 01:00 control
lrwxrwxrwx  1 root root       7 Nov  5 01:00 primary-home -> ../dm-2
lrwxrwxrwx  1 root root       7 Nov  5 01:00 primary-root -> ../dm-0
lrwxrwxrwx  1 root root       7 Nov  5 01:00 primary-swap -> ../dm-1

Great, it's trying to use my root partition! So I updated /etc/crypttab:
# <target name> <source device>         <key file>      <options>
cryptswap1 /dev/mapper/primary-swap /dev/urandom swap,cipher=aes-cbc-essiv:sha256

I then started the crypt swap with "sudo cryptdisks_start cryptswap1" and
saw a new device appear:
crw-------  1 root root 10, 236 Nov  5 01:00 control
lrwxrwxrwx  1 root root       7 Nov  5 01:00 cryptswap1 -> ../dm-3
lrwxrwxrwx  1 root root       7 Nov  5 01:00 primary-home -> ../dm-2
lrwxrwxrwx  1 root root       7 Nov  5 01:00 primary-root -> ../dm-0
lrwxrwxrwx  1 root root       7 Nov  5 01:00 primary-swap -> ../dm-1

However, "swapon" still failed with some moaning about an inability to
read the header. Checking /etc/fstab revealed a potential problem:
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    nodev,noexec,nosuid 0       0
/dev/mapper/primary-root /               ext4    errors=remount-ro 0       1
/dev/mapper/primary-home /home           ext4    defaults        0       2
/dev/mapper/primary-swap none            swap    sw              0       0
/dev/mapper/cryptswap1 none swap sw 0 0

Two swaps? Commenting out /dev/mapper/primary-swap seemed to solve it and
booting now proceeds A-OK.

Great, it's fixed. I think.
Why this new device? Why not just use /dev/mapper/primary-swap?
And is it *really* fixed or just working by fluke?
Do I need to restore /dev/mapper/primary-swap and run two swaps somehow?
I've tried to find some documentation and either not succeeded or simply
failed to understand (my excuse is the painkillers).

Disclaimer: This has been steadily upgraded from 12.04 and I don't recall
string encrypted swap, but I deffo have encrypted home.

Yours in befuddlement,

Jason

* Seemingly related bugs:
1. https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/1453738
2. https://bugs.launchpad.net/ubuntu/+source/ecryptfs-utils/+bug/953875
3. https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1449555
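
Added example (not part of the original post, and not Ubuntu's own tooling): a shell function that cross-checks copies of /etc/crypttab and /etc/fstab for the two situations described in the message. With the "swap" option, cryptsetup runs mkswap on the mapping /dev/mapper/<target>, so that mapping is what fstab should list and the backing device should not appear there as well. The function name check_swap and the sample files are constructed for illustration.

```shell
#!/bin/sh
# check_swap CRYPTTAB FSTAB
# Prints one finding per line and returns 1 if any were found.
# Devices are compared by the name written in the files; aliases such as
# /dev/dm-1 vs /dev/mapper/primary-swap are not resolved.
check_swap() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        FILENAME == ARGV[1] {                   # crypttab: target source key options
            if (("," $4 ",") ~ /,swap,/) backing[$2] = $1
            next
        }
        {                                       # fstab: device mountpoint type ...
            if ($1 in backing) {
                printf "CONFLICT: %s backs %s but fstab also uses it as %s\n", $1, backing[$1], ($3 == "swap" ? "swap" : $2)
                bad = 1
            }
            if ($3 == "swap" && index($1, "/dev/mapper/") == 1)
                mapped[substr($1, 13)] = 1      # name after "/dev/mapper/"
        }
        END {
            for (dev in backing)
                if (!(backing[dev] in mapped)) {
                    printf "MISSING: no fstab swap entry for /dev/mapper/%s\n", backing[dev]
                    bad = 1
                }
            exit bad + 0
        }
    ' "$1" "$2"
}

# Constructed sample files modelled on the post: crypttab already corrected,
# primary-swap not yet commented out of fstab.
demo=$(mktemp -d)
cat > "$demo/crypttab" <<'EOF'
# <target name> <source device>         <key file>      <options>
cryptswap1 /dev/mapper/primary-swap /dev/urandom swap,cipher=aes-cbc-essiv:sha256
EOF
cat > "$demo/fstab" <<'EOF'
/dev/mapper/primary-root /    ext4 errors=remount-ro 0 1
/dev/mapper/primary-swap none swap sw 0 0
/dev/mapper/cryptswap1   none swap sw 0 0
EOF
check_swap "$demo/crypttab" "$demo/fstab" || echo "findings reported above"
rm -rf "$demo"
```

On a live system, run it against copies of the real files, for example check_swap /etc/crypttab /etc/fstab.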