Swap partition support #96

Open
LimmaPaulus opened this issue Jan 24, 2023 · 3 comments

@LimmaPaulus

Hi,

I have a separate, encrypted swap partition for hibernate. I would love to use this tool to open it, too :). Is it currently possible, or could you consider adding support for it?

I've made my configuration as the instructions suggest. Currently, the root partition opens nicely, but then I have to type the password for the swap partition. However, even with it, resuming somehow fails, and after login I'm on a fresh start.

@agherzan
Owner

I don't have a direct interest in that but I'm happy to see if someone is willing to invest in implementation and maintenance for it as long as it is not a huge one (which I don't think it would be).

@LimmaPaulus
Author

LimmaPaulus commented Jan 31, 2023

DO NOT USE THIS! See my new comment below.

I managed to make it work with simple modifications.

The Manjaro installer creates a second slot on both the root and swap partition LUKS headers. There is a key file in path /crypto_keyfile.bin, which contains a key for these slots. By default, this file is copied to the initramfs and can be used to decrypt partitions without key input. I cannot understand this decision; it makes the whole encryption pointless in my opinion. I had removed the key file slot from both partitions.

However, this technique can be used efficiently to remove the need for duplicate key entries. I recreated the key file slot for the swap partition. Then I removed the key file from the initramfs by removing it from the /etc/mkinitcpio.conf FILES-line. Now the key file exists only on the encrypted root partition and is safe.

After these modifications, the swap partition is decrypted on boot silently by using the key file. Yubikey decrypts the root partition and after that the key file for the swap can be read. I honestly don't know what configuration is needed for this. But if you are doing a fresh Manjaro install you can do the following:

1. Install Manjaro with the installer and configure a separate swap partition and encryption.
2. Delete slot 1 from the root partition LUKS header (may be slot 0, I'm not sure, but you cannot delete the wrong slot, because any existing key must be provided)
3. Remove /etc/crypto_keyfile.bin from the FILES-line in /etc/mkinitcpio.conf
4. Follow the instructions on this repo for Yubikey-decryption
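
An added example, not part of the issue thread or of the project's code: a small audit of the `FILES=` line in a mkinitcpio.conf, which is where the comment above says the installer's key file gets copied into the initramfs. It parses the config as text instead of sourcing it; the name heuristic (`key`, `crypt`), the single-line `FILES=` assumption and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: report key-like files that a mkinitcpio.conf embeds in the
# initramfs through its FILES= line. The config is parsed as text, never
# sourced, so the audit executes nothing from it.

# Print each entry of the last uncommented FILES= line, one per line.
# Assumption: FILES is on a single line, as FILES=(...) or FILES="...".
files_entries() {
    line=$(grep -E '^[[:space:]]*FILES=' "$1" | tail -n 1)
    line=${line#*=}          # drop the "FILES=" prefix
    line=${line%%#*}         # drop a trailing comment
    printf '%s\n' "$line" | tr -d "()\"'" | tr -s ' \t' '\n' | sed '/^$/d'
}

# Heuristic (assumption): a name containing "key" or "crypt" is key material.
keylike_entries() {
    files_entries "$1" | grep -Ei 'key|crypt' || true
}

# Return 1 and list the offenders when key-like files are embedded, else 0.
audit_conf() {
    found=$(keylike_entries "$1")
    if [ -n "$found" ]; then
        printf 'WARN %s embeds key material in the initramfs:\n%s\n' "$1" "$found"
        return 1
    fi
    printf 'OK   %s embeds no key-like files\n' "$1"
}

# Constructed sample configs: the installer default described above, and the
# same file after the key file is taken off the FILES line.
tmpdir=$(mktemp -d)
cat > "$tmpdir/default.conf" <<'EOF'
MODULES=()
#FILES=(/old/commented_key.bin)
FILES=(/crypto_keyfile.bin)   # added by installer
HOOKS=(base udev autodetect keyboard encrypt filesystems)
EOF
cat > "$tmpdir/fixed.conf" <<'EOF'
MODULES=()
FILES=""
HOOKS=(base udev autodetect keyboard encrypt filesystems)
EOF

audit_conf "$tmpdir/default.conf" || true
audit_conf "$tmpdir/fixed.conf"
```

On a real system the function would be pointed at `/etc/mkinitcpio.conf`; a clean result only says the config no longer lists the file, so the initramfs still has to be regenerated for the change to take effect.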

@LimmaPaulus
Author

LimmaPaulus commented Feb 9, 2023

Warning! The method I described above seems to cause file system corruption. Apparently the root device should not be mounted before the swap partition when resuming from hibernation. I don't understand any details here, but very likely you should not use this method.

There is some information about this topic:

https://bbs.archlinux.org/viewtopic.php?id=249962

@LimmaPaulus LimmaPaulus reopened this Feb 9, 2023