
Talk:Dm-crypt/Swap encryption

From ArchWiki

Enter Passphrase

Anyone know what to do about the "Please enter passphrase for disk myswap (swap)!" and "systemd-ask-password" messages displaying at bootup? Occurs with the Without suspend-to-disk mode. Voukait (talk) 07:32, 8 May 2016 (UTC)

Which hooks do you use in mkinitcpio for the encryption? Any kernel parameter for "resume=" that might trigger it? --Indigo (talk) 09:32, 8 May 2016 (UTC)
I've been investigating this further and it appears that it is this issue: https://bbs.archlinux.org/viewtopic.php?id=176927 It looks like the problem is caused by formatting the partition as swap, and then the runtime encryption fails because it detects it as a swap drive. As soon as I can change the partition type, I will confirm.

Voukait (talk) 23:38, 10 May 2016 (UTC)

Adding my 2 cents here: I was having the same problem due to a mistake I made when following the steps. It seems that I had used the wrong cipher (i.e. I mixed two different techniques: with kernel naming and with label, because I did it all in order before encountering the warning about the potential changes of names and decided to adapt to it). To correct it, I had to replace:

safeSwap LABEL=cryptswap /dev/urandom swap,offset=2048,cipher=aes-cbc-essiv:sha256,size=512 #WRONG CIPHER METHOD

with:

safeSwap LABEL=cryptswap /dev/urandom swap,offset=2048,cipher=aes-xts-plain64,size=512 #WORKS LIKE A CHARM

I therefore suggest emphasizing the fact that the chosen cipher type is important, to save other people's time. I was maybe not the only one to fall for it, if I can refer to this thread: https://bbs.archlinux.org/viewtopic.php?id=193566 Bruno- (talk) 19:35, 5 September 2020 (UTC)

Alternative approach for ZFS with swap on a LUKS partition

I am using the approach listed on this website,

https://aaronlauterer.com/blog/2017/04/arch-linux-on-an-encrypted-zfs-root-system/

With this approach the LUKS cryptroot partition is partitioned further into a swap and a ZFS root partition. The advantage of this approach is that a single password is needed for both the ZFS and the swap partition.

This unsigned comment is by Trumee (talk) 08:23, 3 April 2021.

tune2fs -O read-only

In the section Without suspend-to-disk support > UUID and LABEL, wouldn’t it be a good idea to mark the ext2 filesystem as read-only with tune2fs -O read-only?

Kugland (talk) 08:23, 1 January 2022 (UTC)

suspend-to-disk mkinitcpio hook: suggest something like /dev/disk/by-uuid/<uuid> over /dev/<device>

In section Suspend-to-disk support --> Using a swap partition --> mkinitcpio hook, in `/etc/initcpio/hooks/openswap`, I think it'd be better to suggest `/dev/disk/by-uuid/<uuid>` over `/dev/<device>`, if going by the recommendation to not use block device names in config files. Keiichiiownsu12 (talk) 19:37, 20 November 2023 (UTC)

Sounds reasonable. You can use a pseudo-variable for the UUID value: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX. Also, /dev/disk/by-uuid/ can be replaced with UUID=. -- nl6720 (talk) 08:57, 21 November 2023 (UTC)

Encrypted swap GPT automounting

It's possible to GPT automount an encrypted swap partition; you just need to use any of the default methods that systemd-cryptsetup tries before falling back to password entry. Encrypt the swap partition, then run systemd-cryptenroll --tpm2-device (for example; it makes more sense with PCR policies, but I only tested with basic tpm2. It should work the same though). Then run mkswap on /dev/mapper/swap, then reboot and swapon shows /dev/dm-1 partition (size) -used) -2. Cvlc (talk) 19:25, 19 August 2024 (UTC)

Encrypted swapfile on Btrfs

I'm not a fan of dedicated partitions, and like the flexibility Btrfs subvolumes or ZFS datasets offer.

My setup uses a single Btrfs partition on NVMe SSD, and a swapfile in a subvolume.

There isn't a ton of information out there about encrypting a swapfile without encrypting the whole drive or by using LUKS.

I experimented with crypttab to see if it would accept files as devices.

On a basic test system without hibernation, I edited /etc/crypttab to include the swapfile path /swap/swapfile instead of specifying a dedicated /dev. /swap resides on subvol system/@swap and is mounted on boot as any regular subvol using /etc/fstab.

/etc/crypttab
# Configuration for encrypted block devices.
# See crypttab(5) for details.

# NOTE: Do not list your root (/) partition here, it must be set up
#       beforehand by the initramfs (/etc/mkinitcpio.conf).

# <name>       <device>                                     <password>              <options>
# home         UUID=XXXXXXXX                                /etc/mypassword1
# data1        /dev/sda3                                    /etc/mypassword2
# data2        /dev/sda5                                    /etc/cryptfs.key
# swap         /dev/sdx4                                    /dev/urandom            swap,cipher=aes-cbc-essiv:sha256,size=256
# vol          /dev/sdb7                                    none

swap           /swap/swapfile                               /dev/urandom            swap,cipher=aes-cbc-essiv:sha256,size=256

In /etc/fstab, /swap/swapfile is replaced by /dev/mapper/swap as swap.

/etc/fstab
/dev/nvme0n1p2
UUID=XXXXXXXXX       /swap           btrfs           rw,relatime,ssd,discard=async,space_cache,subvolid=282,subvol=/system/@swap   0 0

/dev/mapper/swap     none            swap            defaults        0 0

swapon -s shows /dev/dm-0 (or any other dm-X) as the swap device, and lsblk shows loop0 as crypt [SWAP].

I haven't tested this on a production system.

--Nitrogen (talk) 12:08, 14 October 2025 (UTC)
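The pitfalls raised in this discussion (the cipher line in the Enter Passphrase thread, the UUID=/LABEL= recommendation in the mkinitcpio hook thread, and the swapfile-as-device entry in the last comment) can be checked mechanically. The following is an added example written for this page, not an ArchWiki or systemd tool; it lints crypttab-format text read on stdin, and the sample entries are constructed from the lines quoted above.

```shell
#!/bin/bash
# Hypothetical linter for crypttab entries that carry the "swap" option.
# Reads crypttab-format text on stdin, prints one finding per line on stdout,
# informational notes on stderr, and returns 1 if any finding was emitted.
check_crypttab_swap() {
    local rc=0 name dev pass opts
    while read -r name dev pass opts || [ -n "$name" ]; do
        case "$name" in ''|\#*) continue ;; esac            # blank or comment
        case ",$opts," in *,swap,*) ;; *) continue ;; esac  # only swap entries
        # "swap" re-runs mkswap on every boot, so the key source must be random
        case "$pass" in
            /dev/urandom|/dev/random) ;;
            *) echo "$name: swap option expects a random key, got '$pass'"; rc=1 ;;
        esac
        # kernel names like /dev/sdx4 can change between boots; a regular file
        # (the Btrfs swapfile case) is attached through a loop device
        case "$dev" in
            UUID=*|LABEL=*|PARTUUID=*|PARTLABEL=*|/dev/disk/by-*) ;;
            /dev/*) echo "$name: '$dev' is a kernel device name; prefer UUID= or LABEL="; rc=1 ;;
            /*) echo "note: $name: '$dev' is a regular file, attached via a loop device" >&2 ;;
        esac
        # the cipher must be chosen deliberately rather than left implicit
        case ",$opts," in *,cipher=*) ;; *) echo "$name: no explicit cipher= option"; rc=1 ;; esac
        case ",$opts," in *,size=*)   ;; *) echo "$name: no explicit size= option";   rc=1 ;; esac
    done
    return "$rc"
}

# Constructed sample input modelled on the entries quoted in this discussion.
SAMPLE_GOOD='# swap by label with an explicit cipher, as in the working line above
safeSwap  LABEL=cryptswap  /dev/urandom  swap,offset=2048,cipher=aes-xts-plain64,size=512
# swapfile on a Btrfs subvolume, as in the last comment
swap      /swap/swapfile   /dev/urandom  swap,cipher=aes-cbc-essiv:sha256,size=256
home      UUID=XXXXXXXX    /etc/mypassword1'

SAMPLE_BAD='swap   /dev/sdx4  /dev/urandom  swap,cipher=aes-cbc-essiv:sha256,size=256
swap2  /dev/sdb5  /etc/swapkey  swap'

echo "$SAMPLE_GOOD" | check_crypttab_swap && echo "SAMPLE_GOOD: no findings"
echo "$SAMPLE_BAD"  | check_crypttab_swap || echo "SAMPLE_BAD: 5 findings expected above"
```

Run it against a live system with `check_crypttab_swap < /etc/crypttab`; the loop-device note matches what lsblk reports for the swapfile setup above.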