How to Use an Encrypted Swap Partition with Support for Hibernation on Linux

Why Encrypt the Swap Partition?

Encrypting the home partition is a good first step toward ensuring data confidentiality. However, a typical system usually stores some information outside /home such as in swap partitions which are not encrypted by default. This poses a security threat as sensitive information can be gleaned from the swap partition, even if the /home partition is encrypted.

A potential remedy is to disable swap, but this solution is not the best as sometimes one would want to use a swap partition to support certain features such as hibernation. In this case, it is imperative to encrypt the swap partition as well. Having an encrypted swap partition ensures that data cannot be leaked from the swap space.

In this article, we’re going to see how to enable encryption on the swap partition, all while having suspend-to-disk support. When the computer is turned on from a previous hibernation, the encrypted swap partition is unlocked, and the system resumes from there.

Step 1: Disable Current Swap

First, it is important to determine whether your system is already using swap space.

swapon -s

If that’s the case, then you should disable it as follows:

sudo swapoff -a

Moreover, any line in the /etc/fstab file which references swap partitions should be removed.

Step 2: Choose a Swap Partition

Next, run this command in the Terminal to list all available partitions:

sudo fdisk --list | grep -E "/dev/sd|/dev/nvme"

Choose the partition that you would like to use as swap and note the partition name (not the disk name!) found in the first column of the output and having the following format: /dev/xxxx.

If you do not have any free partition to use for the swap, you can shrink any partition of your choice to make space for a new partition using a utility such as gparted.

When allocating space for a swap partition, make sure the partition size is at least the square root of the total RAM size, rounded up to the nearest GB.

For example, if you have 8 GB RAM, sqrt(8) = 2.8284. This means the swap partition should be at least 3 GB, assuming you won’t be hibernating the system. For hibernation, you should factor in a couple more Gigabytes.

Step 3: Encrypt the Swap Partition Using LUKS

We will now encrypt the partition which will be used as swap. If you don’t have cryptsetup installed already, you can install it using your package manager.

1. To make our task easier, let’s create a shell variable to denote the swap partition.

export PART_SWAP="/dev/xxxx"

2. Then, unmount the new partition that will be encrypted. If you get any error, simply ignore it.

sudo umount $PART_SWAP

3. Encrypt the partition by formatting it as a LUKS device:

sudo cryptsetup -v luksFormat --type luks2 --cipher aes-xts-plain64 --key-size 512 --hash sha512 $PART_SWAP

You will be asked to enter a passphrase to encrypt the partition. Enter a strong password (at least 12 characters) containing a mix of lowercase and uppercase letters, numbers, and symbols.

4. Unmount the encrypted partition. If you get any error, simply ignore it.

sudo umount $PART_SWAP

Step 4: Create Swap Filesystem on the Encrypted Partition

Open the new encrypted LUKS partition with mapping name cryptswap.

sudo cryptsetup -v luksOpen $PART_SWAP cryptswap

Then, create a swap filesystem inside the encrypted partition.

sudo mkswap /dev/mapper/cryptswap

Step 5: Activate the Encrypted Swap Partition

It is a good idea to check if the swap partition was properly encrypted first:

cryptsetup status cryptswap

We can now activate the swap partition if the previous command gave a healthy output.

sudo swapon /dev/mapper/cryptswap

Step 6: Update System Configurations

At this point, the system should be using an encrypted swap partition. However, we need to change some configurations for three reasons:

1. To unlock encrypted partitions at boot time.
2. To instruct the kernel which partition to resume from, in case the system was hibernated during the previous shutdown.
3. To persist using the encrypted swap partition between reboots.

Step 6.1: Unlock Encrypted Partitions at Boot Time

Let’s create another shell variable to denote the luksUUID of the encrypted swap partition.

export UUID_SWAP=$(sudo cryptsetup luksUUID $PART_SWAP)

echo $UUID_SWAP

Step 6.1.1: For Manjaro, Arch Linux, and Derivatives

We should configure mkinitcpio hooks so that the OS can access encrypted partitions before the login screen appears.

sudo gedit /etc/mkinitcpio.conf

Comment the line starting with HOOKS= and use the one provided below instead:

HOOKS="base systemd autodetect modconf kms keyboard sd-vconsole plymouth block sd-encrypt filesystems fsck"

Then, rebuild all initramfs as follows:

sudo mkinitcpio -P

Step 6.1.2: For Ubuntu, Debian, and Derivatives

Add entry in /etc/crypttab

echo "cryptswap     UUID=$UUID_SWAP     none    luks" | sudo tee -a /etc/crypttab

Step 6.2: Resuming From Hibernation Using the Swap Partition

Step 6.2.1: For Manjaro, Arch Linux, and Derivatives

It is possible to instruct the kernel which encrypted partition to unlock and resume from through the rd.luks.name and resume directives respectively.

These should be added on the line starting with GRUB_CMDLINE_LINUX_DEFAULT (within the double quotes) in the /etc/default/grub file.

It is possible to achieve this automatically by issuing this sed command:

sudo sed -i "s/^GRUB_CMDLINE_LINUX_DEFAULT=\"/GRUB_CMDLINE_LINUX_DEFAULT=\"rd.luks.name=${UUID_SWAP}=cryptswap resume=\/dev\/mapper\/cryptswap /" /etc/default/grub

Because we had a shell variable $UUID_SWAP earlier, it will be expanded automatically, and this is what sed added in my case:

rd.luks.name=fe534432-7951-42a5-b535-703aa51da471=cryptswap resume=/dev/mapper/cryptswap

For example, on my setup the complete modified line in the /etc/default/grub file looks like this:

GRUB_CMDLINE_LINUX_DEFAULT="rd.luks.name=fe534432-7951-42a5-b535-703aa51da471=cryptswap resume=/dev/mapper/cryptswap quiet splash apparmor=1 security=apparmor udev.log_priority=3"

Then, run these commands for GRUB to use the updated configuration:

sudo update-grub
sudo grub-mkconfig

Step 6.2.2: For Ubuntu, Debian, and Derivatives

Edit the /etc/initramfs-tools/conf.d/resume file. Replace the existing RESUME line with the following line:

RESUME=/dev/mapper/cryptswap

If the file does not exist, create it with only that line.

Rebuild all initramfs:

sudo update-initramfs -u -k all

Step 6.3: Persist the Encrypted Swap Partition Between Reboots

Add entry in /etc/fstab by running this command:

echo "/dev/mapper/cryptswap	    none	swap	defaults 0 0" | sudo tee -a /etc/fstab

poweroff

Afterwards, you can hibernate the system through the GUI or by running this command in the Terminal:

systemctl hibernate

You can still also do a normal shutdown if you don’t want to hibernate every time.

Conclusion

From now on, you should see a prompt to enter a passphrase for unlocking the swap partition whenever the computer is turned on. If you have other encrypted partitions (e.g /home) with the same password, you will be asked to enter the password only once per boot.

Congrats for adding “resume from hibernation” feature on an encrypted swap partition, and more importantly, for making your Linux installation more secure!

# Footnotes

https://wiki.archlinux.org/title/Data-at-rest_encryption

https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#LUKS_on_a_partition

https://wiki.archlinux.org/title/Swap

https://www.man7.org/linux/man-pages/man5/fstab.5.html

https://forum.manjaro.org/t/how-to-rebuild-initramfs/65945/3

https://wiki.archlinux.org/title/Dm-crypt/System_configuration#crypttab

https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption

https://wiki.archlinux.org/title/Power_management

https://help.ubuntu.com/community/EnableHibernateWithEncryptedSwap

https://superuser.com/a/1499074