Diffstat (limited to 'linhes/mkinitcpio-openswap/openswap.conf')
| -rw-r--r-- | linhes/mkinitcpio-openswap/openswap.conf | 55 |
1 files changed, 50 insertions, 5 deletions
diff --git a/linhes/mkinitcpio-openswap/openswap.conf b/linhes/mkinitcpio-openswap/openswap.conf
index b7e92e0..6ca341a 100644
--- a/linhes/mkinitcpio-openswap/openswap.conf
+++ b/linhes/mkinitcpio-openswap/openswap.conf
@@ -3,15 +3,60 @@ swap_device=/dev/disk/by-uuid/2788eb78-074d-4424-9f1d-ebffc9c37262 crypt_swap_name=cryptswap -## one can optionally provide a keyfile device and path on this device -## to the keyfile -keyfile_device=/dev/mapper/cryptroot -keyfile_filename=etc/keyfile-cryptswap +## unlock_method can be either password, keyfile or keyfile_raw +## keyfile will use the keyfile_device and keyfile_filename to unlock the swap +## keyfile_raw will use the keyfile_device and keyfile_block_number to unlock the swap +## password will prompt for the password to unlock the swap +## if unlock_method is not set, then method is keyfile if keyfile_device and keyfile_filename are set +## otherwise it is password +unlock_method="password" +####### WARNING: There is a risk of data loss when using unlock_method="keyfile" +## You should double-check keyfile_device_mount_options, +## and note that this method is potentially dangerous regardless. +## https://docs.kernel.org/power/swsusp.html +## https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption#busybox-based_initramfs + + +## keyfile_device is the device that contains the keyfile +## set it to the device that contains the keyfile +## e.g. /dev/mapper/root-device +####### THIS OPTION IS MANDATORY IF unlock_method IS keyfile OR keyfile_raw +keyfile_device= + +## keyfile_filename is the path to the keyfile on the keyfile_device +## e.g. /etc/swap.key +####### THIS OPTION IS MANDATORY IF unlock_method IS keyfile +keyfile_filename= + +## keyfile_block_number is the block number of the keyfile on the keyfile_device +## e.g. 
12345 +## on the ext4 filesystem, you can get the block number using +## debugfs $keyfile_device +## extents $keyfile_filename +## the relevant block number will appear under the Physical column in the output +####### THIS OPTION IS MANDATORY IF unlock_method IS keyfile_raw +keyfile_block_number= + +## key_size is the size of the key in bytes +## e.g., 4096 +## This is the size of the keyfile and should match the actual size of the keyfile. +## You can get the size of the keyfile using: wc -c <keyfile_filename> +## The openswap script will fail if the keyfile is fragmented, +## so keyfile_length should not exceed the filesystem block size. +## For ext4 filesystems, keyfile_length should not exceed 4096 bytes, +## and it SHOULD be greater than ~200 bytes to avoid inode inlining. +####### THIS OPTION IS MANDATORY IF unlock_method IS keyfile_raw +keyfile_length=4096 ## additional arguments are given to mount for keyfile_device -## has to start with --options (if so desired) +## has to start with --options +## it is important to use the correct options for your filesystem +## to prevent any writes to the keyfile device and thus +## minimize the risk of data loss #keyfile_device_mount_options="--options=subvol=__active/__" +keyfile_device_mount_options="--options=ro,noload" ## additional arguments are given to cryptsetup ## --allow-discards options is desired in case swap is on SSD partition cryptsetup_options="--type luks" + |
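Review bot: The comment block above `keyfile_length=4096` introduces the setting as `key_size` ("key_size is the size of the key in bytes") while the variable itself and the later comment lines use `keyfile_length`, so the documentation names a key that does not exist; the first line should read `## keyfile_length is the size of the keyfile in bytes`. The new default `keyfile_device_mount_options="--options=ro,noload"` is now active rather than commented out, and `noload` is an ext3/ext4 mount option, so on another filesystem the keyfile mount would presumably fail at boot; a line such as `## ro,noload applies to ext3/ext4; use the read-only, no-journal-replay equivalent for your filesystem` above it would make that explicit. The keyfile_raw comments could also state that `keyfile_block_number` has to be re-checked whenever the keyfile is rewritten or moved, since a stale block number would presumably make the unlock read unrelated data.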
