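## Settings for unlocking an encrypted swap device in the initramfs.
## The device is opened with:
##   cryptsetup open $swap_device $crypt_swap_name

## swap_device is the encrypted block device.
## Prefer a stable /dev/disk/by-uuid/ path over /dev/sdXN, which can change
## between boots. Get the UUID using e.g. lsblk -f
swap_device="/dev/disk/by-uuid/2788eb78-074d-4424-9f1d-ebffc9c37262"

## crypt_swap_name is the device-mapper name given to the opened device.
crypt_swap_name="cryptswap"

## unlock_method can be either password, keyfile or keyfile_raw
##   keyfile     will use the keyfile_device and keyfile_filename to unlock the swap
##   keyfile_raw will use the keyfile_device and keyfile_block_number to unlock the swap
##   password    will prompt for the password to unlock the swap
## If unlock_method is not set, then the method is keyfile if keyfile_device
## and keyfile_filename are set; otherwise it is password.
unlock_method="password"

####### WARNING: There is a risk of data loss when using unlock_method="keyfile"
## This method mounts keyfile_device to read the keyfile. If the system then
## resumes from hibernation, any write made to that filesystem by the mount
## can corrupt it (see the kernel link below).
## You should double-check keyfile_device_mount_options,
## and note that this method is potentially dangerous regardless.
## https://docs.kernel.org/power/swsusp.html
## https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption#busybox-based_initramfs

## keyfile_device is the device that contains the keyfile
## e.g. /dev/mapper/root-device
## The keyfile is only as well protected as this device: keep it on an
## encrypted volume and make the file readable by root only.
####### THIS OPTION IS MANDATORY IF unlock_method IS keyfile OR keyfile_raw
keyfile_device=""

## keyfile_filename is the path to the keyfile on the keyfile_device
## e.g. /etc/swap.key
####### THIS OPTION IS MANDATORY IF unlock_method IS keyfile
keyfile_filename=""

## keyfile_block_number is the block number of the keyfile on the keyfile_device
## e.g. 12345
## On the ext4 filesystem, you can get the block number using
##   debugfs $keyfile_device
##   extents $keyfile_filename
## The relevant block number will appear under the Physical column in the output.
## NOTE(review): the physical block presumably changes if the keyfile is
## rewritten or the filesystem is restored from backup - re-check it then.
####### THIS OPTION IS MANDATORY IF unlock_method IS keyfile_raw
keyfile_block_number=""

## keyfile_length is the size of the key in bytes
## e.g., 4096
## This is the size of the keyfile and should match the actual size of the keyfile.
## You can get the size of the keyfile using: wc -c <keyfile>
## The openswap script will fail if the keyfile is fragmented,
## so keyfile_length should not exceed the filesystem block size.
## For ext4 filesystems, keyfile_length should not exceed 4096 bytes,
## and it SHOULD be greater than ~200 bytes to avoid inode inlining.
####### THIS OPTION IS MANDATORY IF unlock_method IS keyfile_raw
keyfile_length=4096

## keyfile_device_mount_options holds additional arguments given to mount
## for keyfile_device. It has to start with --options
## It is important to use the correct options for your filesystem
## to prevent any writes to the keyfile device and thus
## minimize the risk of data loss.
## On ext4, "ro" alone is not enough: a read-only mount can still replay the
## journal, which writes to the device; "noload" skips the journal replay.
## The commented example below selects a subvolume and does NOT mount
## read-only; add "ro" to it if you use it.
#keyfile_device_mount_options="--options=subvol=__active/__"
keyfile_device_mount_options="--options=ro,noload"

## cryptsetup_options holds additional arguments given to cryptsetup.
## The --allow-discards option is desired in case swap is on an SSD partition.
## Security trade-off: discards pass through the encryption layer, so an
## observer of the raw device can tell which blocks are unused. Enable it
## only if that information leak is acceptable.
cryptsetup_options="--type luks"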