blob: 6ca341a324b2f0404fdac25f36268f697149eafa (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
|
## cryptsetup open $swap_device $crypt_swap_name
## get uuid using e.g. lsblk -f
swap_device=/dev/disk/by-uuid/2788eb78-074d-4424-9f1d-ebffc9c37262
crypt_swap_name=cryptswap
## unlock_method can be either password, keyfile or keyfile_raw
## keyfile will use the keyfile_device and keyfile_filename to unlock the swap
## keyfile_raw will use the keyfile_device and keyfile_block_number to unlock the swap
## password will prompt for the password to unlock the swap
## if unlock_method is not set, then method is keyfile if keyfile_device and keyfile_filename are set
## otherwise it is password
unlock_method="password"
####### WARNING: There is a risk of data loss when using unlock_method="keyfile"
## You should double-check keyfile_device_mount_options,
## and note that this method is potentially dangerous regardless.
## https://docs.kernel.org/power/swsusp.html
## https://wiki.archlinux.org/title/Dm-crypt/Swap_encryption#busybox-based_initramfs
## keyfile_device is the device that contains the keyfile
## set it to the device that contains the keyfile
## e.g. /dev/mapper/root-device
####### THIS OPTION IS MANDATORY IF unlock_method IS keyfile OR keyfile_raw
keyfile_device=
## keyfile_filename is the path to the keyfile on the keyfile_device
## e.g. /etc/swap.key
####### THIS OPTION IS MANDATORY IF unlock_method IS keyfile
keyfile_filename=
## keyfile_block_number is the block number of the keyfile on the keyfile_device
## e.g. 12345
## on the ext4 filesystem, you can get the block number using
## debugfs $keyfile_device
## extents $keyfile_filename
## the relevant block number will appear under the Physical column in the output
####### THIS OPTION IS MANDATORY IF unlock_method IS keyfile_raw
keyfile_block_number=
## key_size is the size of the key in bytes
## e.g., 4096
## This is the size of the keyfile and should match the actual size of the keyfile.
## You can get the size of the keyfile using: wc -c <keyfile_filename>
## The openswap script will fail if the keyfile is fragmented,
## so keyfile_length should not exceed the filesystem block size.
## For ext4 filesystems, keyfile_length should not exceed 4096 bytes,
## and it SHOULD be greater than ~200 bytes to avoid inode inlining.
####### THIS OPTION IS MANDATORY IF unlock_method IS keyfile_raw
keyfile_length=4096
## additional arguments are given to mount for keyfile_device
## has to start with --options
## it is important to use the correct options for your filesystem
## to prevent any writes to the keyfile device and thus
## minimize the risk of data loss
#keyfile_device_mount_options="--options=subvol=__active/__"
keyfile_device_mount_options="--options=ro,noload"
## additional arguments are given to cryptsetup
## --allow-discards options is desired in case swap is on SSD partition
cryptsetup_options="--type luks"
|