[Bug 397411] New: Hibernation won't work with encrypted root/home
https://bugzilla.novell.com/show_bug.cgi?id=397411
Summary: Hibernation won't work with encrypted root/home
Product: openSUSE 11.0
Version: RC 1
Platform: x86
OS/Version: openSUSE 11.0
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: freeform.reform@gmail.com
QAContact: qa@suse.de
Found By: Other

11.0 lets you encrypt root / home. If done so, hibernation doesn't work as the hibernation file is not decrypted (screen goes blank).

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
Andreas Jaeger
User seife@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=397411#c1
Stefan Seyfried
User freeform.reform@gmail.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=397411#c2
--- Comment #2 from Peter Keenig
User seife@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=397411#c3
--- Comment #3 from Stefan Seyfried
User seife@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=397411#c4
--- Comment #4 from Stefan Seyfried
User seife@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=397411#c5
Stefan Seyfried
User freeform.reform@gmail.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=397411#c6
--- Comment #6 from Peter Keenig
User pavel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=397411#c7
--- Comment #7 from Pavel Machek
User freeform.reform@gmail.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=397411#c8
--- Comment #8 from Peter Keenig
User pavel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=397411#c9
Pavel Machek
User seife@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=397411#c10
Stefan Seyfried
User freeform.reform@gmail.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=397411#c11
--- Comment #11 from Peter Keenig
User seife@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=397411#c12
Stefan Seyfried
> Second, no my remark is, that IF I encrypt root and home (as offered by the installer now,
Actually I was not able to install an encrypted root with YaST. I tried the installation from the Live-CD.
> So it's more like "option to encrypt root/home breaks hibernation functionality" (since I can only hibernate to root, correct?).
No. It should work perfectly fine with encrypted root/home, as long as swap is not encrypted.
> That swap itself should be encrypted as well would probably be more an "additional feature request". But if hibernation would work on encrypted partitions, the hibernation file itself would already be encrypted and thus not be able to leak information.
The normal setup does not use a "hibernation file". It uses the swap partition.
> I'm not 100% sure but I think Fedora 9 somehow solved the problem of hibernating to an encrypted partition, at least the corresponding bug report has been closed: https://bugzilla.redhat.com/show_bug.cgi?id=247794
Yes, Fedora apparently handles encrypted swap partitions differently and activates them from initrd before mounting the rootfs. However, I am not sure if it is worth the effort, since we can do encrypted suspend just fine (I will think about implementing an additional "suspend partition" that is only used for suspend, so that the "normal" swap partition can still be encrypted).
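Added example, not part of the original thread or of openSUSE's tooling: a check that tells apart the setups discussed in the comment above (resume from a swap device that is not encrypted, resume from an encrypted mapping that the initrd has to open first, and swap keyed freshly at every boot, which cannot hold a resumable image). It assumes the usual four-column crypttab layout and the `resume=` kernel parameter; the function names, result labels and sample contents are constructed for illustration.

```python
# Added example: classify the device named by resume= against crypttab.
# CRYPTTAB below is a constructed sample, not taken from the bug report.

RANDOM_KEYS = {"/dev/urandom", "/dev/random"}


def parse_crypttab(text):
    """Return {mapped_name: (source_device, key_field)} from crypttab text."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 2:
            key = fields[2] if len(fields) > 2 else "none"
            entries[fields[0]] = (fields[1], key)
    return entries


def resume_device(cmdline):
    """Return the value of the resume= kernel parameter, or None."""
    for token in cmdline.split():
        if token.startswith("resume="):
            return token[len("resume="):]
    return None


def classify_resume(cmdline, crypttab_text):
    """Label the resume device: not encrypted, unlockable, or unusable."""
    dev = resume_device(cmdline)
    if dev is None:
        return "no-resume-device"
    crypt = parse_crypttab(crypttab_text)
    if any(dev == source for source, _ in crypt.values()):
        # resume= names the ciphertext container, not the opened mapping.
        return "points-at-encrypted-container"
    name = dev[len("/dev/mapper/"):] if dev.startswith("/dev/mapper/") else None
    if name in crypt:
        # A per-boot random key makes the saved image unreadable after reboot.
        if crypt[name][1] in RANDOM_KEYS:
            return "encrypted-random-key"
        return "encrypted-needs-initrd-unlock"
    # No crypttab entry covers the device (an LVM volume on an encrypted PV
    # would need a further check); any protection of the image must then
    # come from the suspend tool itself.
    return "device-not-encrypted"


CRYPTTAB = """\
# constructed sample
cr_home  /dev/sda3  none          none
cr_swap  /dev/sda2  /dev/urandom  swap
"""
```
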
User freeform.reform@gmail.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=397411#c13
--- Comment #13 from Peter Keenig
> The normal setup does not use a "hibernation file". It uses the swap partition.
So the system per default hibernates to the swap partition, correct? You said I could do encrypted hibernation. How would one accomplish that? http://en.opensuse.org/S2disk doesn't mention anything about it.
> Actually I was not able to install an encrypted root with YaST. I tried the installation from the Live-CD.
I think it is only implemented in the "normal" setup.
BTW: Does this issue become any easier if one would use a LVM setup with an unencrypted /boot partition?
User seife@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=397411#c14
--- Comment #14 from Stefan Seyfried
> but in #12 you said
> > The normal setup does not use a "hibernation file". It uses the swap partition.
> So the system per default hibernates to the swap partition, correct? You said I could do encrypted hibernation. How would one accomplish that? http://en.opensuse.org/S2disk doesn't mention anything about it.
Yes, the s2disk documentation on openSUSE.org is actually written by somebody else (and it is plain wrong), I need to revise it.
> > Actually I was not able to install an encrypted root with YaST. I tried the installation from the Live-CD.
> I think it is only implemented in the "normal" setup.
I now installed from the RC3 BiArch DVD and it still does not let me encrypt the root partition. If that works, suspending and resuming from a swapfile inside the encrypted root partition might actually be quite easy, but I am not able to get it working. Do you have a pointer to documentation about that? (Sorry, I don't know too much about encryption setup, as you obviously already might have guessed ;)
> BTW: Does this issue become any easier if one would use a LVM setup with an unencrypted /boot partition?
It does not really matter. As long as the initrd asks for the credentials of the swap or root partition, this is all pretty easy. But I don't think that our initrd does this (I actually don't know).
> I now installed from the RC3 BiArch DVD and it still does not let me encrypt the root partition. If that works, suspending and resuming from a swapfile inside the encrypted root partition might actually be quite easy, but I am not able to get it working.
I just realized - encrypting root in the setup doesn't work. http://en.opensuse.org/Testing:Features_11.0#Support_root_on_encrypted_files...
User freeform.reform@gmail.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=397411#c15
--- Comment #15 from Peter Keenig
> It does not really matter. As long as the initrd asks for the credentials of the swap or root partition, this is all pretty easy. But I don't think that our initrd does this (I actually don't know).
It's just that I had read http://kde.blogsite.org/?q=node/13 where the person explained that if you set up /boot unencrypted and then all other partitions encrypted in LVM, hibernate/resume would work without modifying the init script (although this description is for Debian).
User funtasyspace@yahoo.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=397411#c16
--- Comment #16 from Jörg Hermsdorf
Stefan Seyfried
Stefan Seyfried
User pavel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=397411#c19
--- Comment #19 from Pavel Machek
User dbailey@datanetworks.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=397411#c20
David Bailey
User seife@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=397411#c21
--- Comment #21 from Stefan Seyfried
User jiivee@iki.fi added comment
https://bugzilla.novell.com/show_bug.cgi?id=397411#c22
Juha Virtanen