[Bug 1066342] Re: Reinstalling over a previous installation with encrypted swap displays a "Continue without swap" warning dialog

John Gilmore 1066342 at bugs.launchpad.net
Thu May 28 04:25:52 UTC 2015 

This is not fixed in Ubuntu-Gnome 14.04.2 LTS.

I recently installed Ubuntu-Gnome 14.04.2 LTS on a few machines and
invented a workaround.  The script that sets up encrypted swap (/usr/bin
/ecryptfs-setup-swap) should first do a mkswap on the partition (if it
isn't already set up), then use the "offset=" parameter in crypttab to
avoid clobbering the first bytes of the swap partition.  I set it to
2048 (512-byte blocks, totaling 1MB) because megabyte alignment of
partitions is now the default for avoiding performance issues in disk
drives with various physical block sizes, yet losing only 1 megabyte
from a swap partition is a tiny fraction of a modern swap partition, and
thus easily tolerable.

My crypttab currently reads:
cryptswap1 UUID=b742ddee-4f75-4826-9c43-2a08778560d4 /dev/urandom swap,cipher=aes-xts-plain64:sha256,size=512,offset=2048

The relevant change is "offset=2048" on the end.

This does not allow the installer to automatically detect swap from a PREVIOUSLY encrypted swap partition that starts at offset=0.  But if the installer starts doing this now, FUTURE installers will be able to see the swap partition as a swap partition,
and can use it either encrypted or not.

Also, this allows the swap partition to be detected via its UUID.  When encrypted with the offset defaulting to zero, it encrypts
the UUID, puts the UUID into crypttab, and then subsequent reboots cannot find the swap partition.

One additional change is in this crypttab for your consideration:  I
changed from the default cipher to aes-xts-plain64 (and the key size
from 256 to 512) because the dm-crypt documentation says it's a better
choice than the default.

I also recommend that the installer provide a checkbox to allow users to
encrypt their swap partition even if they don't encrypt their file
systems or drives.  This is because active keys and other valuable data
needing protection often exist in process address spaces that get
written to the swap partition.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubiquity in Ubuntu.
https://bugs.launchpad.net/bugs/1066342

Title:
  Reinstalling over a previous installation with encrypted swap displays
  a "Continue without swap" warning dialog

Status in ubiquity package in Ubuntu:
  Confirmed

Bug description:
  Quantal Desktop 20121012.3

  TEST CASE
  1. Install Ubuntu once with the 'Encrypt home directory' option selected in user setup
  2. Install it a second time, and in partman select "Reinstall Ubuntu 12.10"

  ACTUAL RESULT
  A warning dialog "Continue without swap" is displayed. 
  So the user can:
  1. Reinstall but without swap
  2. Use the manual partitioner but then he cannot reinstall
  3. Format the swap space manually which is a highly technical task.

  ProblemType: Bug
  DistroRelease: Ubuntu 12.10
  Package: ubiquity (not installed)
  ProcVersionSignature: Ubuntu 3.5.0-17.28-generic 3.5.5
  Uname: Linux 3.5.0-17-generic x86_64
  ApportVersion: 2.6.1-0ubuntu3
  Architecture: amd64
  Date: Sat Oct 13 18:55:14 2012
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: ubiquity
  UpgradeStatus: Upgraded to quantal on 2012-01-31 (255 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ubiquity/+bug/1066342/+subscriptions

More information about the foundations-bugs mailing list