Encrypted swap on external disk


admi...@gmail.com

May 24, 2016, 4:23:50 PM
to qubes-users
Hi,
I would like to have an encrypted swap on an external disk with a randomly generated key on every boot. And..
There's one problem. The Template VM has only /dev/xvdc as swap memory, but AppVMs have /dev/xvdc, which is partitioned into /dev/xvdc1 (1GB swap) and /dev/xvdc2.
So when I set up /dev/xvdc in /etc/crypttab, it means that the AppVM can't boot. The AppVM can't decrypt and mount that disk.
I can use /dev/xvdc1, but I'm afraid that then Template VMs wouldn't start.
Apart from this, I would like to have at least 8GB of swap.
I'm hoping that a symlink from volatile.img (is it a swap file?) to the external drive will work.

Can anybody tell me how to get it?

Another way, which would be enough for me, is that Qubes has one big swap, but I'd prefer the first option because this one could cause a problem while booting Qubes when something goes wrong with my second drive.

Regards
Adrian

Vít Šesták

May 26, 2016, 12:40:00 PM
to qubes-users, admi...@gmail.com
Well, there is a volatile partition (seemingly /dev/xvdc) that contains a 1GiB swap and modifications to the root filesystem. It is backed by the volatile.img file. The symlink approach (provided that you link them to a partition with a temporary per-boot key) will essentially do the job, except that you have to recreate the symlinks at the right time. (The encryption key is discarded after shutdown of the whole VM, though.) Moreover, you have to skip DVMs, because they need the volatile.img file.

So, I've modified some script that is responsible for volatile.img creation. The modification works on Qubes 3.0 and might need some adjustment for 3.1. See https://github.com/QubesOS/qubes-issues/issues/1527 for more details.

The size of the swap is (or used to be) hardcoded in the script for creating volatile.img. In 3.1, you might also need some adjustment of the initramfs of the particular AppVM, because the partitioning script has been moved there.

Note that modification of those scripts implies that you need to reapply them after some system updates unless they are upstreamed.

Regards,
Vít Šesták 'v6ak'
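As an added example (not code from either poster, and not part of Qubes), a POSIX sh helper that writes the crypttab and fstab lines for a swap mapping keyed from /dev/urandom on every boot, and refuses the /dev/xvdc volatile device that the thread shows AppVMs partition themselves; the mapping name cswap, the cipher options, and the /dev/xvdi1 device in the usage comment are assumptions.

```shell
#!/bin/sh
# Append crypttab/fstab entries for a swap device keyed from /dev/urandom
# at each boot. File paths are parameters so the function can be tried on
# scratch copies before touching the real /etc files.
# Assumptions (not from the thread): the mapping name defaults to "cswap",
# and aes-xts-plain64 with a 256-bit key is an acceptable cipher choice.
add_random_swap_entries() {
  crypttab="$1"; fstab="$2"; dev="$3"; name="${4:-cswap}"
  # The thread reports that AppVMs repartition /dev/xvdc (the volatile disk)
  # and fail to boot when it is claimed by crypttab, so never accept it here.
  case "$dev" in
    /dev/xvdc*) echo "refusing to use volatile device $dev" >&2; return 1 ;;
  esac
  # crypttab format: <name> <source> <key> <options>. Reading the key from
  # /dev/urandom plus the "swap" option makes cryptsetup run mkswap on the
  # fresh mapping every boot, so nothing persists across reboots.
  ct_line="$name $dev /dev/urandom swap,cipher=aes-xts-plain64,size=256"
  fs_line="/dev/mapper/$name none swap sw 0 0"
  # Idempotent: append each line only if an identical one is not present.
  grep -qxF -- "$ct_line" "$crypttab" 2>/dev/null || printf '%s\n' "$ct_line" >>"$crypttab"
  grep -qxF -- "$fs_line" "$fstab" 2>/dev/null || printf '%s\n' "$fs_line" >>"$fstab"
}
# Usage on a real system (device name is an assumption):
#   add_random_swap_entries /etc/crypttab /etc/fstab /dev/xvdi1
```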