Zum Inhalt

Schlagwort: unlock

How to hibernate and resume from swap file in Ubuntu 20.04 using full disk encryption

On my laptop, I am running full disk encryption (LUKS with a single encrypted ext4 partition), and a single, large swap file as large as my system RAM (16GB).

Here's how to make it work:

Make your swapfile have at least the size of your systems RAM:

sudo swapoff /swapfile
sudo dd if=/dev/zero of=/swapfile bs=$(cat /proc/meminfo | grep MemTotal | grep -oh '[0-9]*') count=1024 conv=notrunc
sudo mkswap /swapfile
sudo swapon /swapfile

Note the UUID of the partiton containing your swapfile:

$ sudo findmnt -no SOURCE,UUID -T /swapfile
/dev/nvme0n1p5 20562a02-cfa6-42e0-bb9f-5e936ea763d0

Reconfigure the package uswsusp correctly:

sudo apt -y install uswsusp
sudo dpkg-reconfigure -pmedium uswsusp
# Answer "Yes" to continue without swap space
# Select "/dev/disk/by-uuid/20562a02-cfa6-42e0-bb9f-5e936ea763d0" replace the UUID with the result from the previous findmnt command
# Encrypt: "No"

Edit the SystemD hibernate service using sudo systemctl edit systemd-hibernate.service and fill it with the following content:

ExecStartPre=-/bin/run-parts -v -a pre /lib/systemd/system-sleep
ExecStartPost=-/bin/run-parts -v --reverse -a post /lib/systemd/system-sleep

Note the offset of your swapfile relative to the partition start:

$ sudo swap-offset /swapfile
resume offset = 34818

Tell grub to resume by editiing your etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="resume=UUID=20562a02-cfa6-42e0-bb9f-5e936ea763d0 resume_offset=34818 quiet splash"

Update grub:

sudo update-grub

Create /etc/initramfs-tools/conf.d/resume

RESUME=UUID=20562a02-cfa6-42e0-bb9e-5e936ea763d0 resume_offset=34816
# Resume from /swapfile

Update initramfs:

sudo update-initramfs -u -k all

Now you can just hibernate your system with

sudo systemctl hibernate

Unlock your /home partition and other volumes with cryptsetup on boot (Ubuntu 17.10 / systemd)

With Ubuntu 17.10 using systemd 234-2ubuntu12.1 (as of me writing this) you cannot just do it the obvious way:

This will create lines and/or keyfiles in /etc/crypttab, which systemd happily ignores. At least the unit-files systemd will generate on the fly will fail.

The way to do it, is adding the correct kernel boot parameters luks.uuid= and luks.options= lines to your grub config file.

For Ubuntu, i had to change /etc/default/grub from



GRUB_CMDLINE_LINUX="luks.uuid=c142f353-fbe8-4965-931e-c9b1e9503fcd luks.uuid=91d55cef-d26c-4e42-8d97-c17a8df79c58 luks.options=timeout=90s"

Fun fact: if you leave out the timeout specification, systemd will simply not ask for the password, stating the timeout expired ^_^

After changing the file, run

sudo update-grub

Leave a Comment