Announcement

**gfunk** · 05 May 2022, 06:46 AM

good to see.. I think a lot of people are using unencrypted swap partitions for hibernation

also be nice to see an easier way to setup the unlocking of an encrypted drive via TPM although I guess this is down to how/if distros offer it

**Old Grouch** · 05 May 2022, 07:11 AM

I use two partitions on my SSD - a non-encrypted ESP, and a LUKS encrypted partition which contains LVM encrypted volumes, including /boot. One of the LVM volumes is swap. So my hibernate is encrypted.

I'm obviously ignorant of the benefits of Google's approach here: could someone outline the benefits compared to my set-up?

**bzs0** · 05 May 2022, 07:19 AM

Love to see this change. I already do hibernation to encrypted swap based on TPM but it took a while to figure out. An automatic way to set it up and rejection of resuming from unencrypted snapshot would boost ease of use and confidence.

Originally posted by gfunk View Post

an easier way to setup the unlocking of an encrypted drive via TPM

`systemd-cyrptenroll` might be what you're looking for, for generic partitions. Should be offered by most up-to-date distros

**archkde** · 05 May 2022, 07:40 AM

Originally posted by Old Grouch View Post

I use two partitions on my SSD - a non-encrypted ESP, and a LUKS encrypted partition which contains LVM encrypted volumes, including /boot. One of the LVM volumes is swap. So my hibernate is encrypted.

I'm obviously ignorant of the benefits of Google's approach here: could someone outline the benefits compared to my set-up?

As already stated in the article, Google wants a hibernation implementation that makes it impossible for malicious userspace to tamper with the kernel itself. Concretely, with your approach (which, coincidentally, I happen to use myself as well), userspace may write a malicious hibernation image which can be used to inject unauthorized code into the kernel on resume.
Now, malicious userspace already has the potential to do pretty much all damage it may want to (including stealing and/or wiping your data), I'm not convinced of the direct benefits for regular desktop use-cases. An indirect benefit may be that hibernation may finally work with integrity lockdown enabled, which includes by default most distributions on Secure Boot systems.

**schmidtbag** · 05 May 2022, 08:11 AM

Encrypted hibernation isn't something I ever thought about but it is a good idea.

**darkbasic** · 05 May 2022, 08:58 AM

Finally, this was much needed.

**ClosedSource** · 05 May 2022, 09:12 AM

Originally posted by schmidtbag View Post

Encrypted hibernation isn't something I ever thought about but it is a good idea.

A necessity. Try running "strings /dev/your/swap".

**anarki2** · 05 May 2022, 11:01 AM

They might as well fix unencrypted hibernation first. It literally never ever worked for me.

**waxhead** · 05 May 2022, 12:40 PM

Originally posted by anarki2 View Post

They might as well fix unencrypted hibernation first. It literally never ever worked for me.

Apparently hibernate to multiple smaller swap devices is a no-go for some reason. Could this be your problem too? Try one large swap device and see if it works for you.

Announcement

Google Working On Linux Encrypted Hibernation Support

Google Working On Linux Encrypted Hibernation Support

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment