Persistently encrypted swap seems to be supported

[tie-ling]

I use systemctl sleep, which invokes suspend-then-hibernate by default. This is useful in preventing data loss, when laptop battery reaches 5% while suspended-to-RAM.

In master branch, inside lib/types/swap.nix, it remarks, " TODO: we don't support encrypted swap yet". It seems that, at least NixOS configuration generation is well supported. I tested the following config, and it Just Works with systemctl hibernate. Everything is resumed upon next boot.

{
  # see https://github.com/nix-community/disko/tree/master/example
  disko.devices = {
    disk = {
      main = {
        type = "disk";
        content = {
          type = "gpt";
          partitions = {
            # gpt-bios-compat
            boot = {
              size = "1M";
              type = "EF02"; # for grub MBR
            };
            ESP = {
              size = "1024M";
              type = "EF00";
              content = {
                type = "filesystem";
                format = "vfat";
                mountpoint = "/boot";
                mountOptions = [ "umask=0077" ];
              };
            };
            encryptedSwap = {
              # for hibernation (suspend to disk)
              # should be no less than RAM size
              size = "8G";
              content = {
                type = "luks";
                name = "cryptedSwap";
                settings.allowDiscards = true;
                # do not use keyFile
                # as keyFile will need to be within initrd in /boot
                # which is unencrypted
                # systemd initrd will reuse password for /,
                # if passwd for swap and / are the same
                passwordFile = "/tmp/secret.key";
                content = {
                  type = "swap";
                  resumeDevice = true;
                  randomEncryption = false;
                };
              };
            };
            luks = {
              size = "100%";
              content = {
                type = "luks";
                name = "crypted";
                settings.allowDiscards = true;
                passwordFile = "/tmp/secret.key";
                content = {
                  type = "filesystem";
                  format = "xfs";
                  mountpoint = "/";
                };
              };
            };
          };
        };
      };
    };
  };
}

It remains to be seen, whether automated partitioning during NixOS installation works. I do not have an opportunity to test this at the moment.

[tie-ling]

Background information:

from systemd-sleep.conf(5):

suspend-then-hibernate

A low power state where the system is initially suspended (the state is stored in RAM). When the battery level is too low (less than 5%) or a certain timespan has passed, whichever happens first, the system is automatically woken up and then hibernated. This establishes a balance between speed and safety.

from logind.conf(5)

SleepOperation=

Takes a list of sleep operations. Possible values are "suspend", "hibernate", "hybrid-sleep", and "suspend-then-hibernate". Controls the candidate sleep operations for the "sleep" action. When "sleep" action is performed, the specified sleep operations are checked in a fixed order ("suspend-then-hibernate" → "hybrid-sleep" → "suspend" → "hibernate"), and the first one supported by the machine is used to put the system into sleep. Defaults to "suspend-then-hibernate suspend hibernate".

[johanjk]

Your example uses unencrypted swap on an encrypted luks volume.

disko/example/swap.nix

Lines 28 to 35 in 67ff980

	encryptedSwap = {
	size = "10M";
	content = {
	type = "swap";
	randomEncryption = true;
	priority = 100; # prefer to encrypt as long as we have space for it
	};
	};

The above is what is meant by encrypted swap.

As an aside, I would generally suggest running your swap and root file system as part of one luks partition with lvm. This gives you only one encrypted volume on your disk.

Example:

{
  disko.devices = {
    disk = {
      p1 = {
        type = "disk";
        device = "/dev/nvme0n1";
        content = {
          type = "gpt";
          boot = {
            size = "1M";
            type = "EF02";
          };
          ESP = {
            size = "1024M";
            type = "EF00";
            content = {
              type = "filesystem";
              format = "vfat";
              mountpoint = "/boot";
              mountOptions = [ "umask=0077" ];
            };
          };
          luks = {
            priority = 100;
            label = "disk1";
            size = "100%";
            content = {
              type = "luks";
              name = "main_crypted";
              # ...
              content = {
                type = "lvm_pv";
                vg = "pool_main";
              };
            };
          };
        };
      };
    };

    lvm_vg = {
      pool_main = {
        type = "lvm_vg";
        lvs = {
          swap = {
            size = "8G";
            content = {
              type = "swap";
              resumeDevice = true;
            };
          };
          main = {
            size = "100%";
            content = {
              type = "filesystem";
              format = "xfs";
              mountpoint = "/";
            };
          };
        };
      };
    };
  };
}

[tie-ling]

Thanks. But I think the distinction is a bit pedantic, since randomEncryption uses plain dm-crypt volumes.

From cryptsetup(8): The difference is that LUKS uses a metadata header and can hence offer more features than plain dm-crypt. On the other hand, the header is visible and vulnerable to damage.

I prefer not using abstractions on my disk, I was running root on ZFS for a while and the performance really took a hit. System rescue is also a bit more involved. I also prefer to have swap on a separate partition, as opposed to a swapfile, ever since the swapfile debacle back in 2021