Encrypted swap support
I'd like to use a LUKS encrypted swap. I'd want to use the same passphrase as my main partition, so that I can type just one passphrase during system startup.
As far as I understand, it should be possible to:
- prompt for the encryption password for the root partition
- inject the passphrase as a token into the kernel keyring before calling crypt_activate_by_passphrase
- then try to unlock the swap partition with that token: cryptsetup-open --token-only ...
- if that worked, then swap is unlocked
- if that failed, then fall back to asking for passphrase
See also cryptsetup-token(8). Notably:
    --token-only
        Do not proceed further with action if token based keyslot unlock failed. Without the option, action asks for passphrase to proceed further.
        It allows LUKS2 tokens protected by PIN to take precedence over interactive keyslot passphrase prompt.
Edited by Hugo Barrera
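The flow proposed in the issue above, sketched with the `cryptsetup` and `keyctl` command-line tools as an added example (not part of the original post and not the project's code). It assumes the swap volume is LUKS2 with a keyring token already registered; the key description `swap-unlock` and the choice of the `@u` keyring are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. KEY_DESC and KEYRING are assumed names, not from the issue.
KEY_DESC="${KEY_DESC:-swap-unlock}"  # hypothetical key description
KEYRING="${KEYRING:-@u}"             # assumption: cryptsetup can find keys here

# One-time setup as root, binding a luks2-keyring token to the swap header:
#   cryptsetup token add --key-description "$KEY_DESC" <swap device>

# Store the passphrase, without a trailing newline, as a "user" key.
cache_passphrase() {
    printf '%s' "$1" | keyctl padd user "$KEY_DESC" "$KEYRING"
}

# Unlink the cached key so the passphrase does not stay in the keyring.
forget_passphrase() {
    key_id=$(keyctl search "$KEYRING" user "$KEY_DESC" 2>/dev/null) || return 0
    keyctl unlink "$key_id" "$KEYRING" >/dev/null
}

# unlock_swap DEVICE NAME: prints "token" or "prompt"; fails if neither works.
unlock_swap() {
    if cryptsetup open --token-only "$1" "$2" 2>/dev/null; then
        echo token
    elif cryptsetup open "$1" "$2"; then   # interactive passphrase fallback
        echo prompt
    else
        return 1
    fi
}

# boot_unlock ROOT_DEV ROOT_NAME SWAP_DEV SWAP_NAME PASSPHRASE
boot_unlock() {
    cache_passphrase "$5" >/dev/null || return 1
    # "--key-file -" reads the passphrase from stdin, keeping it out of argv.
    if ! printf '%s' "$5" | cryptsetup open --key-file - "$1" "$2"; then
        forget_passphrase
        return 1
    fi
    if how=$(unlock_swap "$3" "$4"); then rc=0; else rc=1; fi
    forget_passphrase
    [ "$rc" -eq 0 ] || return 1
    echo "$how"
}
```

The cached key is unlinked on every exit path, so the passphrase sits in the keyring only for the duration of the two unlock attempts.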