Configure hibernation with encrypted (luks) swap partition

Hi,
I have been using EndeavourOS on my laptop for over a year with satisfaction. However, these days I wanted to configure hibernation. I have EOS in dual boot with W11 (no secure boot) on a btrfs partition encrypted with luks; I use grub as bootloader. I use zram for swap (I have 40GB of ram and 16 of swap). So I created a new 50GB partition for swap and encrypted it with luks.
My goal is that this partition is automatically decrypted at boot (obviously after I manually opened the root partition) and that it is used only for hibernation.
I created a key to open the swap partition and added the partition to /etc/crypttab so that it is automatically opened by systemd and I also added it to /etc/fstab.
Then I added to GRUB_CMDLINE_LINUX_DEFAULT resume=UUID=UUID_OF_SWAP_PARTITION
and created the configuration /etc/dracut.conf.d/resume.conf like this:

add_dracutmodules+=" resume crypt "
install_items+=" KEY_OF_SWAP_PARTITION_PATH "

Then I regenerated the initramfs and the grub configuration, but I get this error when I try to hibernate the system:
Call to Hibernate failed: Specified resume device is missing or is not an active swap device
I’m pretty sure that the swap partition is decrypted fine automatically because from swapon --show I get:

NAME TYPE SIZE USED PRIO
/dev/zram0 partition 16G 0B 100
/dev/dm-1 partition 50G 0B -2

where /dev/dm-1 corresponds to /dev/mapper/swap_luks, the mount point of the partition (/dev/mapper/swap_luks and /dev/dm-1 have the same UUID, so I think it’s a simple link.)
What am I doing wrong? How can I get hibernation working?

If it helps here are some logs:

>$ journalctl -b -1 -k | grep -i "resume\\|swap\\|hibernate\\|luks\\|dm-1\\|panic"
giu 02 15:47:25 host kernel: Command line: BOOT_IMAGE=/@/boot/vmlinuz-linux-zen root=UUID=eb80cf8c-c9a5-XXXX-XXXX-7c08272ff5f5 rw rootflags=subvol=@ quiet splash nowatchdog nvme_load=YES rd.luks.uuid=b9c87837-05f4-XXXX-XXXX-51dec062a99b loglevel=3 resume=UUID=5e749008-2986-XXXX-XXXX-6defea28bf4f
giu 02 15:47:25 host kernel: Kernel command line: BOOT_IMAGE=/@/boot/vmlinuz-linux-zen root=UUID=eb80cf8c-c9a5-XXXX-XXXX-7c08272ff5f5 rw rootflags=subvol=@ quiet splash nowatchdog nvme_load=YES rd.luks.uuid=b9c87837-05f4-XXXX-XXXX-51dec062a99b loglevel=3 resume=UUID=5e749008-2986-XXXX-XXXX-6defea28bf4f rd.luks.name=5e749008-2986-XXXX-XXXX-6defea28bf4f=swap_luks
giu 02 15:47:25 host kernel: Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization
giu 02 15:47:25 host kernel: simple-framebuffer simple-framebuffer.0: [drm] Registered 1 planes with drm panic
giu 02 15:47:25 host kernel: zswap: loaded using pool zstd/zsmalloc
giu 02 15:47:25 host systemd[1]: Reached target Swaps.
giu 02 15:49:41 host kernel: BTRFS: device fsid eb80cf8c-c9a5-XXXX-XXXX-7c08272ff5f5 devid 1 transid 276180 /dev/mapper/luks-b9c87837-05f4-XXXX-XXXX-51dec062a99b (253:0) scanned by mount (752)
giu 02 15:46:26 host systemd[1]: Reached target Block Device Preparation for /dev/mapper/luks-b9c87837-05f4-XXXX-XXXX-51dec062a99b.
giu 02 15:46:26 host systemd[1]: Reached target Block Device Preparation for /dev/mapper/swap_luks.
giu 02 15:46:26 host systemd[1]: Activating swap /dev/mapper/swap_luks...
giu 02 15:46:26 host systemd[1]: Clear Stale Hibernate Storage Info was skipped because of an unmet condition check (ConditionPathExists=/sys/firmware/efi/efivars/HibernateLocation-8cf2644b-4b0b-XXXX-XXXX-6d876050dc67).
giu 02 15:46:26 host kernel: Adding 52426748k swap on /dev/mapper/swap_luks.  Priority:-2 extents:1 across:52426748k SS
giu 02 15:46:26 host systemd[1]: Activated swap /dev/mapper/swap_luks.
giu 02 15:46:27 host kernel: Adding 16777212k swap on /dev/zram0.  Priority:100 extents:1 across:16777212k SSDsc
giu 02 15:46:43 host init: Command 'write /proc/sys/kernel/panic_on_oops 1' action=init (/system/etc/init/hw/init.rc:227) took 0ms and failed: Unable to write to file '/proc/sys/kernel/panic_on_oops': open() failed: Read-only file system

Thanks for any help
sim

What does cat /proc/cmdline return?

BOOT_IMAGE=/@/boot/vmlinuz-linux-zen root=UUID=eb80cf8c-c9a5-XXXX-XXX-7c08272ff5f5 rw rootflags=subvol=@ quiet splash nowatchdog nvme_load=YES rd.luks.uuid=b9c87837-05f4-XXXX-XXXX-51dec062a99b loglevel=3 resume=UUID=5e749008-2986-XXXX-XXXX-6defea28bf4f

If your swap partition is encrypted, shouldn’t your resume device be pointed to open crypt device, not the UUID of the actual partition?

I tried, but it didn’t work because grub didn’t find the swap partition at startup (to load the contents of the ram after Hibernation).
I think I should be able to open the swap partition directly from grub and not systemd, but automatically, since it’s very inconvenient to have to enter the root partition password and also the swap password at every startup. Is there any way to do this?
Thanks for your help
sim

Yes, you need to add another rd.luks.uuid= for your swap partition.

Ok, thanks
But which UUID should I put in the grub command line:

>$ sudo blkid /dev/nvme0n1p9
/dev/nvme0n1p9: UUID="2a5f9cc8-e250-4492-XXXX-a2df1f02b71e" TYPE="crypto_LUKS" PARTUUID="2b4679cf-5c23-49cb-XXXX-1454787a8c13"

UUID or PARTUUID?

UUID is what you want.

Ok, I have tried to follow your suggestion.

>$ cat /proc/cmdline
BOOT_IMAGE=/@/boot/vmlinuz-linux-zen root=UUID=eb80cf8c-c9a5-4ea5-a2e1-7c08272ff5f5 rw rootflags=subvol=@ quiet splash nowatchdog nvme_load=YES rd.luks.uuid=b9c87837-05f4-4f84-a23b-51dec062a99b loglevel=3 rd.luks.uuid=2a5f9cc8-e250-4492-a8c3-a2df1f02b71e resume=UUID=12ae739d-94d5-4fb6-b459-a9e97213cd1a

(UUIDs are different because I have recreated the swap partition)

>$ sudo blkid /dev/mapper/luks-2a5f9cc8-e250-4492-a8c3-a2df1f02b71e 
/dev/mapper/luks-2a5f9cc8-e250-4492-a8c3-a2df1f02b71e: UUID="12ae739d-94d5-4fb6-b459-a9e97213cd1a" TYPE="swap"
>$ sudo blkid /dev/nvme0n1p9 
/dev/nvme0n1p9: UUID="2a5f9cc8-e250-4492-a8c3-a2df1f02b71e" TYPE="crypto_LUKS" PARTUUID="2b4679cf-5c23-49cb-ac94-1454787a8c13"
>$ sudo cat /etc/crypttab 
# <name>               <device>                         <password> <options>
luks-b9c87837-05f4-4f84-a23b-51dec062a99b UUID=b9c87837-05f4-4f84-a23b-51dec062a99b     KEYFILE luks
swap_luks UUID=2a5f9cc8-e250-4492-a8c3-a2df1f02b71e /etc/keys/swap_keyfile luks,discard,noearly
>$ sudo cat /etc/fstab 
# <file system>             <mount point>  <type>  <options>  <dump>  <pass>
UUID=7D09-56F1                            /boot/efi      vfat    fmask=0137,dmask=0027 0 2
/dev/mapper/luks-b9c87837-05f4-4f84-a23b-51dec062a99b /              btrfs   subvol=/@,noatime,compress=zstd 0 0
/dev/mapper/luks-b9c87837-05f4-4f84-a23b-51dec062a99b /home          btrfs   subvol=/@home,noatime,compress=zstd 0 0
/dev/mapper/luks-b9c87837-05f4-4f84-a23b-51dec062a99b /var/cache     btrfs   subvol=/@cache,noatime,compress=zstd 0 0
/dev/mapper/luks-b9c87837-05f4-4f84-a23b-51dec062a99b /var/log       btrfs   subvol=/@log,noatime,compress=zstd 0 0
tmpfs                                     /tmp           tmpfs   defaults,noatime,mode=1777 0 0
/dev/disk/by-uuid/0CE82F3DE82F2484 /mnt/0CE82F3DE82F2484 ntfs nosuid,nodev,nofail,x-gvfs-show 0 0
/dev/disk/by-id/usb-Kingston_DT_microDuo_3C_1C1B0D0194C9E570E9810639-0:0-part1 /mnt/usb-Kingston_DT_microDuo_3C_1C1B0D0194C9E570E9810639-0:0-part1 auto nosuid,nodev,nofail,noauto,x-gvfs-show 0 0

/dev/mapper/swap_luks none swap defaults,discard,pri=-2 0 0

This time during the boot process I had to manually type the swap partition password (I guess because grub doesn’t know where to find the /etc/keys/swap_keyfile).
Is it possible to solve this?
Thank you
sim
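
A way to check the two things this thread turns on, as an added example that is not part of any post: that resume=UUID= names the swap area inside the opened mapping rather than the LUKS container, and that the kernel command line tells the initramfs to open that mapping. The function names and verdict strings are hypothetical; the sample input is the command line and blkid output from the post above, and a luks-<UUID> mapping name is assumed to carry the container's UUID, as it does in that output.

```shell
#!/bin/sh
# Print the value of the first "key=value" word on a kernel command line.
cmdline_get() (   # $1 = command line, $2 = key
    set -f        # no globbing while word-splitting the command line
    for word in $1; do
        case $word in "$2"=*) printf '%s\n' "${word#*=}"; exit 0 ;; esac
    done
    exit 1
)

# Print a one-word verdict for the resume= setting (verdict names are made up here).
check_resume() (  # $1 = command line, $2 = output of blkid
    set -f
    resume=$(cmdline_get "$1" resume) || { echo no-resume-parameter; exit 0; }
    case $resume in
        UUID=*) uuid=${resume#UUID=} ;;
        *) echo resume-not-by-uuid; exit 0 ;;
    esac
    # Match " UUID=" with its leading space so PARTUUID= cannot match.
    line=$(printf '%s\n' "$2" | grep -F " UUID=\"$uuid\"" | head -n 1)
    [ -n "$line" ] || { echo resume-uuid-not-found; exit 0; }
    dev=${line%%:*}
    fstype=${line#* TYPE=\"}; fstype=${fstype%%\"*}
    case $fstype in
        swap) ;;
        crypto_LUKS) echo resume-points-at-luks-container; exit 0 ;;
        *) echo resume-target-is-not-swap; exit 0 ;;
    esac
    # The swap area sits in a dm-crypt mapping, so the command line must
    # tell the initramfs to open it (rd.luks.uuid= or rd.luks.name=).
    case $dev in
        /dev/mapper/luks-*) id=${dev#/dev/mapper/luks-}
            want="rd.luks.uuid=$id"; alt="rd.luks.name=$id=*" ;;
        /dev/mapper/*) want="rd.luks.name=*=${dev#/dev/mapper/}"; alt=$want ;;
        *) echo ok-plain-swap; exit 0 ;;
    esac
    for word in $1; do
        case $word in $want|$alt) echo ok; exit 0 ;; esac
    done
    echo mapping-not-opened-in-initramfs
)

# Sample input copied from the post above (cat /proc/cmdline and blkid).
CMDLINE='BOOT_IMAGE=/@/boot/vmlinuz-linux-zen root=UUID=eb80cf8c-c9a5-4ea5-a2e1-7c08272ff5f5 rw rootflags=subvol=@ quiet splash nowatchdog nvme_load=YES rd.luks.uuid=b9c87837-05f4-4f84-a23b-51dec062a99b loglevel=3 rd.luks.uuid=2a5f9cc8-e250-4492-a8c3-a2df1f02b71e resume=UUID=12ae739d-94d5-4fb6-b459-a9e97213cd1a'
BLKID='/dev/mapper/luks-2a5f9cc8-e250-4492-a8c3-a2df1f02b71e: UUID="12ae739d-94d5-4fb6-b459-a9e97213cd1a" TYPE="swap"
/dev/nvme0n1p9: UUID="2a5f9cc8-e250-4492-a8c3-a2df1f02b71e" TYPE="crypto_LUKS" PARTUUID="2b4679cf-5c23-49cb-ac94-1454787a8c13"'
check_resume "$CMDLINE" "$BLKID"   # prints: ok
```

On a live system the two arguments would be "$(cat /proc/cmdline)" and "$(sudo blkid)". The check says nothing about how the mapping is unlocked (passphrase prompt or keyfile), which is the question the rest of the thread deals with.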

I don’t know if grub supports unlocking from a keyfile when that keyfile is stored on another encrypted volume.

My idea is this:
I turn on my laptop
I put in the root volume password
then grub is loaded
grub has to take the keyfile from the root partition and decrypt the swap partition (this is the point that I would like to implement)
grub passes control to the kernel and initramfs

Do you think that systemd-boot could solve the problem?

Are you using the same password for both luks partitions?

No

Did you check the section about the key-path: https://wiki.archlinux.org/title/Dm-crypt/System_configuration#rd.luks.key

PS: May I suggest a swap file instead? Setup is very easy (see e.g. Arch wiki) and you avoid these issues.

Yes, I had thought about that, but a 40GB swap file takes a lot of space on my root partition, and to do it I have to extend the partition, which is a btrfs encrypted partition, so I’m not very confident doing this. Do you think it is a good solution?

Following the instructions on the Arch Linux wiki I finally got the swap partition opened correctly from grub, but when I try to hibernate my laptop it seems that the system only goes into normal suspension (just tapping the space bar wakes up the system). Shouldn’t hibernation save the contents of the ram and turn off the pc? How long does it take? I don’t get any error messages.
EDIT:
The problem was an old systemd configuration
Now hibernation finally works! Thanks @dalto and @Schlaefer for your precious help.

sim

When it works it writes everything to disk and powers off. Don’t know what the hibernation failing behavior is: Should it do nothing or just suspend instead? Check journalctl for what is requested/if something is failing.
