In Zorin 18 Core, when disk encryption is enabled during install, is the Swap partition also encrypted?
Yes, LUKS is Whole Disk Encryption.
Welcome to the Forum!
Like @Aravisian already wrote: the whole disc will be encrypted.
But I would add something to Swap: By default there is no Swap Partition. It is a Swap File.
Default is a swap file - but users also will add a Swap Partition if enabling Hibernate functionality.
I'll admit I may misunderstand what I'm seeing, but my swap partition seems to exist outside of what's encrypted:
Caveat: I'm running 17.3 still as 18 just doesn't offer me enough to do a full reinstall.
By default, the LUKS encryption is applied to the whole drive.
But this is not always the case.
Partitions can be included in the encryption - and it is recommended that they be so, otherwise they can be an avenue into accessing the drive contents.
Speaking only for 17.3, there aren't options to change encryption configuration beyond ZFS/LVM/encryption on/off. Whatever I have is the installer default at the time I installed it.
Naturally, which is why I'm somewhat concerned that I have a swap partition that doesn't appear to be encrypted. At install (I'm working from memory), the options are whether or not you want advanced settings. If you do, you get to choose to use ZFS and/or LVM. If you choose one of these, you may also choose encryption. There's no choice of what to encrypt, exclusions, etc.
Yes, this is kind of... weird.
If you choose Encrypt entire disk at the install, then the entire disk will be encrypted.
This creates a LUKS container, within which the partitions, including Swap Partition, would be contained.
If the user instead encrypts selected partitions manually, then this will contain only the partitions they choose.
I can guarantee you I never set any manual partitioning. I also don't recall an option at install time to enable or disable support for hibernation, although I feel like I remember seeing it on other distributions. I hate hibernation and go so far as to disable it even in Windows to recover the space used by hiberfil.sys. It's entirely conjecture, but this feels to me like the installer intended to have a swap file, but made a swap partition anyway. At the time of 17.3's release, I mentioned very frequent errors at the point of writing the partition table that I more or less forced my way through, and that 17.3's installer felt much more problematic to me than 17.1's had.
...I hate to say it but right now I really mistrust the installer for 17.3. I don't believe anything was done maliciously, but something just isn't right, then or in what I see (in Disks) now.
It's my recollection that if I manually encrypt a partition that's needed at boot, I get separate passphrase prompts for each, which would make just encrypting my swap partition and calling it a day undesirable.
I am not sure. I can tell you that the full disk will be encrypted when choosing that option at install.
But if anything was created after and not probed to the swapcrypt; maybe it was not later...
I am not even sure at this time if your swap IS outside of encryption.
I am SOMEWHAT more comfortable now, and think Disks may just be presenting information confusingly.
```
nvme0n1 259:0 0 3.6T 0 disk
├─nvme0n1p1 259:2 0 512M 0 part /boot/efi
├─nvme0n1p2 259:3 0 1.7G 0 part /boot
└─nvme0n1p3 259:4 0 3.6T 0 part
  └─nvme0n1p3_crypt 253:0 0 3.6T 0 crypt
    ├─vgzorin-root 253:1 0 3.6T 0 lvm /
    └─vgzorin-swap_1 253:2 0 1.9G 0 lvm [SWAP]
nvme1n1 259:1 0 3.6T 0 disk
├─nvme1n1p1 259:5 0 20.7G 0 part
└─nvme1n1p2 259:6 0 3.6T 0 part /mnt/bottles
```
lsblk looks to me like both the swap and / are under the crypt partition, which is good. /boot/efi and /boot seem not to be, but it's my vague recollection that getting them encrypted in LUKS is more difficult or requires specific configuration of GRUB. Either way, lsblk makes the swap partition look better.
These contain the EFI boot files and the Kernel boot- which must init before LUKS can.
Yes, your Swap is contained in the LUKS container.
Right. I was referring to this sort of thing when I said /boot and /boot/efi could be encrypted: Full disk encryption, including /boot: Unlocking LUKS devices from GRUB. It's not something I've attempted; /boot and /boot/efi don't particularly worry me. Even my (admitted) paranoia doesn't extend that far.
I used the auto feature of the OS 18 installer (peeked at manual partition, but backed out) and am confused by the result that I am seeing:
Both root and swap_1 are in /dev/vgzorin
What is the 1.8 GB Partition 2?
This is normal. Try using the lsblk command to see disks and partitions in a more useful way for this matter. It's the all text output I pasted above. If swap is under the partition marked crypt, then it's encrypted.
If you look up at the conversation @Aravisian and I had, he mentioned that /boot and /boot/efi need to be unencrypted in order for the system to boot enough to load LUKS (the encryption software), so it can read everything else. The 1.8 GB partition in your screenshot is /boot, and the 537 MB partition is /boot/efi. I still don't understand why Disks displays the swap partition the way it does, but your partition scheme looks identical to mine, so I'm fairly confident that lsblk will show your swap under the encrypted container.
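The "is swap under the crypt device?" check from the post above, automated as an added example (not part of the original thread or written by any poster). It reads `lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT` output; the function names, the `dm-N` kernel names and the `sdb2` entry are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report, for each active swap block
# device, whether a dm-crypt layer (lsblk TYPE "crypt") lies beneath it.
# Live use: lsblk -P -o KNAME,PKNAME,TYPE,MOUNTPOINT | swap_crypt_report

swap_crypt_report() {
    awk '
    # Return the value of KEY="value" from one line of lsblk -P output.
    function val(line, key,    s, i) {
        line = " " line
        i = index(line, " " key "=\"")
        if (i == 0) return ""
        s = substr(line, i + length(key) + 3)
        return substr(s, 1, index(s, "\"") - 1)
    }
    {
        k = val($0, "KNAME")
        parent[k] = val($0, "PKNAME")
        type[k] = val($0, "TYPE")
        if (val($0, "MOUNTPOINT") == "[SWAP]") swap[k] = 1
    }
    END {
        for (k in swap) {
            status = "PLAINTEXT"
            # Walk from the swap device towards the disk, looking for crypt.
            for (d = k; d != ""; d = parent[d])
                if (type[d] == "crypt") { status = "encrypted"; break }
            print k, status
        }
    }' | sort
}

# Constructed sample: the layout pasted in this thread (dm-N kernel names
# are assumed) plus a made-up plaintext swap partition, sdb2, for contrast.
sample_lsblk() {
    cat <<'EOF'
KNAME="nvme0n1" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="nvme0n1p1" PKNAME="nvme0n1" TYPE="part" MOUNTPOINT="/boot/efi"
KNAME="nvme0n1p2" PKNAME="nvme0n1" TYPE="part" MOUNTPOINT="/boot"
KNAME="nvme0n1p3" PKNAME="nvme0n1" TYPE="part" MOUNTPOINT=""
KNAME="dm-0" PKNAME="nvme0n1p3" TYPE="crypt" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="/"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" MOUNTPOINT="[SWAP]"
KNAME="sdb" PKNAME="" TYPE="disk" MOUNTPOINT=""
KNAME="sdb2" PKNAME="sdb" TYPE="part" MOUNTPOINT="[SWAP]"
EOF
}

sample_lsblk | swap_crypt_report
```

A swap file does not appear as `[SWAP]` in lsblk, so this covers swap partitions and logical volumes only; a swap file is as protected as the filesystem that holds it.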
Thanks! I understood about boot being outside the LUKS partition, but missed that boot/ and boot/efi were separate partitions. Everything is looking good and makes sense now.
I have added lsblk to my list of useful commands! And two thumbs up for Zorin 18 for my use case. (openSUSE 15.6 was EOL, openSUSE 16.0 isn't ready for beta, and the Zorin 18 install went smoothly!)