6

On my company laptop I have Windows 11, which has an encrypted disk and working hibernate, and I need to provide the password just once at log-in. I would like to have the same on my personal laptop with Ubuntu. RN I have Ubuntu 20.04 with some mess in it, so I would like to do a clean install of Ubuntu 22.04 and want to know what is the best and easiest way to encrypt partitions (LUKS, or maybe something else?) that will allow me to skip GRUB and would unlock the disk/partitions at log-in with the login password. At the same time I would need / require a working hibernate. Note that I don't use a SWAP file but a partition.

RN I use this configuration for hibernation: https://gist.github.com/Mlocik97/5936fa55d4971f05c6a1c0fb10c4c9bb aka I set (sudo gedit) the /etc/polkit-1/localauthority/50-local.d/com.ubuntu.enable-hibernate.pkla file with content:

[Enable hibernate in upower]
Identity=unix-user:*
Action=org.freedesktop.upower.hibernate
ResultActive=yes

[Enable hibernate in logind]
Identity=unix-user:*
Action=org.freedesktop.login1.hibernate;org.freedesktop.login1.handle-hibernate-key;org.freedesktop.login1;org.freedesktop.login1.hibernate-multiple-sessions;org.freedesktop.login1.hibernate-ignore-inhibit
ResultActive=yes

But it works because I don't have SWAP encrypted. I set the resume param like GRUB_CMDLINE_LINUX_DEFAULT="quiet splash resume=/dev/nvme0n1p3" in the /etc/default/grub file, but now when I turn on the computer, the GRUB menu shows, even though Ubuntu is the only system on my personal laptop, and I would like to skip that step.

I tried in VMs (QEMU/KVM) to install Ubuntu 22.04 with an encrypted virtual disk (LUKS), which the installer gave me as an option on LVM partitions, but when I did it, I needed to give the password twice: once for unlocking the disk/partitions, and a second time at login. I think it's annoying and would like to give the password just once.

So I'm solving two problems: making hibernate work with encrypted SWAP, and making the unlock of partitions work with the login password. Can someone help me, please?

Mlocik97
  • 459

1 Answer

5

This answer is for enabling hibernate with an encrypted swap partition. This answer does not deal with using TPM or other means of bypassing the LUKS password prompt.

Hibernate with LUKS Encrypted Swap Partition

Outline and References

First Increase swap partition:

Changing Swap size on encrypted LVM? (kubuntu 20.04 installation)

Second Enable hibernate

Increase size of encrypted swap https://gist.github.com/tjvr/f82004565139a5b13031af1ce5a50a02

1. Decrease root and increase swap partitions

Introduction

Install Ubuntu on your laptop using the default installation process. Choose LUKS (and LVM) under the advanced option. Test the system to make sure everything works.

My laptop had 4GB RAM and a 1GB encrypted swap partition from the installation process. I used the formula of:

New Swap Partition Size = Size of RAM + Sqrt(Size of RAM)

So I needed a 6GB swap. That is, I needed to add 5GB to the existing swap partition.

The actual process

Note: The partition numbers, logical volume names etc. are from a clean default installation (with encryption) of Ubuntu 22.04 on a laptop with no other OS. YMMV.

Boot from the Ubuntu Live Installation USB and use the "Try Ubuntu" option.

Open a terminal and run subsequent commands as superuser

sudo su

The encrypted device should NOT be unlocked. Verify with:

lsblk 

The output should not have any crypt or lvm.

Unlock encrypted device

cryptsetup open /dev/sda4 crypt 

Enter the LUKS passphrase when prompted.

Get the logical volume identifiers

lsblk

└─sda4                 8:6    0 464,6G  0 part
  └─sda4_crypt       253:0    0 464,5G  0 crypt
    ├─vgubuntu-root   253:1    0 463,6G  0 lvm   /
    └─vgubuntu-swap_1 253:2    0   980M  0 lvm   [SWAP]

Shrink logical root volume AND filesystem.

lvresize --verbose --resizefs -L -5G /dev/mapper/vgubuntu-root

lvresize <volume> => Resize a logical volume.
--verbose => Give more info.
--resizefs => Resize filesystem AND LV with fsadm(8).
-L => Specifies the new size of the LV; +/- adds/subtracts to/from the current size, g|G is GiB.

Check filesystem of logical root volume for errors

e2fsck -f /dev/mapper/vgubuntu-root

e2fsck <fs-path> => Check a Linux ext2/ext3/ext4 file system.
-f => Force checking even if the file system seems clean.

Increase swap size

lvresize --verbose -L +5G /dev/mapper/vgubuntu-swap_1

Close the terminal and reboot to the internal LUKS encrypted drive.

The command free shows the old swap size.

Source: Increase size of encrypted swap

The following commands in the terminal should fix this:

sudo swapoff -a  
sudo cryptsetup resize vgubuntu-swap_1
sudo mkswap /dev/mapper/vgubuntu-swap_1 
sudo swapon -a 

Use the free command again to verify that you have the swap size you need.

2. Enable Hibernate to Swap

Note: I didn't have to make any changes to (or create) the file /etc/polkit-1/localauthority/50-local.d/com.ubuntu.enable-hibernate.pkla as mentioned in the question.

Edit the file /etc/initramfs-tools/conf.d/resume and add:

RESUME=/dev/mapper/vgubuntu-swap_1

Edit the file /etc/default/grub to make the line starting with GRUB_CMDLINE_LINUX_DEFAULT look like:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash resume=/dev/mapper/vgubuntu-swap_1"

The next two commands will update initramfs and grub respectively:

sudo update-initramfs -u -k all
sudo update-grub
sudo reboot

To test, run:

sudo systemctl hibernate

If all goes well your laptop should hibernate.

Hope this helps

user68186
  • 37,461
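A check for the two steps of the answer above, as an added example that is not part of the original answer: it compares the `resume=` kernel parameter with `RESUME=` in the initramfs-tools config and tests the swap size against the answer's RAM + sqrt(RAM) formula. The function names are hypothetical and the sample files are constructed (4 GiB RAM with the 980M swap from the `lsblk` output); on a real system pass `/proc/cmdline`, `/etc/initramfs-tools/conf.d/resume` and `/proc/meminfo`.

```bash
#!/usr/bin/env bash
# Added example: sanity-check the hibernate setup described in the answer.
# Function names are hypothetical; the sample data at the bottom is constructed.

# Swap needed (KiB) for a RAM size in KiB: RAM + sqrt(RAM), evaluated in GiB.
swap_target_kib() {
    awk -v kib="$1" 'BEGIN { g = kib / 1048576; printf "%d\n", (g + sqrt(g)) * 1048576 }'
}

# Value of resume= in a kernel command line file (empty if absent).
resume_from_cmdline() {
    tr ' ' '\n' < "$1" | sed -n 's/^resume=//p' | tail -n 1
}

# Value of RESUME= in the initramfs-tools config file (empty if absent).
resume_from_conf() {
    sed -n 's/^RESUME=//p' "$1" | tail -n 1
}

# One field (e.g. MemTotal) from a /proc/meminfo-style file, in KiB.
meminfo_kib() {
    awk -v key="$2:" '$1 == key { print $2 }' "$1"
}

# check_hibernate CMDLINE_FILE RESUME_CONF MEMINFO_FILE
# Prints one line per problem found; returns 0 only if there are none.
check_hibernate() {
    local cmd conf mem swap need rc=0
    cmd=$(resume_from_cmdline "$1"); conf=$(resume_from_conf "$2")
    mem=$(meminfo_kib "$3" MemTotal); swap=$(meminfo_kib "$3" SwapTotal)
    need=$(swap_target_kib "$mem")
    [ -n "$cmd" ] || { echo "no resume= on kernel command line"; rc=1; }
    [ "$cmd" = "$conf" ] || { echo "resume mismatch: cmdline='$cmd' initramfs='$conf'"; rc=1; }
    [ "$swap" -ge "$need" ] || { echo "swap too small: ${swap} KiB < ${need} KiB"; rc=1; }
    return "$rc"
}

# Constructed sample: 4 GiB RAM, swap still at 980 MiB (state before the resize).
demo=$(mktemp -d)
echo 'BOOT_IMAGE=/vmlinuz root=/dev/mapper/vgubuntu-root ro quiet splash resume=/dev/mapper/vgubuntu-swap_1' > "$demo/cmdline"
echo 'RESUME=/dev/mapper/vgubuntu-swap_1' > "$demo/resume"
printf 'MemTotal: 4194304 kB\nSwapTotal: 1003520 kB\n' > "$demo/meminfo"
check_hibernate "$demo/cmdline" "$demo/resume" "$demo/meminfo" || echo "not ready to hibernate"
rm -rf "$demo"
```

`MemTotal` in `/proc/meminfo` is slightly below the installed RAM, so the computed target is a lower bound rather than the exact figure from the formula.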