Hello all.
I’m trying to understand the workings of hibernation on encrypted swap in Linux in general and NixOS in particular, and would greatly appreciate if someone could clarify my understanding on a few points. I am terribly sorry in advance if I have completely misunderstood the whole thing and none of my questions make sense.
- Kernel documentation on the topic warns against mounting any filesystems between hibernation and resuming. At the same time, documentation for the `fileSystems.<name>.neededForBoot` NixOS option indicates that at least `/nix/store` is mounted in the initial ramdisk. Am I to understand that this doesn’t happen when resuming?
- If so, how does that interact with the `swapDevices.*.encrypted.keyFile` NixOS option? Its documentation suggests that all of the `neededForBoot` filesystems are mounted prior to consulting this file; am I to understand that this, too, doesn’t happen when resuming from hibernation, and so the swap partition used for hibernation cannot be encrypted with a key file?
- But it can be encrypted with a password, right? As in, if I just set `swapDevices.*.encrypted.enable`, `.blkDev` and `.label`, and set up the encrypted partition accordingly, hibernation should (at least in theory) work and not leave me at risk of the data loss implied in p.1? The Arch wiki article on the topic suggests adding a custom `mkinitcpio` hook — is that relevant for NixOS?
- On a somewhat tangential note, the `boot.resumeDevice` option documentation seems to indicate that swap devices should be tried automatically, but on my (normally booted) system there are no `resume=` parameters in `/proc/cmdline`, and `/sys/power/resume` is `0:0`, which are the two ways the aforementioned kernel documentation page suggests for specifying the resume device (I do have swap enabled, as verified by `lsblk`). Is this done through some separate mechanism, or should I disregard the documentation and specify `boot.resumeDevice` manually? Or are the relevant kernel options somehow provided only if there is a hibernation image?
I suppose some of these questions are answerable with a bit of experimentation on my end, but after seeing stern warnings about data loss in kernel docs I am a bit anxious about blindly trying things without checking my understanding first.
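To make the options named in the post concrete, the following is an added example NixOS module (not part of the original post, and not an answer to its questions): it declares a LUKS-encrypted swap partition using `swapDevices.*.encrypted.enable`, `.blkDev` and `.label` without a `keyFile`, and points `boot.resumeDevice` at the unlocked mapping. The partition UUID and the mapper label `cryptswap` are placeholders, and the whole file assumes a single encrypted swap partition is the only resume candidate.

```nix
# Added example configuration; not from the original post.
# All device paths, the UUID and the mapper label are placeholders.
{ config, lib, pkgs, ... }:

{
  swapDevices = [
    {
      # Path of the unlocked device. It is /dev/mapper/<encrypted.label>,
      # because `label` names the entry the initrd creates in /dev/mapper.
      device = "/dev/mapper/cryptswap";

      encrypted = {
        enable = true;
        # The underlying LUKS container (placeholder UUID; replace it).
        blkDev = "/dev/disk/by-uuid/REPLACE-WITH-SWAP-PARTITION-UUID";
        # Name of the unlocked mapping in /dev/mapper.
        label = "cryptswap";
        # No keyFile: the passphrase is asked for interactively in the initrd.
      };
    }
  ];

  # Tell the initrd which device to check for a hibernation image.
  # It must refer to the *unlocked* mapping, not the raw LUKS partition.
  boot.resumeDevice = "/dev/mapper/cryptswap";
}
```

Whether the resulting system resumes correctly is exactly what the post is asking; a safe way to check the second half of item 4 after rebuilding is to read `/proc/cmdline` and `/sys/power/resume` again on the rebuilt system, which changes nothing on disk.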