encrypted swap device not correctly configured on fresh raring install

The setup of /etc/crypttab comes from the installer, not from cryptsetup; reassigning.

Dmitrijs, does this issue sound familiar to you?

It's meant to write UUIDs.

James, could we please have installer logs for this?

Wait, swap - I misread. ecryptfs-setup-swap looks up the UUID but doesn't write it out in crypttab. That seems like a bug there.

And in fact it'd need to look up the LUKS UUID anyway in order to write it to crypttab. Compare partman-crypto:

        # Use UUID for LUKS devices
        if cryptsetup isLuks "$source"; then
                local uuid=$(cryptsetup luksUUID "$source")
                source="UUID=$uuid"
        fi

        # Add entry to crypttab
        echo "$target $source $keyfile $opts" >> /target/etc/crypttab

and ecryptfs-setup-swap:

        info `gettext "Setting up swap:"` "[$swap]"
        uuid=$(blkid -o value -s UUID $swap)
        for target in "UUID=$uuid" $swap; do
                if [ -n "$target" ] && grep -qs "^$target " /etc/fstab; then
                        sed -i "s:^$target :\#$target :" /etc/fstab
                        warn "Commented out your unencrypted swap from /etc/fstab"
                fi
        done

        while :; do
                i=$((i+1))
                [ -e "/dev/mapper/cryptswap$i" ] || break
        done
        # Add crypttab entry
        echo "cryptswap$i $swap /dev/urandom swap,cipher=aes-cbc-essiv:sha256" >> /etc/crypttab

Assuming my analysis is correct, this is not a regression: it dates back at least to precise.

=== modified file 'src/utils/ecryptfs-setup-swap'
--- src/utils/ecryptfs-setup-swap 2012-04-18 16:11:37 +0000
+++ src/utils/ecryptfs-setup-swap 2013-05-08 18:53:53 +0000
@@ -161,7 +161,7 @@
                [ -e "/dev/mapper/cryptswap$i" ] || break
        done
        # Add crypttab entry
- echo "cryptswap$i $swap /dev/urandom swap,cipher=aes-cbc-essiv:sha256" >> /etc/crypttab
+ echo "cryptswap$i UUID=$uuid /dev/urandom swap,cipher=aes-cbc-essiv:sha256" >> /etc/crypttab

        # Add fstab entry
        echo "/dev/mapper/cryptswap$i none swap sw 0 0" >> /etc/fstab

Committed revision 776.

Installed Saucy and have same issue

My understanding is that having a random key for the partition resets the UUID to something new on each boot. Making the only available fixes: randomly do without swap, use a password key for swap, or leave swap unencrypted.

This bug was fixed in the package ecryptfs-utils - 104-0ubuntu1

---------------
ecryptfs-utils (104-0ubuntu1) trusty; urgency=low

  [ Colin King ]
  * src/libecryptfs/ecryptfs-stat.c, tests/kernel/extend-file-
    random/test.c, tests/kernel/inode-race-stat/test.c,
    tests/kernel/trunc-file/test.c:
    - Fixed some 32 bit build warnings
  * src/libecryptfs/decision_graph.c, src/libecryptfs/key_management.c,
    src/libecryptfs/main.c, src/libecryptfs/module_mgr.c, src/utils/io.c,
    src/utils/mount.ecryptfs_private.c, tests/kernel/inotify/test.c,
    tests/kernel/trunc-file/test.c, tests/userspace/wrap-unwrap/test.c:
    - Fixed a pile of minor bugs (memory leaks, unclosed file descriptors,
      etc.) mostly in error paths
  * src/key_mod/ecryptfs_key_mod_passphrase.c, src/libecryptfs/main.c,
    src/pam_ecryptfs/pam_ecryptfs.c:
    - more Coverity fixes, memory leak, error checking, etc.

  [ Nobuto MURATA ]
  * fix an empty update-notifier window (LP: #1107650)
    - changes made in Rev.758 was incomplete

  [ Tyler Hicks ]
  * doc/manpage/ecryptfs.7:
    - adjust man page text to avoid confusion about whether the interactive
      mount helper takes a capital 'N' for the answer to y/n questions
      (LP: #1130460)
  * src/utils/ecryptfs_rewrap_passphrase.c:
    - Handle errors when interactively reading the new wrapping passphrase
      and the confirmation from stdin. Fixes a segfault (invalid memory read)
      in ecryptfs-rewrap-passphrase if there was an error while reading either
      of these passphrases.
  * configure.ac:
    - Set AM_CPPFLAGS to always include config.h as the first include file.
      Some .c files correctly included config.h before anything else. The
      majority of .c files got this wrong by including it after other header
      files, including it multiple times, or not including it at all.
      Including it in the AM_CPPFLAGS should solve these problems and keep
      future mistakes from happening in new source files.
    - Enable large file support (LFS) through the use of the AC_SYS_LARGEFILE
      autoconf macro. ecryptfs-utils has been well tested with LFS enabled
      because ecryptfs-utils is being built with
      '-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64' in Debian-based distros.
      This is mainly needed for some of the in-tree regression tests but
      ecryptfs-utils, in general, should be built with LFS enabled.
  * debian/rules:
    - Don't append '-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64' to the CFLAGS
      now that the upstream build enables LFS
  * tests/userspace/lfs.sh, tests/userspace/lfs/test.c:
    - Add a test to verify that LFS is enabled. This test is run under the
      make check target.
  * tests/kernel/enospc/test.c:
    - Fix test failures on 32 bit architectures due to large file sizes
      overflowing data types

  [ Dustin Kirkland ]
  * src/utils/ecryptfs-setup-swap: LP: #1172014
    - write crypttab entry using UUID
  * src/utils/ecryptfs-recover-private: LP: #1028532
    - error out, if we fail to mount the private data correctly

  [ Colin King and Dustin Kirkland ]
  * configure.ac, src/daemon/main.c, src/libecryptfs/cmd_ln_parser.c,
    src/libecryptfs/...

Using UUID in crypttab brought a regression, known as bug #1303002 and bug #1310058 (there may be more duplicates).