A complete guide to enabling hibernation on Fedora 43 (Workstation) with UEFI and a btrfs filesystem, including fixes for Secure Boot and SELinux issues.
Run these commands in sequence to enable hibernation:
# Calculate swap size (RAM-based formula)
SWAPSIZE=$(free | awk '/Mem/ {x=$2/1024/1024; printf "%.0fG", (x<2 ? 2*x : x<8 ? 1.5*x : x) }')
SWAPFILE=/var/swap/swapfile
# Create btrfs subvolume and swap file
sudo btrfs subvolume create /var/swap
sudo btrfs filesystem mkswapfile --size $SWAPSIZE --uuid clear $SWAPFILE
# Enable swap file
echo $SWAPFILE none swap defaults 0 0 | sudo tee --append /etc/fstab
sudo swapon --all --verbose
# Configure dracut for resume
echo 'add_dracutmodules+=" resume "' | sudo tee /etc/dracut.conf.d/resume.conf
sudo dracut --force --verbose
# Fix SELinux permissions (critical!)
sudo semanage fcontext --add --type swapfile_t $SWAPFILE
sudo restorecon -RF /var/swap
# Test hibernation
sudo systemctl hibernate

Verify your system uses UEFI:
bootctl
If this prints "Not booted with EFI", this method won't work.
Important: Hibernation requires Secure Boot to be disabled in BIOS/UEFI settings.
With Secure Boot enabled, you'll get:
Call to Hibernate failed: Sleep verb 'hibernate' is not configured or configuration is not supported by kernel
To disable: Reboot → BIOS/UEFI settings (F2/F10/F12/Del) → Security/Boot menu → Disable Secure Boot → Save and exit.
Why? Kernel lockdown (enabled with Secure Boot) prevents hibernation to unencrypted swap for security reasons.
The command btrfs filesystem mkswapfile automatically:
- Disables copy-on-write (COW) for the swap file
- Creates the file with proper attributes
- Avoids the "swapfile must not be copy-on-write" error
Using standard mkswap will fail on btrfs without additional COW disabling steps.
The swap file is added to /etc/fstab for persistence across reboots and activated immediately. Verify with swapon --show - you should see both your swap file and the existing zram device.
The --verbose flag is important - without it, dracut appears to hang with no output for 2-5 minutes. It shows progress and confirms the command is working.
Critical step often missed! Without proper SELinux labeling, you'll get "Access denied" errors even when running as root. These commands tag the swap file with the swapfile_t type that SELinux expects.
# Verify swap is active
swapon --show
# Check security configuration
fwupdmgr security
# Verify SELinux context
ls -Z /var/swap/swapfile

Expected fwupdmgr security output:
✔ UEFI secure boot: Disabled
✘ Linux kernel lockdown: Disabled (expected for hibernation)
✘ Linux swap: Invalid (unencrypted swap present)
Cause: Secure Boot is still enabled
Solution: Disable Secure Boot in BIOS/UEFI settings
Cause: SELinux policy not configured
Solution: Run the SELinux commands from the reference above and verify with ls -Z /var/swap/swapfile (should show swapfile_t)
Cause: No progress output by default (takes 2-5 minutes)
Solution: Use --verbose flag as shown in the command reference
Cause: Using standard mkswap instead of btrfs-specific command
Solution: Use btrfs filesystem mkswapfile as shown in the command reference
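The verification and troubleshooting checks above, combined into one preflight script. This is an added example, not part of the original guide: the function names are hypothetical, the sample inputs are constructed, and /sys/kernel/security/lockdown is the kernel's lockdown status file, which the guide itself does not mention.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): preflight checks for hibernation.
# Each helper takes text, so it can be tried on the constructed samples below.

# Active mode from /sys/kernel/security/lockdown, where the kernel brackets
# the current value, e.g. "none [integrity] confidentiality" -> integrity
lockdown_mode() { printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)].*/\1/p'; }

# Swap size in GiB for a MemTotal given in KiB (same formula as the guide).
swap_size_gib() {
    awk -v kib="$1" 'BEGIN { x = kib/1024/1024
        printf "%.0f", (x<2 ? 2*x : x<8 ? 1.5*x : x) }'
}

# SELinux type field from one `ls -Z` line (user:role:type:level path).
selinux_type() { printf '%s\n' "$1" | awk '{ split($1, f, ":"); print f[3] }'; }

# Args: lockdown text, `ls -Z` line, swap file bytes, MemTotal KiB.
# Prints one line per check; returns non-zero if any check fails.
preflight() {
    rc=0
    mode=$(lockdown_mode "$1"); ctx=$(selinux_type "$2")
    need=$(swap_size_gib "$4"); have=$(( $3 / 1073741824 ))
    if [ "$mode" = none ]; then echo "OK   lockdown: none"
    else echo "FAIL lockdown: ${mode:-unknown} (Secure Boot still enforcing?)"; rc=1; fi
    if [ "$ctx" = swapfile_t ]; then echo "OK   selinux: swapfile_t"
    else echo "FAIL selinux: ${ctx:-none}, expected swapfile_t"; rc=1; fi
    if [ "$have" -ge "$need" ]; then echo "OK   swap: ${have}G >= ${need}G"
    else echo "FAIL swap: ${have}G < ${need}G"; rc=1; fi
    return $rc
}

# Constructed samples: a correctly prepared 8 GiB machine, then one with
# lockdown active, a mislabelled swap file and an undersized swap file.
preflight '[none] integrity confidentiality' \
    'system_u:object_r:swapfile_t:s0 /var/swap/swapfile' 8589934592 8388608
preflight 'none [integrity] confidentiality' \
    'unconfined_u:object_r:var_t:s0 /var/swap/swapfile' 2147483648 8388608 \
    || echo "=> not ready for hibernation"

# On a real system, feed it live values instead:
#   preflight "$(cat /sys/kernel/security/lockdown)" \
#       "$(sudo ls -Z /var/swap/swapfile)" \
#       "$(sudo stat -c %s /var/swap/swapfile)" \
#       "$(awk '/MemTotal/ {print $2}' /proc/meminfo)"
```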
- zram remains active: The existing zram swap device continues to work alongside the swap file. zram has higher priority for normal swap operations; the disk-based swap file is used primarily for hibernation.
- Swap file location: The swap file is in /var/swap/ as a separate btrfs subvolume, isolating it from snapshots.
- Suspend vs Hibernate:
  - Suspend: RAM stays powered, fast resume, drains battery slowly
  - Hibernate: RAM saved to disk, complete power off, slower resume, no battery drain
  - Suspend-then-hibernate: systemctl suspend-then-hibernate (suspends first, hibernates after timeout)
On UEFI systems, hibernation uses a streamlined process:
- systemd stores swap file location in a UEFI variable
- System writes memory contents to swap file
- Machine powers off completely
- On boot, bootloader reads the UEFI variable
- Kernel resumes from swap file location
- Memory is restored and execution continues
This is simpler than legacy BIOS systems that required manual boot parameter configuration.
Based on: Fedora Magazine - Update on hibernation in Fedora Workstation
Additional references:
- Arch Wiki - Dracut Hibernation
- btrfs Wiki - Swap File Support
- Forum post by Ben (January 28, 2025) - SELinux configuration fix
Key improvements over original article:
- Uses btrfs filesystem mkswapfile instead of standard mkswap (avoids COW issues)
- Includes SELinux configuration (prevents "Access denied" errors)
- Documents Secure Boot requirement (must be disabled)
- Uses --verbose flag for dracut (shows progress)
- Complete troubleshooting section
Tested on: Fedora 43 Workstation, UEFI boot, btrfs filesystem
Last updated: February 2026
This guide is provided as-is for the community. Feel free to share, modify, and improve.
Here is a small addition, you can include this in your guide if you want to :) Feedback is much appreciated
Secure Boot & Hibernation
Hibernation fails with Secure Boot because Linux goes into "lock down" mode. To keep Secure Boot enabled but allow hibernation, you may need to disable validation:
Set a password, you'll only need to remember it once.
Reboot and press any key as soon as you see the MOK screen.
There choose Change Secure Boot state.
Enter your password's characters as prompted.
Choose Yes when asked if you want to disable Secure Boot.
Notice: Secure Boot can be kept enabled in your UEFI (BIOS)
Note: This effectively makes Secure Boot "permissive"—it stays On in UEFI (BIOS) but won't block kernel features like hibernation, I recommend following the TPM guide below to increase security a little bit again
Guide: Encrypted Swap Partition
1: Create the Partition
2: Format & Activation
Before the system can use the swap, you must "open" the encrypted container and format the space inside it.
3: Persistent Configuration
To make this permanent, you need to identify two different UUIDs. Run lsblk -f and look for a structure like this:
Identifying your UUIDs
/etc/crypttab: Use UUID_A (the raw partition) so the system knows which drive to decrypt.
/etc/fstab: Use the UUID to ensure the swap is mounted after decryption.
4: Bootloader & Initramfs
This tells the Linux kernel where to find the hibernation data during the boot process.
/etc/default/grub: Find GRUB_CMDLINE_LINUX and append these two parameters:
rd.luks.uuid=[UUID_A] (Tells the kernel to unlock the drive)
resume=UUID=[UUID_B] (Tells the kernel where the hibernation image is)
This rebuilds your boot image and includes the "resume" module.
Tip
Make sure to save everything before testing Hibernation, as it might not work the first time
5: TPM 2.0 Auto-Unlock (Recommended)
If you don't want to type two different passwords at boot (one for Root and one for Swap), you can use your computer's TPM chip to unlock the swap partition automatically. It is also recommended because you will be prompted for the password if someone tampers with your system, thus you know something fishy is going on.
Tip
This is highly recommended for a seamless experience. You can find a detailed guide on using systemd-cryptenroll for TPM 2.0 here:
https://github.com/mveplus/Fedora-Linux-TPM2-Backed-Full-Disk-Encryption-with-Secure-Boot
I recommend using pcrs=0+1+5+7 for the optimal balance between security and convenience, you might have to run the crypt enroll command again after the first reboot. More info to the pcrs here:
https://fedoramagazine.org/automatically-decrypt-your-disk-using-tpm2/
https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/
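
A consistency check for steps 3 and 4 of the encrypted swap guide, as an added example that is not part of the comment above: it confirms that rd.luks.uuid points at the crypttab entry (UUID_A) and that resume= points at a swap entry in fstab (UUID_B). The function names, the mapper name cryptswap and both UUIDs are constructed, and the fstab entry is assumed to use the UUID= form.

```bash
#!/usr/bin/env bash
# Added example: cross-check the UUIDs used for encrypted-swap hibernation.
# All UUIDs and the mapper name "cryptswap" below are constructed.

# First value of a key=value kernel parameter, e.g. param "$cmd" resume
param() { printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1; }

# True if some non-comment line of text $1 has field number $2 equal to $3
# (and, when $4 is non-empty, field 3 equal to $4).
has_entry() {
    printf '%s\n' "$1" | awk -v n="$2" -v v="$3" -v t="$4" \
        '$1 !~ /^#/ && $n == v && (t == "" || $3 == t) { ok = 1 }
         END { exit !ok }'
}

# Args: kernel command line, /etc/crypttab text, /etc/fstab text.
check_resume_chain() {
    rc=0
    luks=$(param "$1" rd.luks.uuid | sed 's/^luks-//')   # UUID_A
    swap=$(param "$1" resume | sed 's/^UUID=//')         # UUID_B
    [ -n "$luks" ] && has_entry "$2" 2 "UUID=$luks" "" ||
        { echo "FAIL rd.luks.uuid has no matching crypttab entry"; rc=1; }
    [ -n "$swap" ] && has_entry "$3" 1 "UUID=$swap" swap ||
        { echo "FAIL resume= is not a swap entry in fstab"; rc=1; }
    [ "$luks" != "$swap" ] ||
        { echo "FAIL same UUID used for container and swap"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK   resume chain is consistent"; fi
    return $rc
}

A=11111111-aaaa-4aaa-8aaa-111111111111   # constructed UUID_A (LUKS partition)
B=22222222-bbbb-4bbb-8bbb-222222222222   # constructed UUID_B (swap inside it)
CRYPTTAB="cryptswap UUID=$A none luks"
FSTAB="UUID=$B none swap defaults 0 0"

check_resume_chain "rhgb quiet rd.luks.uuid=$A resume=UUID=$B" "$CRYPTTAB" "$FSTAB"
# Constructed mistake: the two UUIDs swapped on the kernel command line.
check_resume_chain "rhgb quiet rd.luks.uuid=$B resume=UUID=$A" "$CRYPTTAB" "$FSTAB" \
    || echo "=> fix GRUB_CMDLINE_LINUX before testing hibernation"

# On a real system:
#   check_resume_chain "$(cat /proc/cmdline)" \
#       "$(sudo cat /etc/crypttab)" "$(cat /etc/fstab)"
```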