Suspend to RAM and encrypted partitions

Solution 1

Current problem

When using Ubuntu Full Disk Encryption (that is based on dm-crypt with LUKS) to set up full system encryption, the encryption key is kept in memory when suspending the system. This drawback defeats the purpose of encryption if you carry around your suspended laptop a lot. One can use the cryptsetup luksSuspend command to freeze all I/O and flush the key from memory.

Solution

ubuntu-luks-suspend is an attempt to change the default suspend mechanism. The basic idea is to change to a chroot outside of the encrypted root fs and then lock it (with cryptsetup luksSuspend).

Solution 2

Here is another example of Ubuntu 14.04 cryptsetup LUKS suspend/resume of the root partition that "almost works" :-)

One reason it works for Arch and "almost works" for Ubuntu could be that the Ubuntu kernel as of

  Linux system 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

is still "too old": the following patch is not there yet:

make sync() on suspend-to-RAM optional

so any pm-utils or user code that issues any form of a clear-keys-and-sleep request, such as:

  cryptsetup luksSuspend root
  echo -n "mem" >/sys/power/state

will result in the kernel making a call to sys_sync(), which in turn causes a deadlock in dm-crypt (by design, after luksSuspend).
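Putting the two answers together as an added example (not code from either answer, nor from ubuntu-luks-suspend): a POSIX sh script that runs the luksSuspend, sleep, luksResume sequence, but first checks that the kernel exposes /sys/power/sync_on_suspend, the sysfs knob that the upstream "make sync() on suspend-to-RAM optional" change introduced, so the sys_sync() deadlock from Solution 2 cannot happen. It assumes the mapping is not the root filesystem (an encrypted home partition as in the question), because for root the cryptsetup binary itself would have to live in a tmpfs chroot as Solution 1 describes; SYSFS_POWER and DRY_RUN are knobs of this script only.

```shell
#!/bin/sh
# Added example, not code from either answer: lock a LUKS mapping before
# suspend-to-RAM and re-open it on resume, refusing on kernels that still
# force sync() during suspend (the deadlock described in Solution 2).
# Assumptions: $1 is the mapping name (e.g. "home"); SYSFS_POWER and DRY_RUN
# are knobs of this script only; /sys/power/sync_on_suspend is the sysfs file
# the upstream "make sync() on suspend-to-RAM optional" change added.
SYSFS_POWER="${SYSFS_POWER:-/sys/power}"
DRY_RUN="${DRY_RUN:-0}"

# Run a privileged command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf 'would run: %s\n' "$*"; else "$@"; fi
}

# Write to sysfs with shell builtins only: once the mapping is frozen, any
# fork/exec that touches the frozen filesystem would block forever.
write_sysfs() {
    if [ "$DRY_RUN" = 1 ]; then printf 'would write %s to %s\n' "$2" "$1"
    else printf '%s' "$2" > "$1"; fi
}

# True when the kernel lets us skip the sync() it would run after luksSuspend.
kernel_can_skip_sync() { [ -f "$SYSFS_POWER/sync_on_suspend" ]; }

luks_lock_and_sleep() {
    mapping=$1
    if ! kernel_can_skip_sync; then
        echo "no $SYSFS_POWER/sync_on_suspend: luksSuspend before sleep would deadlock in sys_sync()" >&2
        return 1
    fi
    run sync                                     # flush while the device is still live
    write_sysfs "$SYSFS_POWER/sync_on_suspend" 0 # tell the kernel not to sync again
    run cryptsetup luksSuspend "$mapping"        # wipe the key from RAM, freeze I/O
    write_sysfs "$SYSFS_POWER/state" mem         # blocks here until the machine resumes
    run cryptsetup luksResume "$mapping"         # prompt for the passphrase, thaw I/O
}

# Usage (as root): ./luks-sleep.sh home
if [ "$#" -gt 0 ]; then luks_lock_and_sleep "$1"; fi
```

On a kernel older than the patch the script exits before touching the mapping, which is the safe failure: the screen lock still applies, only the key stays in RAM as it does today.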


Author: Stefan Armbruster

Updated on September 18, 2022

Comments

  • Stefan Armbruster over 1 year

    Normally I don't shut down my notebook any more in favour of using suspend-to-RAM. The downside is that my encrypted home partition is completely accessible after resume without entering the passphrase. A bad idea if someone steals your notebook...

    Looking at cryptsetup's manpage, I've learned that LUKS now supports the luksSuspend and luksResume commands. Have luksSuspend and luksResume been integrated in the scripts doing suspend-to-RAM and resume?

    • Lekensteyn about 12 years
      Related LP bug. Locking the screen is an easy method to protect against the "regular" people. It does not protect you from people who know your password (or can guess it), abuse a bug to gain access to a session, or read the passwords from memory.
  • Stefan Armbruster about 12 years
    And this really uses luksSuspend / luksResume?
  • Dustin Kirkland about 12 years
    No, it ensures that someone resuming your laptop is required to enter a password on resume. That's essential if you've gone to the length of encrypting your data.
  • BenAlabaster over 10 years
    Er, this is not enough... it's just a screensaver password. It should suspend fully so that you're required to enter your LUKS password again before returning to the GUI.
  • jzila about 10 years
    Exactly. The decryption key for LUKS will still be in RAM unless luksSuspend/luksResume is used. Is there a way to do this with Ubuntu?
  • Christian almost 10 years
    This attempt (not functional yet) is discussed on the related question How do I enable Ubuntu to suspend the machine using LUKSsuspend during sleep/hibernate.
  • Chev_603 about 9 years
    If this were enough, this question would not exist. Yes, this will protect your data in 99% of realistic life scenarios, but as noted above, the password is still cached in the RAM during suspend, even if password protect on resume is enabled. A tech-savvy foe (such as the N.S.A.) would be able to perform a 'cold boot attack' and recover the passphrase, then decrypt all your data.
  • sibaz over 8 years
    This misses the point. With the machine hibernated, someone could still take the disk out, read the RAM dump, and access the password to LUKS from the memory. Only calling luksSuspend before hibernate will clear that password from memory (and require the user to re-enter it on resume).