Suspend to RAM and encrypted partitions
Solution 1
Current problem
When using Ubuntu Full Disk Encryption(that is based on dm-crypt with LUKS) to set up full system encryption, the encryption key is kept in memory when suspending the system. This drawback defeats the purpose of encryption if you carry around your suspended laptop a lot. One can use the cryptsetup luksSuspend command to freeze all I/O and flush the key from memory.
Solution
ubuntu-luks-suspend is an attempt to change the default suspend mechanism. The basic idea is to change to a chroot outside of the encrypted root fs and then lock it (withcryptsetup luksSuspend)
Solution 2
here is another example of ubuntu 14.04 cryptsetup luks suspend/resume root partition "almost works" :-)
one reason it works for arch and "almost works" for ubuntu could be that ubuntu kernel as of
Linux system 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
is still "too old": the following patch is not there yet:
make sync() on suspend-to-RAM optional
so any pm-utils
or user code
that issues any form of
clear keys & sleep request, such as:
cryptsetup luksSuspend root
echo -n "mem" >/sys/power/state
will result in kernel in a call to sys_sync()
which in turn causes a deadlock in dm-crypt
(by design, after luks suspend)
Related videos on Youtube
Stefan Armbruster
Updated on September 18, 2022Comments
-
Stefan Armbruster over 1 year
Normally I don't shutdown my notebook any more in favour of using suspend-to-RAM. The downside is that my encrypted home partition is completely accessible after resume without entering the passphrase. A bad idea if someome steals your notebook...
Looking at cryptsetup's manpage. I've learned that LUKS now supports the
luksSuspend
andluksResume
command. HasluksSuspend
andluksResume
been integrated in the scripts doing suspend-to-RAM and resume?-
Lekensteyn about 12 yearsRelated LP bug. Locking the screen is an easy method to protect against the "regular" people. It does not protect you from people who know your password (or can guess it), abuse a bug to gain access to a session or read the passwords from memory
-
-
Stefan Armbruster about 12 yearsand this really uses luksSuspend / luksResume ?
-
Dustin Kirkland about 12 yearsNo, it ensures that someone resuming your laptop is required to enter a password on resume. That's essential if you've gone to the length of encrypted your data.
-
BenAlabaster over 10 yearsEr, this is not enough... it's just a screensaver password. It should suspend fully so that you're required to enter your LUKS password again before returning to the GUI
-
jzila about 10 yearsExactly. The decryption key for LUKS will still be in RAM unless luksSuspend/luksResume is used. Is there a way to do this with Ubuntu?
-
Christian almost 10 yearsThis attempt (not functional yet) is discussed on the related question How do I enable Ubuntu to suspend the machine using LUKSsuspend during sleep/hibernate.
-
Chev_603 about 9 yearsIf this was enough,this question would not exist. Yes, this will protect your data in 99% of realistic life scenarios, but as noted above, the password is still cached in the RAM during suspend, even if password protect on resume is enabled. A tech-savy foe (such as the N.S.A.) would be able perform a 'cold boot attack' and recover the passphrase, then decrypt all your data.
-
sibaz over 8 yearsThis misses the point. With the machine hibernated, someone could still take the disk out, read the ram dump, and access the password to Luks, from the memory. Only calling luksSuspend before hibernate, will clear that password from memory (and require the user to re-enter on resume).