14

Normally I don't shutdown my notebook any more in favour of using suspend-to-RAM. The downside is that my encrypted home partition is completely accessible after resume without entering the passphrase. A bad idea if someome steals your notebook...

Looking at cryptsetup's manpage. I've learned that LUKS now supports the luksSuspend and luksResume command. Has luksSuspend and luksResume been integrated in the scripts doing suspend-to-RAM and resume?

Peter Mortensen
  • 884
Stefan Armbruster
  • 620

3 Answers3

5

Current problem

When using Ubuntu Full Disk Encryption(that is based on dm-crypt with LUKS) to set up full system encryption, the encryption key is kept in memory when suspending the system. This drawback defeats the purpose of encryption if you carry around your suspended laptop a lot. One can use the cryptsetup luksSuspend command to freeze all I/O and flush the key from memory.

Solution

ubuntu-luks-suspend is an attempt to change the default suspend mechanism. The basic idea is to change to a chroot outside of the encrypted root fs and then lock it (withcryptsetup luksSuspend)

Community
  • 1
Prinz
  • 611
4

here is another example of ubuntu 14.04 cryptsetup luks suspend/resume root partition "almost works" :-)

one reason it works for arch and "almost works" for ubuntu could be that ubuntu kernel as of 

  Linux system 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

is still "too old": the following patch is not there yet:

make sync() on suspend-to-RAM optional

so any pm-utils or user code that issues any form of clear keys & sleep request, such as:

  cryptsetup luksSuspend root
  echo -n "mem" >/sys/power/state

will result in kernel in a call to sys_sync() which in turn causes a deadlock in dm-crypt (by design, after luks suspend)

Andrei Pozolotin
  • 141
-3

Actually, you just need to ensure that your screensaver passphrase is required on resume from suspend, and you'll be safe.

This will ensure that someone resuming your laptop from suspend will have to enter a password before they can get into the computer.

enter image description here

Dustin Kirkland
  • 14,608
  • 2
    and this really uses luksSuspend / luksResume ? – Stefan Armbruster Feb 19 '12 at 20:33
  • 2
    No, it ensures that someone resuming your laptop is required to enter a password on resume. That's essential if you've gone to the length of encrypted your data. – Dustin Kirkland Feb 19 '12 at 21:57
  • 6
    Er, this is not enough... it's just a screensaver password. It should suspend fully so that you're required to enter your LUKS password again before returning to the GUI – BenAlabaster Oct 13 '13 at 03:14
  • 2
    Exactly. The decryption key for LUKS will still be in RAM unless luksSuspend/luksResume is used. Is there a way to do this with Ubuntu? – jzila Apr 10 '14 at 23:43
  • 1
    If this was enough,this question would not exist. Yes, this will protect your data in 99% of realistic life scenarios, but as noted above, the password is still cached in the RAM during suspend, even if password protect on resume is enabled. A tech-savy foe (such as the N.S.A.) would be able perform a 'cold boot attack' and recover the passphrase, then decrypt all your data. – Chev_603 Mar 11 '15 at 19:10
  • This misses the point. With the machine hibernated, someone could still take the disk out, read the ram dump, and access the password to Luks, from the memory. Only calling luksSuspend before hibernate, will clear that password from memory (and require the user to re-enter on resume). – sibaz Sep 18 '15 at 10:37