# LUKS ask for passphrase after waking up from sleep

## luckylinux

Until now I always encrypted my whole / (with a separated unencrypted /boot) partition, however since I almost always put my computer to sleep instead of turning it off, encryption seems to be uneffective.

The reason for this is that if someone steals my PC and doesn't reboot it (or the battery dies), they will have access to all of my data - if they manage to login on the computer (which IMHO can be prevented by something like grsecurity or putting a maximum # of login attemps before locking the system - or rebooting it) - they would be able to see all of my data and settings.

I see now there is an alternative that may be able to solve this problem but would require a few additionnal configuration (editing the init scripts, ...): "luksSuspend" / "luksResume". I would therefore need to leave unencrypted the following directories:

 /boot (expecially if using GPT)

 /

 /sbin (for cryptsetup)

I don't know if other directories should also left unencrypted. Since all init scripts are in /etc/rc.d, maybe they should as well be left unencrypted but that's a BIG security risk (/etc usually contains all networking passwords like VPN's, maybe other devices' encryption keys, ...). Not sure if a random-key encrypted swap would pose a problem (probably it does).

Did anyone of you try to implement luksSuspend / luksResume? How did you do that?

Or are there others alternatives?

Remark: I'm looking to implement suspend to ram (also known as "sleep" / "standby mode" / "suspend") with encryption support. I'm NOT looking to implement suspend to disk (also known as "hibernate"). Since almost all of my PCs run on SSDs swap would be nonsense. For a desktop I may as well put a HDD  dedicated for swap, but with 16GB+ RAM I don't think I'll ever need it (but who knows   :Confused:  ).

Edit: I'd also like to be able to mount my encrypted partition(s) over SSH (using the Dropbear trick into the initramfs image)

----------

## rufnut

 *Quote:*   

> Remark: I'm looking to implement suspend to ram (also known as "sleep" / "standby mode" / "suspend") with encryption support. I'm NOT looking to implement suspend to disk (also known as "hibernate"). Since almost all of my PCs run on SSDs swap would be nonsense. For a desktop I may as well put a HDD dedicated for swap, but with 16GB+ RAM I don't think I'll ever need it (but who knows  ).
> 
> 

 

Hi, I don't run SSD but if I did, I would still hibernate.

```
 free

             total       used       free     shared    buffers     cached

Mem:      16362728    5217692   11145036          0     135720    3418856

-/+ buffers/cache:    1663116   14699612

Swap:     10485756          0   10485756

```

I don't think my 10GB swap gets used for much anyway.

Otherwise maybe you could look at Tresor.

I was suspending before with a similar setup to you but just adding:

```
real_resume=/dev/whatever/swap resume=/dev/whatever/swap 
```

the above was enough to make it work once I resized my swap in the encrypted lvm container.

 *Quote:*   

> 
> 
> Edit: I'd also like to be able to mount my encrypted partition(s) over SSH (using the Dropbear trick into the initramfs image)

 

This has also been done but has a minor vulnerability.

I don't know much about this subject but it seems to just work for me.

(never thought I would say that about linux and its abilities let alone encryption.)

 :Smile: 

----------

## tholin

I also had the same idea and found these two guides for arch linux.

http://waaaaargh.github.io/gnu&linux/2013/08/06/lukssuspend-with-encrypted-root-on-archlinux/

https://github.com/vianney/arch-luks-suspend

They both use the same principle and can easily be modified for gentoo. A chroot is created outside of the root fs. LuksSuspend and then suspend are called from there. Unfortunately there are some problems with this solution.

Data on disk exists on disk but also in ram disk cache. Even if an attacker can't gain access to the disk he can still read all recently accessed files from ram. Using /proc/sys/vm/drop_caches is useless because the data is not overwritten. Something like sdmem would have to be used to overwrite ram but even so application might have sensitive data mapped into their address space. I see no way around that problem without using hibernate instead.

The guides just calls luksSuspend without freezing the userspace processes first. I guess some apps will get impatient when they don't get data right away and start throwing error messages. Part of the script interpreter in the chroot might get swapped out which is bad if luksSuspend is used on a swap device. Swap could be turned off but that usually takes a while to complete and the OOM killer might activate.

Is there any way to securely use suspend to ram and disk encryption? Encrypting all ram before suspend is not possible is it?

----------

## frostschutz

Oh well, that's interesting. Personally I still trust xautolock and root shells time out automatically, so I usually don't have any forgotten ones left open anywhere.

Would it really be that simple... will the open running processes be content to wait indefinitely for until years later I finally enter my passphrase again? Wow.

I'd have to duplicate my Initramfs for this as my setup involves several containers and keyfiles. Not sure if it's worth the bother really.

In case of a laptop, having to re-enter my passphrase all the time in all sorts of places is a security risk also, and probably the greater one (considering the total surveillance situation, i.e. people with smartphones everywhere).

----------

