Since Linux 6.9 (May 2024), the LUKS encryption key remained resident in memory across suspend
14 points by PuercoPop
This is specifically talking about the luksSuspend hook, which can be called before the system goes to sleep (suspends), to lock the drive whilst still keeping all other state in RAM.
Confused me a bit, because I expected the behavior to be that the LUKS key remains in RAM while a system is sleeping. Admittedly I usually power down my laptop completely between uses, so I've never looked into this.
Is this default behavior? Because I would assume you'd need to re-enter the key after resuming from suspend.
The point here is that despite the fact that luksSuspend thought it cleared it, and as far as it's concerned you do have to re-enter the key, a copy of the key is still present elsewhere in memory.
Whether the default is to use luksSuspend, and thus require the key on wakeup, is distro-dependent. I think Debian might be the only one?