cryptsetup support for dm-crypt suspend/resume

Hello.

I'm using dm-crypt to encrypt both my root and home partitions on my
laptop. However, I use suspend-to-ram and rarely turn the computer off.

I was wondering whether it would be possible to somehow tell dm-crypt to
temporarily discard the encryption key and block all reads/writes until
the key is provided again. This way, if I discarded the key to my /home
before suspend-to-ram, the potential thief wouldn't be able to get
anything other than what is cached in RAM (or at least, not easily).

Turns out device-mapper already has commands for blocking all I/O and
resuming it again (dmsetup suspend, dmsetup resume) and that the dm-crypt
driver makes it possible to wipe/re-set the key while suspended. The only
thing that's missing is a userspace tool that could do this (or I just
wasn't able to find one).

Would it be possible to have e.g. luksSuspend and luksResume commands in
cryptsetup, where luksSuspend would equal running "dmsetup suspend dev;
dmsetup message dev 0 key wipe" (i.e. not really dependent on luks) and
luksResume would get the password from user, decrypt the key in header
and do equivalent of "dmsetup message dev 0 key set key; dmsetup resume
dev"; and use luksSuspend before suspend-to-ram and luksResume after the
wakeup?

Does such a feature make sense or wouldn't it increase security of the
partition in question at all?

If it's not total nonsense and none of the developers would like to
implement it himself, I'm willing to try to write a patch for
cryptsetup.

Thanks,
-MM
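The suspend/resume sequence proposed in the mail, written out as an added shell example (not code from the mail's author or from cryptsetup). It assumes a dm-crypt mapping name as its argument, root privileges and a `dmsetup` that can be pointed at a stub for dry runs; it skips the LUKS header step and takes the master key directly as the hex string dm-crypt's "key set" message expects.

```shell
#!/bin/sh
# Added example, not code from the original mail or from cryptsetup: the
# proposed luksSuspend/luksResume sequence expressed with plain dmsetup calls.
# Assumptions: the mapping named in $1 is an active dm-crypt target, the caller
# is root, and the key is the hex string dm-crypt's "key set" message expects.

DMSETUP="${DMSETUP:-dmsetup}"   # point this at a stub for dry runs

# True when the mapping is in the suspended state (all I/O queued).
dm_is_suspended() {
    "$DMSETUP" info -c --noheadings -o suspended "$1" | grep -qx 'Suspended'
}

# luksSuspend equivalent: block I/O first, then drop the key from kernel memory.
# The order is not cosmetic: dm-crypt only accepts key messages while suspended,
# so a wipe attempted on an active mapping is rejected and the key stays.
dm_key_suspend() {
    dev="$1"
    "$DMSETUP" suspend "$dev" || return 1
    dm_is_suspended "$dev" || { echo "$dev did not suspend; key left in place" >&2; return 1; }
    "$DMSETUP" message "$dev" 0 key wipe
}

# luksResume equivalent: re-install the key, then let the queued I/O proceed.
# Caveat: with the dmsetup CLI the key travels in argv and is briefly visible
# in the process list; a proper tool would hand it to the kernel over the dm
# ioctl instead.
dm_key_resume() {
    dev="$1"; hexkey="$2"
    dm_is_suspended "$dev" || { echo "$dev is not suspended" >&2; return 1; }
    "$DMSETUP" message "$dev" 0 key set "$hexkey" || return 1
    "$DMSETUP" resume "$dev"
}

# Hook points: run "suspend <name>" before suspend-to-ram, "resume <name>" after wakeup.
case "${1:-}" in
    suspend) dm_key_suspend "$2" ;;
    resume)  printf 'hex key for %s: ' "$2" >&2
             stty -echo 2>/dev/null; read -r key; stty echo 2>/dev/null; echo >&2
             dm_key_resume "$2" "$key" ;;
esac
```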


_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
