Re: cryptsetup support for dm-crypt suspend/resume

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Seems I am making a habit f accidentially responding directly...

Arno

On Fri, Aug 28, 2009 at 07:21:36AM +0200, Arno Wagner wrote:
> On Fri, Aug 28, 2009 at 12:46:17AM +0200, Martin Milata wrote:
> > Hello.
> > 
> > I'm using dm-crypt to encrypt both my root and home partitions on my
> > laptop. However, I use suspend-to-ram and rarely turn the computer off.
> > 
> > I was wondering whether it would be possible to somehow tell dm-crypt to
> > temporarily discard the encryption key and block all reads/writes until
> > the key is provided again. This way, if i discarded the key to my /home
> > before suspend-to-ram, the potential thief wouldn't be able to get
> > anything else than what is cached in the ram (or at least, easily).
> > 
> > Turns out device-mapper already has commands for blocking all i/o and
> > resuming it again (dmsetup suspend, dmsetup resume) and that dm-crypt
> > driver makes it possible to wipe/re-set the key while suspended. Only
> > thing that's missing is userspace tool that could do this (or i just
> > wasn't able to find one).
> > 
> > Would it be possible to have e.g. luksSuspend and luksResume commands in
> > cryptsetup, where luksSuspend would equal running "dmsetup suspend dev;
> > dmsetup message dev 0 key wipe" (i.e. not really dependent on luks) and
> > luksResume would get the password from user, decrypt the key in header
> > and do equivalent of "dmsetup message dev 0 key set key; dmsetup resume
> > dev"; and use luksSuspend before suspend-to-ram and luksResume after the
> > wakeup?
> > 
> > Does such a feature make sense or wouldn't it increase security of the
> > partition in question at all?
> 
> Makes sense and increases security. I am wondering however whether
> this could just be scripted by
> 1) Store all parameters besides key in some file
> 2) Completely remove and umount the device before suspend.
> 3) An resume: Use a wraper around dm-crypt that gets the parameters 
>    from the file, asks for the password and initializes and mounts 
>    the device just as if it was newly created.
> 
> Arno
>  
> > If it's not total nonsense and none of the developers would like to
> > implement it himself, I'm willing to try to write a patch for
> > cryptsetup.
> > 
> > Thanks,
> > -MM
> 
> 
> 
> > _______________________________________________
> > dm-crypt mailing list
> > dm-crypt@xxxxxxxx
> > http://www.saout.de/mailman/listinfo/dm-crypt
> 
> 
> -- 
> Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx 
> GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
> ----
> Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
> 
> If it's in the news, don't worry about it.  The very definition of 
> "news" is "something that hardly ever happens." -- Bruce Schneier 

-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it.  The very definition of 
"news" is "something that hardly ever happens." -- Bruce Schneier 
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt

[Index of Archives]     [Device Mapper Devel]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Packaging]     [Fedora SELinux]     [Yosemite News]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux