Seems I am making a habit of accidentally responding directly...

Arno

On Fri, Aug 28, 2009 at 07:21:36AM +0200, Arno Wagner wrote:
> On Fri, Aug 28, 2009 at 12:46:17AM +0200, Martin Milata wrote:
> > Hello.
> >
> > I'm using dm-crypt to encrypt both my root and home partitions on my
> > laptop. However, I use suspend-to-ram and rarely turn the computer off.
> >
> > I was wondering whether it would be possible to somehow tell dm-crypt to
> > temporarily discard the encryption key and block all reads/writes until
> > the key is provided again. This way, if I discarded the key to my /home
> > before suspend-to-ram, the potential thief wouldn't be able to get
> > anything else than what is cached in the RAM (or at least, easily).
> >
> > Turns out device-mapper already has commands for blocking all I/O and
> > resuming it again (dmsetup suspend, dmsetup resume) and that the dm-crypt
> > driver makes it possible to wipe/re-set the key while suspended. The only
> > thing that's missing is a userspace tool that could do this (or I just
> > wasn't able to find one).
> >
> > Would it be possible to have e.g. luksSuspend and luksResume commands in
> > cryptsetup, where luksSuspend would equal running "dmsetup suspend dev;
> > dmsetup message dev 0 key wipe" (i.e. not really dependent on LUKS) and
> > luksResume would get the password from the user, decrypt the key in the
> > header and do the equivalent of "dmsetup message dev 0 key set key;
> > dmsetup resume dev"; and use luksSuspend before suspend-to-ram and
> > luksResume after the wakeup?
> >
> > Does such a feature make sense or wouldn't it increase security of the
> > partition in question at all?
>
> Makes sense and increases security. I am wondering however whether
> this could just be scripted by
> 1) Store all parameters besides the key in some file
> 2) Completely remove and umount the device before suspend.
> 3) On resume: Use a wrapper around dm-crypt that gets the parameters
>    from the file, asks for the password and initializes and mounts
>    the device just as if it was newly created.
>
> Arno
>
> > If it's not total nonsense and none of the developers would like to
> > implement it himself, I'm willing to try to write a patch for
> > cryptsetup.
> >
> > Thanks,
> > -MM

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of
"news" is "something that hardly ever happens." -- Bruce Schneier

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
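The dmsetup sequence Martin proposes above (block I/O, wipe the key before suspend-to-ram; set the key and resume afterwards), written out as a small pre-suspend/post-resume helper. This is an added example, not code from the thread or from cryptsetup. It assumes a POSIX shell, root privileges and an active dm-crypt mapping whose name is passed as the argument; the `DRY_RUN` variable is this example's own convention for printing the commands instead of running them. The resume side uses `cryptsetup luksResume`, which exists in current cryptsetup and performs the passphrase prompt, `key set` and `dmsetup resume` steps in one go.

```shell
#!/bin/sh
# Added example (not from the thread): pre-suspend / post-resume helper that
# mirrors the proposed luksSuspend/luksResume behaviour with dmsetup.
# Assumptions: POSIX sh, root privileges, an active dm-crypt mapping named
# by the caller (e.g. "home"), and a DRY_RUN variable (this example's own
# convention) that prints the commands instead of executing them.
set -eu

# Command runner: with DRY_RUN=1 each command is printed on its own line.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Block I/O on the mapping, then remove the key from dm-crypt.
# Suspend comes first so no request can be processed while the key is gone;
# sync beforehand flushes dirty pages while the device can still take writes.
crypt_suspend() {
    name=$1
    run sync
    run dmsetup suspend "$name"
    run dmsetup message "$name" 0 key wipe
}

# Re-derive the key from the LUKS header (passphrase prompt), set it on the
# target and resume I/O. cryptsetup's luksResume does this sequence; the raw
# form would be "dmsetup message NAME 0 key set HEXKEY; dmsetup resume NAME".
crypt_resume() {
    name=$1
    run cryptsetup luksResume "$name"
}

# Wrappers for power-management hooks: operate on every mapping given.
crypt_suspend_all() {
    for n in "$@"; do crypt_suspend "$n"; done
}

crypt_resume_all() {
    for n in "$@"; do crypt_resume "$n"; done
}

# Caveat from the thread: only the dm-crypt key is wiped. Plaintext already
# in the page cache and in application memory stays in RAM across the suspend.
```

A typical use is `crypt_suspend_all home` from a pre-suspend hook and `crypt_resume_all home` from the resume hook, with the latter run where a passphrase prompt can reach the user (a console or an early-userspace prompter). For the root mapping the resume prompt itself must not touch the suspended device, which is why the thread discusses /home as the practical target.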