On Fri, Aug 28, 2009 at 15:53:35 +0200, Arno Wagner wrote: > On Fri, Aug 28, 2009 at 11:46:17AM +0200, Martin Milata wrote: > > On Fri, Aug 28, 2009 at 07:21:36 +0200, Arno Wagner wrote: > > > Makes sense and increases security. I am wondering however whether > > > this could just be scripted by > > > 1) Store all parameters besides key in some file > > > 2) Completely remove and umount the device before suspend. > > > 3) An resume: Use a wraper around dm-crypt that gets the parameters > > > from the file, asks for the password and initializes and mounts > > > the device just as if it was newly created. > > > > If I understand it correctly, this would require unmounting the > > partition (and thus killing all programs using it), which I would like > > to avoid. And cached contents of the filesystem would probably remain in > > RAM anyway. > > I am not sure you even can remove the mapping (and hence > the encryption) without umounting. If you can, that would > be better, obviously but then you likely have to do that > with specialised code. I'm sorry, my original post is probably too confusing. I used the words "suspend" and "resume" in two different meanings which was probably not very clear. Besides the obvious meaning (suspend/resume computer to/from ram), I also meant suspend/resume commands of device-mapper which are (i guess) completely independent of suspending computer to ram. Their descriptions can be found on dmsetup manual page. Using these commands, it should be possible to temporarily throw out the encryption key without unmounting the filesystem or removing the mapping. That would require support in cryptsetup, though. Sorry for not making myself clear. Regards, MM
Attachment:
signature.asc
Description: Digital signature
_______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt