Re: luksSuspend for plain dm-crypt


 



On 08/29/2017 11:37 AM, dm-crypt@xxxxxxxxxxxxxxxxx wrote:
> I'd like to emulate the functionality of luksSuspend for a plain
> dm-crypt device. I've got lost in the device mapper functions and it
> would be great if somebody can give me a hand.
Hi,

It is quite easy with dmsetup, but unlike LUKS, there is no way to
check that the reinstated key is correct (you can resume the target with a different
key and cause severe data corruption - that's why we do not support it in cryptsetup).

So, if you want to suspend a plain dm-crypt device with the name "test":

- You need the volume key; you can get it from the kernel for an active device:
# dmsetup table test --showkeys | cut -d' ' -f 5

- Suspending and wiping the key is a two-step process now:

# dmsetup suspend test
# dmsetup message test 0 key wipe

Now you have a suspended device with key(s) wiped from memory (like luksSuspend).

Reinstating the key can be done in reverse:

# dmsetup message test 0 key set <volume key in hex format from command above>
# dmsetup resume test

(This is the equivalent of luksResume.)

The message command is not accepted if the device is not suspended.
(Suspended means that all IO operations are queued - beware of suspending the device
you run the command from, it will cause a deadlock!)

Note that in the future we will optionally support activation through the kernel keyring,
so you will put the key there, not to dmsetup.

Milan
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
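
The reply above warns that plain dm-crypt cannot tell whether a reinstated key is correct. The shell functions below are an added example, not part of the original message or of cryptsetup: they record a fingerprint of the key before the wipe and refuse `key set` on a mismatch, leaving the device suspended. The function names, the fingerprint file and the use of sha256sum are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper names): guard "key set" with a
# fingerprint of the volume key that is recorded before the key is wiped.

# Succeeds only for a non-empty, even-length hex string.
is_hex_key() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ $(( ${#1} % 2 )) -eq 0 ]
}

# Field 5 of a crypt table line is the key:
#   <start> <length> crypt <cipher> <key> <iv_offset> <device> <offset>
key_from_table() {
    key=$(printf '%s\n' "$1" | cut -d' ' -f 5)
    is_hex_key "$key" || return 1   # e.g. a keyring reference, not a hex key
    printf '%s' "$key"
}

# SHA-256 over the lower-cased hex string, so letter case does not matter.
key_fingerprint() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | sha256sum | cut -d' ' -f 1
}

# suspend_and_wipe NAME FPFILE: save the fingerprint, then suspend and wipe.
suspend_and_wipe() {
    table=$(dmsetup table "$1" --showkeys) || return 1
    key=$(key_from_table "$table") || return 1
    ( umask 077; key_fingerprint "$key" > "$2" ) || return 1
    unset key table
    dmsetup suspend "$1" && dmsetup message "$1" 0 key wipe
}

# resume_with_key NAME FPFILE HEXKEY: set the key only if it matches.
resume_with_key() {
    is_hex_key "$3" || { echo "key is not a hex string" >&2; return 1; }
    [ "$(key_fingerprint "$3")" = "$(cat "$2")" ] || {
        echo "key does not match fingerprint; device left suspended" >&2
        return 1
    }
    dmsetup message "$1" 0 key set "$3" && dmsetup resume "$1"
}
```

The fingerprint file lets anyone who can read it test key guesses offline, which matters when the plain-mode key was derived from a passphrase, so keep it root-only and delete it after a successful resume.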


