On Sat, 2020-09-19 at 23:17 +0000, procmem@xxxxxxxxxx wrote:
> Hi. There is a new cryptsetup feature that is supposed to protect
> user data while the PC is in standby. It wipes the key from RAM when
> sleep events are triggered. While it protects LUKS, other data and
> keys loaded in RAM at the time are still vulnerable to forensic
> recovery. Can you please consider adding a sleep key cache wipe
> feature to OpenSSH?

It already exists: ssh-add -D; you just have to plumb it into the
suspend hooks.

It's also not really the big problem: most people have
gnome-keyring/kde-wallet manage these keys. Nowadays it runs ssh-agent
under the covers and adds the keys from the config files based on the
passwords in the login keyring, so you'd have to lock the login keyring
as well on suspend and unlock it on resume ... probably by hooking the
screensaver password into it somehow and then have it re-populate
ssh-agent. That's a lot of highly distro specific plumbing.

James

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
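The "plumb ssh-add -D into the suspend hooks" step James describes, written out as an added example (it is not from the thread or from OpenSSH itself): a systemd system-sleep hook that flushes every ssh-agent it can find before the machine sleeps. It assumes GNU find/stat, agent sockets under /run/user (gnome-keyring style) and /tmp (classic ssh-agent), and an SSH_ADD_CMD override that exists only so the logic can be exercised without a live agent.

```shell
#!/bin/sh
# Added example: systemd sleep hook that runs `ssh-add -D` against every agent socket
# it can find. systemd invokes scripts in /usr/lib/systemd/system-sleep/ as root with
# $1 = pre|post and $2 = suspend|hibernate|hybrid-sleep|suspend-then-hibernate.

SSH_ADD_CMD="${SSH_ADD_CMD:-ssh-add}"   # override hook for testing; normally the real ssh-add

# Act only in the "pre" phase: keys stay flushed after resume until the user re-adds them.
should_wipe() {
    [ "$1" = "pre" ]
}

# Candidate agent sockets. Assumed locations: gnome-keyring's socket named "ssh" under the
# user's runtime dir and the classic ssh-agent socket under /tmp (both roots overridable).
find_agent_sockets() {
    find "${1:-/run/user}" -maxdepth 3 -type s \( -name ssh -o -name 'agent.*' \) 2>/dev/null
    find "${2:-/tmp}" -maxdepth 2 -type s -path '*/ssh-*/agent.*' 2>/dev/null
}

# Ask one agent to drop all identities, switching to the socket owner when running as root
# (an agent refuses connections from other uids).
wipe_socket() {
    sock="$1"
    owner=$(stat -c %U "$sock" 2>/dev/null || echo "")
    if [ "$(id -u)" -eq 0 ] && [ -n "$owner" ] && [ "$owner" != root ]; then
        su -s /bin/sh "$owner" -c "SSH_AUTH_SOCK='$sock' $SSH_ADD_CMD -D" >&2
    else
        SSH_AUTH_SOCK="$sock" "$SSH_ADD_CMD" -D >&2
    fi
}

# Wipe every socket given as an argument; print how many wipes succeeded.
wipe_sockets() {
    ok=0
    for sock in "$@"; do
        wipe_socket "$sock" && ok=$((ok + 1))
    done
    echo "$ok"
}

# Entry point when invoked by systemd; $1 is empty when the file is merely sourced.
# Socket paths are assumed not to contain whitespace, so word splitting is intended here.
if should_wipe "$1" "$2"; then
    n=$(wipe_sockets $(find_agent_sockets))
    logger -t ssh-agent-sleep "flushed identities in $n agent(s) before $2"
fi
```

Note that this only empties the agent; as James says, a keyring daemon that re-adds keys from the login keyring on its own will repopulate the agent unless the keyring is locked as well.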