From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from tansi.org (ns.km10532-04.keymachine.de [87.118.102.195]) by mail.saout.de (Postfix) with ESMTP for ; Fri, 28 Aug 2009 08:13:35 +0200 (CEST) Received: from gatewagner.dyndns.org (84-74-165-216.dclient.hispeed.ch [84.74.165.216]) by tansi.org (Postfix) with ESMTP id 42132243062A for ; Fri, 28 Aug 2009 08:13:38 +0200 (CEST) Date: Fri, 28 Aug 2009 08:13:35 +0200 From: Arno Wagner Message-ID: <20090828061335.GA8608@tansi.org> References: <20090827224617.GA31760@nyx.b42.cz> <20090828052136.GA8035@tansi.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20090828052136.GA8035@tansi.org> Subject: Re: [dm-crypt] cryptsetup support for dm-crypt suspend/resume List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: dm-crypt@saout.de Seems I am making a habit f accidentially responding directly... Arno On Fri, Aug 28, 2009 at 07:21:36AM +0200, Arno Wagner wrote: > On Fri, Aug 28, 2009 at 12:46:17AM +0200, Martin Milata wrote: > > Hello. > > > > I'm using dm-crypt to encrypt both my root and home partitions on my > > laptop. However, I use suspend-to-ram and rarely turn the computer off. > > > > I was wondering whether it would be possible to somehow tell dm-crypt to > > temporarily discard the encryption key and block all reads/writes until > > the key is provided again. This way, if i discarded the key to my /home > > before suspend-to-ram, the potential thief wouldn't be able to get > > anything else than what is cached in the ram (or at least, easily). > > > > Turns out device-mapper already has commands for blocking all i/o and > > resuming it again (dmsetup suspend, dmsetup resume) and that dm-crypt > > driver makes it possible to wipe/re-set the key while suspended. Only > > thing that's missing is userspace tool that could do this (or i just > > wasn't able to find one). > > > > Would it be possible to have e.g. luksSuspend and luksResume commands in > > cryptsetup, where luksSuspend would equal running "dmsetup suspend dev; > > dmsetup message dev 0 key wipe" (i.e. not really dependent on luks) and > > luksResume would get the password from user, decrypt the key in header > > and do equivalent of "dmsetup message dev 0 key set key; dmsetup resume > > dev"; and use luksSuspend before suspend-to-ram and luksResume after the > > wakeup? > > > > Does such a feature make sense or wouldn't it increase security of the > > partition in question at all? > > Makes sense and increases security. I am wondering however whether > this could just be scripted by > 1) Store all parameters besides key in some file > 2) Completely remove and umount the device before suspend. > 3) An resume: Use a wraper around dm-crypt that gets the parameters > from the file, asks for the password and initializes and mounts > the device just as if it was newly created. > > Arno > > > If it's not total nonsense and none of the developers would like to > > implement it himself, I'm willing to try to write a patch for > > cryptsetup. > > > > Thanks, > > -MM > > > > > _______________________________________________ > > dm-crypt mailing list > > dm-crypt@saout.de > > http://www.saout.de/mailman/listinfo/dm-crypt > > > -- > Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name > GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F > ---- > Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans > > If it's in the news, don't worry about it. The very definition of > "news" is "something that hardly ever happens." -- Bruce Schneier -- Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F ---- Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier