From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
	by mail.saout.de (Postfix) with ESMTP
	for ; Fri, 28 Aug 2009 08:04:21 +0200 (CEST)
Message-ID: <4A977360.3030605@redhat.com>
Date: Fri, 28 Aug 2009 08:04:16 +0200
From: Milan Broz
MIME-Version: 1.0
References: <20090827224617.GA31760@nyx.b42.cz>
In-Reply-To: <20090827224617.GA31760@nyx.b42.cz>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [dm-crypt] cryptsetup support for dm-crypt suspend/resume
To: Martin Milata
Cc: dm-crypt@saout.de

Martin Milata wrote:
> Would it be possible to have e.g. luksSuspend and luksResume commands in
> cryptsetup, where luksSuspend would equal running "dmsetup suspend dev;
> dmsetup message dev 0 key wipe" (i.e. not really dependent on luks) and
> luksResume would get the password from user, decrypt the key in header
> and do equivalent of "dmsetup message dev 0 key set key; dmsetup resume
> dev"; and use luksSuspend before suspend-to-ram and luksResume after the
> wakeup?

Yes, I plan to add this; you can track this issue here:
http://code.google.com/p/cryptsetup/issues/detail?id=3

> Does such a feature make sense or wouldn't it increase security of the
> partition in question at all?

Depends on the situation; after key wipe there should be no volume key
in memory, but memory can still contain unencrypted data...

> If it's not total nonsense and none of the developers would like to
> implement it himself, I'm willing to try to write a patch for
> cryptsetup.

It should be easy to implement, but my priority now is to prepare the new
libcryptsetup API (it will appear in svn soon), and implementation of these
new features will follow, on top of this new API.

The old API remains in its current state without new features added, just
to retain compatibility, so implementing anything new using it is a waste
of time for now :-)

Milan
--
mbroz@redhat.com