From: Heiko Rosemann
Sender: heiko.rosemann@web.de
To: dm-crypt@saout.de
Date: Fri, 07 Jan 2011 11:42:32 +0100
Subject: Re: [dm-crypt] Dmcrypt and hibernate key disclosure
Message-ID: <4D26EE18.9000105@web.de>
In-Reply-To: <4D2691D7.6020604@kdzbn.homelinux.net>

On 01/07/11 05:08, Bryan Kadzban wrote:
> Arno Wagner wrote:
>> The other option would be to modify the resume process to
>> ask you for the passphrase to the swap partition. I don't
>> know whether that is possible.
>
> In an initramfs, I bet it is, though I've never tried it. Resuming from
> hibernate is handled by writing the major:minor of the block device to
> resume from into the /sys/power/resume file, and I would *guess* that
> the device node can be a device-mapper child (such as dm-crypt or LVM
> would create).

I do not know about the details like what needs to be copied in which
stage, but I can confirm that this works with tuxonice: add to your
initramfs a call to cryptsetup luksOpen enc-swap before initiating the
resume process from /dev/mapper/enc-swap.

I know this because this is the setup I have been using for the last
couple of years :)

> Of course, whether any given distro's initramfs setup can actually do
> this (assuming it's possible in the kernel) is a different story. :-)

I have recently tried out archlinux and it is pretty easy to add such a
hook there. They also support udev inside their initramfs, so using a
keyfile on a specific USB device to unlock your swap is also quite easy.
(Using gentoo, I have been running into a lot of trouble with
compatibility issues between udev and busybox-modprobe - used in my
initramfs - lately.)

It is also no big deal if you just unlock *all* encrypted partitions
before initiating the resume process, but it does not need to be done.

>> It seems to me that there
>> is actually no software hook or script that gets executed
>> during resume,
>
> From hibernate, there is. It's a normal bootup, including initramfs,
> until some string gets written into /sys/power/resume. There might be
> restrictions on when this write can happen, but I'm sure they at least
> allow some initramfs code to run.

Well, most of my initramfs runs before initiating resume :)

Regards, Heiko

--
Encrypt e-mails with PGP - privacy is your right!
My PGP key for verification: http://pgp.mit.edu