[dm-crypt] luksSuspend for plain dm-crypt

Milan Broz gmazyland at gmail.com
Tue Aug 29 12:19:27 CEST 2017


On 08/29/2017 11:37 AM, dm-crypt at stachelkaktus.net wrote:
> I'd like to emulate the functionality of luksSuspend for a plain
> dm-crypt device. I've got lost in the device mapper functions and it
> would be great if somebody can give me a hand.
Hi,

it is quite easy with dmsetup, but unlike LUKS, there is no way to
check that the reinstated key is correct (you can resume the target with a different
key and cause severe data corruption - that's why we do not support it in cryptsetup).

So, if you want to suspend a plain dm-crypt device with name "test"

- You need the volume key, you can get it from the kernel for an active device
# dmsetup table test --showkeys | cut -d' ' -f 5

- Suspend and wipe key is two-step process now:

# dmsetup suspend test
# dmsetup message test 0 key wipe

Now you have suspended device with key(s) wiped from memory (like luksSuspend).

Reinstating the key can be done in reverse:

# dmsetup message test 0 key set <volume key in hex format from command above>
# dmsetup resume test

(This is equivalent of luksResume.)

The message command is not accepted if the device is not suspended.
(Suspended means that all IO operations are queued - beware of suspending the device
you run the command from, it will cause a deadlock!)

Note that in the future we will optionally support activation through the kernel keyring,
so you will put the key there, not pass it to dmsetup.

Milan
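
The suspend/wipe and reinstate steps above, wrapped with a guard for the wrong-key case the reply warns about (an added example, not part of the original post and not cryptsetup code). The function names, the fingerprint file and the overridable DMSETUP variable are assumptions of this sketch; it expects sha256sum from coreutils, and the fingerprint file and the script itself must live outside the device being suspended.

```shell
#!/bin/sh
# Added example: refuse to resume a plain dm-crypt mapping unless the supplied
# key matches a SHA-256 fingerprint recorded before the key was wiped.
# The caller still has to keep the volume key itself somewhere off this host's RAM.
DMSETUP=${DMSETUP:-dmsetup}   # overridable (assumption) so the logic can be tested

# Succeeds only for a non-empty, even-length hex string.
is_hex_key() {
    case $1 in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    [ $(( ${#1} % 2 )) -eq 0 ]
}

# Print the key field (field 5) of the active mapping's table line.
get_key() {
    "$DMSETUP" table "$1" --showkeys | cut -d' ' -f 5
}

# Print the SHA-256 of the lower-cased hex key; fails on anything that is not hex.
fingerprint() {
    is_hex_key "$1" || return 1
    printf '%s' "$1" | tr 'A-F' 'a-f' | sha256sum | cut -d' ' -f 1
}

# suspend_wipe NAME FPFILE: record the fingerprint, then suspend and wipe the key.
suspend_wipe() {
    fp=$(fingerprint "$(get_key "$1")") || {
        echo "no hex key readable for $1" >&2; return 1; }
    (umask 077; printf '%s\n' "$fp" > "$2") || return 1
    "$DMSETUP" suspend "$1" && "$DMSETUP" message "$1" 0 key wipe
}

# resume_checked NAME FPFILE HEXKEY: set the key and resume only if it matches.
resume_checked() {
    want=$(cat "$2") || return 1
    if [ "$(fingerprint "$3")" != "$want" ]; then
        echo "key does not match saved fingerprint; $1 stays suspended" >&2
        return 2
    fi
    "$DMSETUP" message "$1" 0 key set "$3" && "$DMSETUP" resume "$1"
}
```

As in the original commands, the key is passed to dmsetup as a command-line argument, so it is visible in the process list while that command runs.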

