[dm-crypt] luksSuspend for plain dm-crypt

dm-crypt at stachelkaktus.net dm-crypt at stachelkaktus.net
Tue Aug 29 14:42:30 CEST 2017


Hello Milan,

thanks a lot, that helps.

> it is quite easy with dmsetup, but unlike LUKS, there is not a way how
> you can check that reinstated key is correct (you can resume target with different
> key and cause severe data corruption - that's why we do not support it in cryptsetup).

Ok, I can understand that problem. I will fix it in my script with a
compare to SHA-256(key) that I will store on the ramdisk. Only if the
key matches the script will continue.

> Note that in future we will optionally support activation through kernel keyring,
> so you will put key there, not to dmsetup.

That sounds interesting, but I'm not sure if it will help. I try to kill
the erase the key before I suspend on ram so that cold boot attack don't
work here. If its in the kernel keyring It should be still possible to
find it in the memory. Or have I misread that keyring conzept?

-- 
cheers

wof


More information about the dm-crypt mailing list