[dm-crypt] Dmcrypt and hibernate key disclosure
heiko.rosemann at web.de
Fri Jan 7 11:42:32 CET 2011
-----BEGIN PGP SIGNED MESSAGE-----
On 01/07/11 05:08, Bryan Kadzban wrote:
> Arno Wagner wrote:
>> The other option would be to modify the resume process to
>> ask you for the passphrase to the swap partition. I don't
>> know whether that is possible.
> In an initramfs, I bet it is, though I've never tried it. Resuming from
> hibernate is handled by writing the major:minor of the block device to
> resume from into the /sys/power/resume file, and I would *guess* that
> the device node can be a device-mapper child (such as dm-crypt or LVM
> would create).
I do not know about the details like what needs to be copied in which
stage, but I can confirm that this works with tuxonice: Add to your
initramfs a call to cryptsetup luksOpen enc-swap before initiating the
resume process from /dev/mapper/enc-swap. I know this because this is
the setup I have been using for the last couple of years :)
> Of course, whether any given distro's initramfs setup can actually do
> this (assuming it's possible in the kernel) is a different story. :-)
I have recently tried out archlinux and it is pretty easy to add such a
hook there. They also support udev inside their initramfs, so using a
keyfile on a specific USB device to unlock your swap is also quite easy.
(Using gentoo, I have been running into a lot of trouble with
compatibility issues between udev and busybox-modprobe - used in my
initramfs - lately)
It is also no big deal if you just unlock *all* encrypted partitions
before initiating the resume process, but it does not need to be done.
>> It seems to me that there
>> is actually no software hook or script thet gets executed
>> during resume,
> From hibernate, there is. It's a normal bootup, including initramfs,
> until some string gets written into /sys/power/resume. There might be
> restrictions on when this write can happen, but I'm sure they at least
> allow some initramfs code to run.
Well, most of my initramfs runs before initiating resume :)
eMails verschlüsseln mit PGP - privacy is your right!
Mein PGP-Key zur Verifizierung: http://pgp.mit.edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
More information about the dm-crypt