Since Linux 6.9, LUKS suspend stopped wiping disk-encryption keys from memory
- Security
- Linux
- Infrastructure
- Open Source
The post traced a regression introduced in Linux 6.9 that broke a security assumption behind `cryptsetup luksSuspend`, an optional feature used by Debian and ported elsewhere to wipe the LUKS volume key from memory during suspend and require a passphrase again on resume. From the user’s point of view, everything still looked correct. The machine woke up and asked for the password. The problem was that an extra copy of the key remained in kernel memory anyway because a kernel keyring lifetime guarantee no longer held after a refactor. That made this a nasty silent failure, not a crash or obvious breakage.
If you rely on encrypted suspend rather than full hibernation, verify your distro’s exact behavior and add tests for it instead of trusting the prompt on resume. More broadly, treat disk encryption on sleeping laptops as protection that depends heavily on your physical-access threat model, not as a blanket guarantee.
- mathstodon.xyz