Ubuntu – How to make suspend to RAM secure on Ubuntu with full disk encryption (LVM on top of LUKS)

encryptionlukslvmsuspendUbuntu

I'm on Ubuntu 13.04 using full disk encryption (LVM on top of LUKS).

I would like to incorporate luksSuspend into the suspend procedure (and later use luksResume) so that I can suspend to RAM without leaving key material on memory and the root unlocked.

I've been trying for the last 7 hours to port a script for Arch Linux, so far without success: I honestly have no idea of what I'm doing…

Can anyone help me port this (or create something like this from scratch)? Or, at least, can anyone point me to documentation about how to hook stuff into the suspend procedures and how to keep the necessary binaries and scripts (such as cryptsetup) available even after all IO to root has been blocked (by luksSuspend)?

Concerning how to keep the necessary binaries and scripts available for resume, this other blog post (also for Arch) copied them to /boot; I would like however to use something more in the lines what Vianney used in the script I mentioned before, because that approach appears to be a bit more elegant in this aspect.

Best Answer

I've come across the same problem, so I took another shot at porting the same script, which you can see here. It doesn't touch any non-volatile storage after luksSuspend, so it works even with real full-disk encryption with an encrypted /boot. However, you'll need to be careful -- it might not work as expected occasionally!

The ported script does the following:

Create a ramfs mount somewhere
Extract the contents of initramfs there (including the initramfs suspend script)
Bind mount relevant directories (e.g. /sys, /proc, /dev, /run) to the ramfs mount
Stop any services that may interfere (systemd-udevd, systemd-journald)
Remount the root filesystem (ext4 or btrfs) with nobarrier so Linux doesn't hang while trying to go into S3, then sync
Chroot into the initramfs mount, which syncs again, runs luksSuspend, and puts the computer to sleep
After wake, luksResume, remount filesystems, restart services, unmount bind mounts in the initramfs mount
Finally, unmount the initramfs mount so that we free the RAM used for the initramfs files

I've yet to do extensive testing on my script, but it seems to work reliably for me. If you use another filesystem (i.e. not ext4 or btrfs), then you might experience issues with barrier, so you'll need to modify the script too.

Either way, it's good to test and verify that the scripts work first. If you experience hangs while attempting to put Linux into S3 (i.e. at echo mem > /sys/power/state), then you should be able to recover:

Before suspending, open a tty or other terminal (that will be accessible, so ideally a tty)
Load cryptsetup and relevant libraries into RAM: sudo cryptsetup luksResume anything_here
Suspend using the script
If it hangs after the chroot (e.g. after starting version xxx is displayed on the new vt), switch to the tty you opened earlier and run sudo cryptsetup luksResume your_luks_device_name_here
If that hangs too, open another vt and chroot into /run/initramfs: sudo chroot /run/initramfs /bin/ash
Try to run luksResume: cryptsetup luksResume your_luks_device_name_here && exit
Your computer should then suspend. You can then wake it up, kill the script(s) if they are still running, unmount the bind mounts and /run/initramfs, and remount your root filesystem with barrier if applicable.

Related Solutions

Uefi and full disk encryption with lvm on luks

Yeah, i know it's a pretty late answer but, better late than never...

I don't know if Debian has the tools to do it, but using Arch Linux you can create a disk layout like this:

EFI partition(mounted /boot/efi) with grub EFI bootloader, formated fat32 EFI type partition EF00. Could be your /dev/sda1. This partition will only hold grub stub, to ask password to mount your boot partition.
boot partition(mounted /boot) that is a luks crypto device. After crypto unlocking this partition, you can format it using any filesystem that grub supports to but(ext4 for example). This will be your /dev/sda2
Crypto device that will store all remaining partitions as logical volumes. Crypto device, with LVM and its logical volumes(3 layers). This will be your /dev/sda3.
- Here, you can create as many logical volumes as you want/need. The key that unlocks this partition will be used to access data on all it's logical volumes.

Borrowing from Arch Wiki, this is how your disk layout will looks like:

+---------------+----------------+----------------+----------------+----------------+
|ESP partition: |Boot partition: |Volume 1:       |Volume 2:       |Volume 3:       |
|               |                |                |                |                |
|/boot/efi      |/boot           |root            |swap            |home            |
|               |                |                |                |                |
|               |                |/dev/store/root |/dev/store/swap |/dev/store/home |
|/dev/sdaX      |/dev/sdaY       +----------------+----------------+----------------+
|unencrypted    |LUKS encrypted  |/dev/sdaZ encrypted using LVM on LUKS             |
+---------------+----------------+--------------------------------------------------+

Caveats:

Grub will ask for a password to unlock /boot, initial ram disk will ask for a password AGAIN(cause for him, /boot is locked), and probably while mounting your root partition this will happen once more. The trick here is to use a master key inside your /boot(and maybe inside your initrd with the FILES= option of mkinitcpio and add it with luksAddKey. Your boot partition is encrypted so, there is no need to be worried cause the key is inside an encrypted partition. chmod 000 keyfile.bin is your friend.
Add encrypt lvm2 to mkinitcpio hooks.
If for some reason your system is not able to use the key, a password will be asked again.
You will still be vulnerable to Evil Maid attacks that explore Cold Boot failures. The best you can do here is:
- Enable Secure Boot.
- Sign your Grub EFI.
- Revoke Microsoft CA on your Motherbord(you know, can't trust anyone).
- Remember to Sign you grub efi whenever you have a grub-efi package update.

Further Reading:

After some research about the need of keeping boot partition outside lvm(as far as i know, grub-pc/bios had lvm and luks modules) i found this guy on Arch Forums confirming that there is no need to keep /boot on a spare crypto partition.

You can install grub on your ESP, and also tell it to read the configuration files from esp like this:

# grub-install --target=x86_64-efi --efi-directory=esp --bootloader-id=grub --boot-directory=esp

after that, regenerate conf:

# grub-mkconfig -o esp/grub/grub.cfg

And, it seems that grub is the only bootloader that have support to boot lvm+crypto without a separated /boot partition.

Linux – How to manually setup grub on a seperate boot partition with LVM over LUKS full disk encryption

I usually recover grub from within chroot. So, boot from a live distro and...

Open the LUKS volume:

# cryprsetup open /dev/sdc2 luks-mint

Activate LVM volumes:

# vgscan
# vgchange -a y vg_mint
# lvscan

Mount Mint and get ready for chroot:

# mount /dev/mapper/vg_mint-root /mnt
# mount /dev/sdc1 /mnt/boot
# mount --rbind /dev /mnt/dev
# mount --rbind /sys /mnt/sys
# mount -t proc none /mnt/proc

chroot into Mint:

# env -i HOME=/root TERM=$TERM chroot /mnt bash -l

Configure and install grub, exit chroot:

(chroot)# grub2-mkconfig > /boot/grub2/grub.cfg
(chroot)# grub2-install /dev/sdc
(chroot)# exit

Reboot.

P.S.: replace VG and LV names accordingly.

P.P.S: i assumed Linux Minut uses grub2, if not, remove the '2' from both grub commands.

Best Answer

Related Solutions

Uefi and full disk encryption with lvm on luks

Linux – How to manually setup grub on a seperate boot partition with LVM over LUKS full disk encryption

Related Question