I'm on Ubuntu 13.04 using full disk encryption (LVM on top of LUKS).

I would like to incorporate luksSuspend into the suspend procedure (and later use luksResume) so that I can suspend to RAM without leaving key material in memory and the root unlocked.

I've been trying for the last 7 hours to port a script for Arch Linux, so far without success: I honestly have no idea of what I'm doing…

Can anyone help me port this (or create something like this from scratch)? Or, at least, can anyone point me to documentation about how to hook stuff into the suspend procedures and how to keep the necessary binaries and scripts (such as cryptsetup) available even after all IO to root has been blocked (by luksSuspend)?

Concerning how to keep the necessary binaries and scripts available for resume, this other blog post (also for Arch) copied them to /boot; I would like however to use something more along the lines of what Vianney used in the script I mentioned before, because that approach appears to be a bit more elegant in this aspect.
Best Answer
I've come across the same problem, so I took another shot at porting the same script, which you can see here. It doesn't touch any non-volatile storage after luksSuspend, so it works even with real full-disk encryption with an encrypted /boot. However, you'll need to be careful -- it might not work as expected occasionally!

The ported script does the following:

- bind-mounts the pseudo filesystems (/sys, /proc, /dev, /run) into the ramfs mount
- runs luksSuspend, and puts the computer to sleep
- on wake-up, runs luksResume, remounts filesystems, restarts services, and unmounts the bind mounts in the initramfs mount

I've yet to do extensive testing on my script, but it seems to work reliably for me. If you use another filesystem (i.e. not ext4 or btrfs), then you might experience issues with barrier, so you'll need to modify the script too.
Either way, it's good to test and verify that the scripts work first. If you experience hangs while attempting to put Linux into S3 (i.e. at echo mem > /sys/power/state), then you should be able to recover:

1. Beforehand, open a tty and run: sudo cryptsetup luksResume anything_here
2. If it hangs before the initramfs has taken over (i.e. before "starting version xxx" is displayed on the new vt), switch to the tty you opened earlier and run: sudo cryptsetup luksResume your_luks_device_name_here
3. Otherwise, chroot into the unpacked initramfs at /run/initramfs: sudo chroot /run/initramfs /bin/ash
4. and run luksResume: cryptsetup luksResume your_luks_device_name_here && exit
5. Then unmount the bind mounts in /run/initramfs, and remount your root filesystem with barrier if applicable.
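The sequence the answer describes (unpack the initramfs into a ramfs, bind-mount the pseudo filesystems, drop barriers, luksSuspend, sleep, luksResume, restore barriers, clean up), written out as an added example. This is not the answer's script nor the ubuntu-luks-suspend project's code; it is a separate illustration with these hypothetical assumptions: the root LV sits on the dm-crypt mapping named in the first argument (e.g. sda5_crypt), /boot/initrd.img-$(uname -r) is a gzip-compressed cpio that contains cryptsetup and /bin/sh (Ubuntu's cryptroot hook adds cryptsetup to the initrd), and the MOUNTS/MTAB/DRY_RUN variables are this example's own knobs, not anything cryptsetup or initramfs-tools provide.

```shell
#!/bin/sh
# Added example, not the answer's script: wrap an S3 suspend in
# luksSuspend/luksResume, running everything after luksSuspend from a ramfs
# copy of the initramfs so nothing has to be paged in from the blocked root.
# Hypothetical assumptions: the root LV sits on the dm-crypt mapping named in
# $1 (e.g. sda5_crypt); /boot/initrd.img-$(uname -r) is a gzip'd cpio archive
# containing cryptsetup and /bin/sh.  DRY_RUN=1 prints the commands instead
# of executing them.
set -eu

RAMFS=${RAMFS:-/run/initramfs}
INITRD=${INITRD:-/boot/initrd.img-$(uname -r)}

run() {                 # execute the command, or print it under DRY_RUN=1
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Unpack the initramfs into a ramfs: RAM only, never written to disk, and
#    read from /boot now, while the root mapping is still unlocked.
unpack_initramfs() {
    run mkdir -p "$RAMFS"
    run mount -t ramfs ramfs "$RAMFS"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "zcat $INITRD | cpio -id (into $RAMFS)"
    else
        zcat "$INITRD" | (cd "$RAMFS" && cpio -id --quiet)
    fi
}

# 2. Bind-mount the pseudo filesystems the chroot needs (and undo it later).
bind_pseudofs()   { for d in /sys /proc /dev /run; do run mount --bind "$d" "$RAMFS$d"; done; }
unbind_pseudofs() { for d in /run /dev /proc /sys; do run umount "$RAMFS$d"; done; run umount "$RAMFS"; }

# 3. Barrier handling, following the answer's caveat: a write barrier flushed
#    against the suspended mapping blocks, so drop barriers on the ext4/btrfs
#    mounts listed in $MOUNTS before luksSuspend and restore them afterwards.
#    Other filesystem types are skipped and reported.  MTAB may point at a
#    constructed mount table for offline testing (default: /proc/mounts).
set_barriers() {        # $1 = nobarrier | barrier
    for mnt in ${MOUNTS:-/}; do
        fstype=$(awk -v m="$mnt" '$2 == m { print $3 }' "${MTAB:-/proc/mounts}" | tail -n 1)
        case "$fstype" in
            ext4|btrfs) run mount -o "remount,$1" "$mnt" ;;
            *) echo "set_barriers: skipping $mnt (${fstype:-not mounted})" >&2 ;;
        esac
    done
}

# 4. The part that must not touch the root filesystem.  It runs inside the
#    ramfs chroot; luksResume is retried until it succeeds, because a failed
#    resume would leave the root blocked with no way to page anything in.
chroot_script() {       # $1 = dm-crypt mapping name
    cat <<EOF
sync
cryptsetup luksSuspend $1
echo mem > /sys/power/state
until cryptsetup luksResume $1; do :; done
EOF
}

luks_suspend_cycle() {  # $1 = dm-crypt mapping name
    name=$1
    if [ "${DRY_RUN:-0}" != 1 ] && [ ! -e "/dev/mapper/$name" ]; then
        echo "no such dm-crypt mapping: $name" >&2; return 1
    fi
    unpack_initramfs
    bind_pseudofs
    set_barriers nobarrier
    run chroot "$RAMFS" /bin/sh -c "$(chroot_script "$name")"
    set_barriers barrier
    unbind_pseudofs
}

case "${1:-}" in
    "") echo "usage: $0 <dm-crypt mapping name>   (DRY_RUN=1 to print the plan)" >&2 ;;
    *)  luks_suspend_cycle "$1" ;;
esac
```

Run it as root from a text console, with a second tty already prepared as in the recovery steps above, and look at the DRY_RUN=1 plan first. The reason everything after luksSuspend is a single chroot into the ramfs is the point the question raises: once the mapping is suspended, any binary or library that is not already in RAM can no longer be paged in from the root filesystem, so cryptsetup and the shell that drives it must come from the unpacked initramfs. Stopping and restarting services, which the answer's script also does, is left out here.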