Gentoo Forums
LUKS ask for passphrase after waking up from sleep
luckylinux
n00b


Joined: 17 Mar 2012
Posts: 12

Posted: Sat Oct 27, 2012 5:03 pm    Post subject: LUKS ask for passphrase after waking up from sleep

Until now I always encrypted my whole / (with a separate unencrypted /boot) partition, however since I almost always put my computer to sleep instead of turning it off, encryption seems to be ineffective.


The reason for this is that if someone steals my PC and doesn't reboot it (or the battery dies), they will have access to all of my data - if they manage to log in on the computer (which IMHO can be prevented by something like grsecurity or putting a maximum # of login attempts before locking the system - or rebooting it) - they would be able to see all of my data and settings.

I see now there is an alternative that may be able to solve this problem but would require some additional configuration (editing the init scripts, ...): "luksSuspend" / "luksResume". I would therefore need to leave the following directories unencrypted:

  • /boot (especially if using GPT)
  • /
  • /sbin (for cryptsetup)


I don't know if other directories should also be left unencrypted. Since all init scripts are in /etc/rc.d, maybe they should be left unencrypted as well, but that's a BIG security risk (/etc usually contains all networking passwords like VPN's, maybe other devices' encryption keys, ...). Not sure if a random-key encrypted swap would pose a problem (probably it does).


Did any of you try to implement luksSuspend / luksResume? How did you do that?
Or are there other alternatives?

Remark: I'm looking to implement suspend to ram (also known as "sleep" / "standby mode" / "suspend") with encryption support. I'm NOT looking to implement suspend to disk (also known as "hibernate"). Since almost all of my PCs run on SSDs swap would be nonsense. For a desktop I may as well put a HDD dedicated for swap, but with 16GB+ RAM I don't think I'll ever need it (but who knows :? ).

Edit: I'd also like to be able to mount my encrypted partition(s) over SSH (using the Dropbear trick into the initramfs image)
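The luksSuspend / luksResume sequence asked about in the post above, as an added example that is not code from any poster in this thread. It assumes hypothetical mapping names such as "cryptroot", and that sh, cryptsetup, dmsetup and sleep are run from a tmpfs copy, since any access to a suspended root filesystem blocks until luksResume.

```shell
#!/bin/sh
# Added example: drop LUKS volume keys from kernel memory across suspend-to-RAM.
# Assumptions: mapping names (e.g. "cryptroot") are hypothetical and contain no
# spaces; sh, cryptsetup, dmsetup and sleep are run from a tmpfs copy, because
# any access to a suspended root filesystem blocks until luksResume.
DRY_RUN=${DRY_RUN:-1}            # 1 = print the steps only, 0 = execute them

run() {                          # print or execute one step
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Reads `dmsetup info <name>` output on stdin; true only if State is SUSPENDED.
is_suspended() {
    awk -F': *' '$1 == "State" { s = $2 } END { exit (s ~ /^SUSPENDED/ ? 0 : 1) }'
}

suspend_with_keys_wiped() {
    frozen=""; ok=1
    run sync                     # flush dirty pages before I/O is frozen
    for m in "$@"; do
        run cryptsetup luksSuspend "$m" || { ok=0; break; }
        frozen="$frozen $m"
        # Confirm the mapping is really frozen before the machine sleeps.
        [ "$DRY_RUN" = 1 ] || dmsetup info "$m" | is_suspended || { ok=0; break; }
    done
    if [ "$ok" = 1 ]; then
        run sh -c 'echo mem > /sys/power/state'    # returns after wake-up
    else
        echo "not sleeping: a volume could not be suspended" >&2
    fi
    for m in $frozen; do         # always thaw whatever was frozen
        # luksResume prompts for the passphrase; retry until it succeeds.
        until run cryptsetup luksResume "$m"; do sleep 1; done
    done
    [ "$ok" = 1 ]
}

# With arguments, act on those mappings (dry run unless DRY_RUN=0).
[ $# -eq 0 ] || suspend_with_keys_wiped "$@"
```

luksSuspend wipes the volume key from kernel memory, but data already decrypted into RAM stays there until the machine is powered off.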
rufnut
Apprentice


Joined: 16 May 2005
Posts: 184

Posted: Sat Dec 15, 2012 1:54 am

Quote:
Remark: I'm looking to implement suspend to ram (also known as "sleep" / "standby mode" / "suspend") with encryption support. I'm NOT looking to implement suspend to disk (also known as "hibernate"). Since almost all of my PCs run on SSDs swap would be nonsense. For a desktop I may as well put a HDD dedicated for swap, but with 16GB+ RAM I don't think I'll ever need it (but who knows :? ).


Hi, I don't run SSD but if I did, I would still hibernate.

Code:
 free
             total       used       free     shared    buffers     cached
Mem:      16362728    5217692   11145036          0     135720    3418856
-/+ buffers/cache:    1663116   14699612
Swap:     10485756          0   10485756


I don't think my 10GB swap gets used for much anyway.

Otherwise maybe you could look at Tresor.

I was suspending before with a similar setup to you but just adding:
Code:
real_resume=/dev/whatever/swap resume=/dev/whatever/swap

The above was enough to make it work once I resized my swap in the encrypted LVM container.

Quote:

Edit: I'd also like to be able to mount my encrypted partition(s) over SSH (using the Dropbear trick into the initramfs image)


This has also been done but has a minor vulnerability.

I don't know much about this subject but it seems to just work for me.
(never thought I would say that about linux and its abilities let alone encryption.)

:)
All times are GMT