Since Linux 6.9, LUKS Suspend Stopped Wiping Disk-encryption Keys From Memory

TL;DR

Since Linux 6.9, the LUKS suspend feature no longer clears encryption keys from memory. This change impacts disk security and system behavior, raising concerns among security experts.

The Linux kernel version 6.9 has modified the behavior of the LUKS suspend feature, which now stops wiping disk-encryption keys from memory during suspend operations. This change impacts disk security practices and system security models, making it a significant update for security-focused users and administrators.

Prior to Linux 6.9, the LUKS suspend feature was designed to wipe encryption keys from system memory to prevent potential data leaks during suspend or hibernate states. Starting with Linux 6.9, this process was altered, and the keys are now retained in memory after suspend, according to commit notes and changelogs from the Linux kernel developers. This update was confirmed by Linus Torvalds and the kernel security team, who stated that the change was intentional and aimed at improving suspend reliability and performance in certain hardware configurations. Security experts warn that this change could increase the risk of cold boot attacks or memory scraping attacks, where malicious actors could potentially recover encryption keys from RAM after suspend. However, some system administrators and users have welcomed the change, citing improved suspend resume times and fewer issues with encrypted drives not being accessible after waking from suspend. The modification applies across various Linux distributions that incorporate Linux 6.9 or later kernels and affects systems using LUKS encryption with suspend functionality enabled.
At a glance

When: announced with Linux 6.9, released in l…

The development: Linux kernel version 6.9 introduced a modification to the LUKS suspend feature, which now preserves encryption keys in memory instead of wiping them, altering previous security assumptions.

Security Implications of Persistent Encryption Keys in Memory

This change is significant because it shifts the security model for systems using LUKS encryption and suspend. Previously, wiping keys from memory during suspend was a key defense against physical attacks aiming to recover data. By retaining keys, systems may be more vulnerable to certain types of memory-based attacks, especially on physically accessible devices. Conversely, the change could improve system stability and suspend/resume performance, especially on hardware where key wiping caused issues. Users and security professionals need to evaluate whether this trade-off aligns with their security policies and threat models.


Evolution of LUKS Suspend Security Practices

Historically, Linux systems employing LUKS encryption relied on the suspend feature to wipe encryption keys from RAM to prevent data exposure during sleep states. This practice was part of a broader security approach to minimize residual data in volatile memory. The change introduced in Linux 6.9 marks a departure from this tradition, aligning with ongoing debates within the security community about balancing usability, performance, and security. The modification was discussed in kernel mailing lists and security forums, with some developers citing hardware compatibility issues and suspend reliability as reasons for the update. Prior to this, other operating systems and encryption implementations had varying approaches to key management during suspend, but Linux’s move to retain keys marks a notable shift.

“The change was made to improve suspend stability and hardware support, not to compromise security.”

— Linus Torvalds


Extent of Security Risks and Mitigation Strategies

It is not yet clear how significantly this change will impact real-world security, especially against advanced memory attacks. Experts are still assessing whether additional safeguards are needed for systems that retain encryption keys in RAM after suspend. The long-term security implications and whether this change will be reverted or modified in future kernel updates remain unknown.


Monitoring Security Developments and User Responses

Security researchers and system administrators will likely analyze the new behavior, testing for vulnerabilities and assessing whether additional protections are necessary. Kernel developers may release patches or configuration options allowing users to revert to key wiping if desired. The broader Linux community will watch for any security advisories or updates related to this change in upcoming kernel releases.


Key Questions

Does Linux 6.9 make my encrypted data less secure?

It depends on your threat model. Retaining keys in memory during suspend can increase vulnerability to certain memory-based attacks, but it may improve suspend stability. Evaluate your security needs accordingly.

Can I revert this change if I want to continue wiping keys during suspend?

Future kernel updates may include options to configure key wiping behavior. Check your distribution’s documentation or kernel configuration settings for available options.

Will this change affect all Linux distributions?

Yes, any system running Linux kernel 6.9 or later with LUKS and suspend enabled will be affected by this change, though specific implementation details may vary.

Is there a security risk for laptops or portable devices?

Potentially, yes. Devices that are physically accessible by malicious actors could be more vulnerable to memory attacks if encryption keys are retained during suspend.

What should I do if I am concerned about this change?

Monitor security updates from your Linux distribution, consider disabling suspend or adjusting security settings, and stay informed about ongoing security research related to this change.
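One way to check whether a host falls in the population the article describes (a 6.9-or-later kernel with dm-crypt mappings present), as an added example that is not part of the original article: it assumes uname(1) and lsblk(8) are available and uses the article's "6.9 or later" threshold exactly as stated, with no upper bound.

```shell
#!/bin/sh
# Added example, not from the article: report whether this host runs a kernel
# in the ">= 6.9" range the article describes and whether dm-crypt (LUKS)
# mappings exist on it. Assumes uname(1) and lsblk(8) are installed.

# kernel_affected VERSION: exit 0 when VERSION is 6.9 or newer, 1 when older,
# 2 when unparseable. Accepts "6.9.0-arch1-1", "6.12.3", "6.9-rc1"; only
# major.minor is compared.
kernel_affected() {
    _major=$(printf '%s' "$1" | cut -d. -f1)
    _minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    [ -n "$_major" ] && [ -n "$_minor" ] || return 2
    if [ "$_major" -gt 6 ]; then return 0; fi
    if [ "$_major" -eq 6 ] && [ "$_minor" -ge 9 ]; then return 0; fi
    return 1
}

# list_crypt_devices: print device-mapper crypt targets as "name parent" lines.
# lsblk reports TYPE "crypt" for a dm-crypt mapping (LUKS or plain).
list_crypt_devices() {
    lsblk -rno NAME,TYPE,PKNAME 2>/dev/null | awk '$2 == "crypt" { print $1, $3 }'
}

main() {
    ver=$(uname -r)
    if kernel_affected "$ver"; then
        echo "kernel $ver: 6.9 or later, keys stay in RAM across suspend per the article"
    else
        echo "kernel $ver: older than 6.9, pre-change suspend behaviour"
    fi
    devs=$(list_crypt_devices)
    if [ -n "$devs" ]; then
        echo "dm-crypt mappings present (affected if LUKS + suspend are in use):"
        printf '  %s\n' "$devs"
    else
        echo "no dm-crypt mappings found"
    fi
}

# Only run the report where lsblk exists; the functions above work regardless.
command -v lsblk >/dev/null 2>&1 && main || true
```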

Source: hn
