Close lid to encrypt Hard disk encryption in Linux suspend mode Tim - - PowerPoint PPT Presentation

▶

Apr 03, 2024 224 likes •398 views

Close lid to encrypt Hard disk encryption in Linux suspend mode Tim Dittler FOSDEM, 02.02.2020 Whats Close lid to encrypt? Project by Jonas Meurer and me Freelancing systems engineers living in Germany Full-disk encryption

SLIDE 1

Close lid to encrypt

Hard disk encryption in Linux suspend mode

Tim Dittler FOSDEM, 02.02.2020

SLIDE 2

2

What‘s „Close lid to encrypt“?

Project by Jonas Meurer and me

– Freelancing systems engineers

living in Germany

Full-disk encryption in suspend mode
For Debian and derivatives

SLIDE 3

3

Why is is useful?

Full-disk encryption protects your

data only at rest

powerofg working suspend working powerofg powerofg working suspend working powerofg

SLIDE 4

4

Why is it diffjcult?

Well, we‘re locking away your running
perating system!
Race conditions

– Prevent access to locked fjlesystems – Otherwise kernel will wait forever

Memory management

– Swap on harddrive is encrypted

SLIDE 5

5

How is it implemented?

systemd-suspend.service cryptsetup-suspend-wrapper

SLIDE 6

6

How is it implemented?

systemd-suspend.service cryptsetup-suspend-wrapper cryptsetup-suspend.c build initramfs; freeze cgroups; chroot

SLIDE 7

7

How is it implemented?

systemd-suspend.service cryptsetup-suspend-wrapper cryptsetup-suspend.c build initramfs; freeze cgroups; chroot kernel mlock; /sys/power/sync_on_suspend = 0; sync; luks-suspend; suspend

SLIDE 8

8

/sys/power/sync_on_suspend ???

SLIDE 9

9

How is it implemented?

systemd-suspend.service cryptsetup-suspend-wrapper (unlock session) clean up; unfreeze cgroups; cryptsetup-suspend.c build initramfs; freeze cgroups; chroot unlock luks devices kernel mlock; /sys/power/sync_on_suspend = 0; sync; luks-suspend; suspend resume

SLIDE 10

10

Demo

SLIDE 11

11

Demo

SLIDE 12

12

What‘s next?

More testing
Merge upstream

– Debian Bullseye: „apt install cryptsetup-suspend“

How to handle situations with low

available memory?

There are more secrets in your

memory than LUKS keys

SLIDE 13

13

Thanks

Cryptsetup authors

– Jana Saout <jana@saout.de> – Clemens Fruhwirth <clemens@endorphin.org> – Milan Broz <gmazyland@gmail.com> – Ondrej Kozina <okozina@redhat.com>

Cryptsetup Debian maintainers

– Guilhem Moulin <guilhem@debian.org> – Jonas Meurer <jonas@freesources.org> –

SLIDE 14

14

Thanks

Inspiration

– Vianney le Clément de Saint-Marcq

<vleclement@gmail.com>

https://github.com/vianney/arch-luks-suspend

– Jen Bowen <jen@nailfarmer.com>

https://github.com/nailfarmer/debian-luks-suspend/

SLIDE 15

15

Thanks

SLIDE 16

Close lid to encrypt

Hard disk encryption in Linux suspend mode

Tim Dittler FOSDEM, 02.02.2020

2

What‘s „Close lid to encrypt“?

– Freelancing systems engineers

living in Germany

3

Why is is useful?

data only at rest

4

Why is it diffjcult?

– Prevent access to locked fjlesystems – Otherwise kernel will wait forever

– Swap on harddrive is encrypted

5

How is it implemented?

6

How is it implemented?

7

How is it implemented?

8

/sys/power/sync_on_suspend ???

9

How is it implemented?

10

Demo

11

Demo

12

What‘s next?

– Debian Bullseye: „apt install cryptsetup-suspend“

available memory?

memory than LUKS keys

13

Thanks

– Jana Saout <jana@saout.de> – Clemens Fruhwirth <clemens@endorphin.org> – Milan Broz <gmazyland@gmail.com> – Ondrej Kozina <okozina@redhat.com>

– Guilhem Moulin <guilhem@debian.org> – Jonas Meurer <jonas@freesources.org> –

14

Thanks

– Vianney le Clément de Saint-Marcq

<vleclement@gmail.com>

– Jen Bowen <jen@nailfarmer.com>

15

Thanks

16

https://salsa.debian.org/ mejo/cryptsetup-suspend/ tim.dittler@systemli.org