Since Linux 6.9, LUKS suspend stopped wiping disk-encryption keys from memory
A critical security flaw was unearthed in Linux 6.9+ where LUKS disk encryption failed to wipe keys from memory upon suspend, leaving systems vulnerable for over two years. This silent failure, stemming from a seemingly innocuous code refactoring, highlights the treacherous complexities of kernel development and the constant vigilance required for robust security. The discovery, followed by a one-line fix and new safeguards, has sparked a lively debate on HN about the intricacies of open-source security and the practical realities of system suspend states.
The Lowdown
A significant vulnerability affecting Linux users since kernel 6.9 (May 2024) has been exposed: the cryptsetup-luksSuspend tool, intended to wipe disk encryption keys from memory when a laptop suspends, was silently failing. This left full-disk encrypted systems susceptible to cold boot attacks or memory forensics if seized while powered on in a suspended state.
- The Bug: For over two years, Linux systems running kernels 6.9 and later did not properly clear LUKS disk encryption keys from RAM upon suspend, contrary to expectations and previous kernel behavior.
- Impact: This created a significant security hole, as the encryption key remained resident in memory, making data potentially accessible to attackers if the suspended laptop was physically compromised.
- Root Cause: The issue was traced to a "sensible and useful refactoring" in the kernel, which inadvertently introduced a long-range interaction that broke the key-wiping functionality in the encryption code.
- The Fix: The author, Ingo Blechschmidt, painstakingly debugged the problem and identified a fix that amounted to a single line of code.
- Mitigation & Prevention: Beyond the immediate patch, efforts are underway to add an automated test (via NixOS) to prevent similar regressions and to implement a warning mechanism (in cryptsetup) if the `luksSuspend` command fails.
The discovery underscores the immense challenges in maintaining complex software systems like the Linux kernel, where subtle changes can have far-reaching and critical security implications, often going unnoticed for extended periods.
The Gossip
Suspending Security Scrutiny
Commenters initially questioned whether keys are *ever* supposed to be wiped during suspend-to-RAM, confusing it with hibernate. The original poster clarified that `cryptsetup-luksSuspend` is a specific mechanism designed to do exactly that, and it had worked reliably until kernel 6.9. This distinction was crucial, highlighting that the bug wasn't a misunderstanding of suspend, but a failure of an explicit security feature.
Kernel Complexity's Consequences
A recurring sentiment was that such an obscure, yet critical, bug is a symptom of the Linux kernel's massive and decentralized development. Some argued it's an inevitable "hodgepodge" where no single person can grasp the entirety, making such regressions hard to prevent. Others countered that this complexity is a natural outcome of any large, evolving codebase, proprietary or open-source, and that open-source at least allows for community scrutiny and eventual discovery/fix of such issues, unlike potential covert backdoors in closed systems.
To Suspend or to Shut Down?
The discussion branched into the practicalities and security trade-offs of different power states. Some users advocated for full shutdowns due to Linux's long-standing suspend reliability issues, while others found this impractical or environmentally unsound. The author also introduced 'suspend to (encrypted) swap' as a potential middle-ground for better security. A brief tangent also debated whether VeraCrypt is the 'canonical' Windows encryption software, with some asserting BitLocker's dominance in enterprise.