
Normally I don't shut down my notebook any more in favour of using suspend-to-RAM. The downside is that my encrypted home partition is completely accessible after resume without entering the passphrase. A bad idea if someone steals your notebook...

Looking at cryptsetup's manpage, I've learned that LUKS now supports the luksSuspend and luksResume commands. Have luksSuspend and luksResume been integrated into the scripts doing suspend-to-RAM and resume?

3 Answers


Current problem

When using Ubuntu Full Disk Encryption (which is based on dm-crypt with LUKS) to set up full system encryption, the encryption key is kept in memory when suspending the system. This drawback defeats the purpose of encryption if you carry around your suspended laptop a lot. One can use the cryptsetup luksSuspend command to freeze all I/O and flush the key from memory.

Solution

ubuntu-luks-suspend is an attempt to change the default suspend mechanism. The basic idea is to change to a chroot outside of the encrypted root fs and then lock it (with cryptsetup luksSuspend).

Prinz

Here is another example of Ubuntu 14.04 cryptsetup LUKS suspend/resume of the root partition that "almost works" :-)

One reason it works for Arch and "almost works" for Ubuntu could be that the Ubuntu kernel, as of

  Linux system 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

is still "too old": the following patch is not in it yet:

make sync() on suspend-to-RAM optional

so any pm-utils or user code that issues any form of "clear keys & sleep" request, such as:

  cryptsetup luksSuspend root
  echo -n "mem" >/sys/power/state

will result in the kernel making a call to sys_sync(), which in turn causes a deadlock in dm-crypt (by design, after luksSuspend).
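The two answers above describe two separate traps: the suspend step must not touch anything on the encrypted root once the mapping is suspended (the chroot idea from the first answer), and the kernel must not call sys_sync() for you after luksSuspend (the deadlock from the second). The script below is an added example that puts both together; it is my own code, not the question's or ubuntu-luks-suspend's. It assumes the root mapping is called cryptroot (override with ROOT_MAPPING), that /run is a tmpfs, and that the kernel either exposes /sys/power/sync_on_suspend or was built with CONFIG_SUSPEND_SKIP_SYNC; the helper names (kernel_skips_sync, copy_with_libs, build_ramroot, suspend_with_locked_root) are mine.

```shell
#!/bin/sh
# Added example (my own, not code from the question or from ubuntu-luks-suspend):
# suspend-to-RAM with the LUKS root key wiped, built around two failure modes:
#   1. once the root mapping is suspended, any page fault on a file that lives
#      on the encrypted root blocks forever, so the suspend step runs from copies
#      of sh and cryptsetup in a tmpfs chroot, not from the real /bin and /sbin;
#   2. the kernel's own sys_sync() on entering suspend deadlocks behind the
#      suspended dm-crypt device, so we sync beforehand and refuse to continue
#      unless the kernel is known to skip that sync.
# Assumptions: the root mapping is named $ROOT_MAPPING ("cryptroot" by default;
# use the name from /etc/crypttab), /run is a tmpfs, and the kernel exposes
# /sys/power/sync_on_suspend (5.6+) or was built with CONFIG_SUSPEND_SKIP_SYNC.
# Run as root from a virtual console: luksResume prompts on the terminal.
set -u

ROOT_MAPPING="${ROOT_MAPPING:-cryptroot}"

# Returns 0 when the kernel will not call sys_sync() itself on "echo mem".
# Both paths are parameters so the check can be run against arbitrary files.
kernel_skips_sync() {
    knob="$1"; kconfig="$2"
    if [ -r "$knob" ]; then
        # Runtime knob present: 0 means "do not sync on suspend".
        [ "$(cat "$knob")" = "0" ] && return 0
        return 1
    fi
    # No knob (older kernels): fall back to the build-time option.
    [ -r "$kconfig" ] && grep -qx 'CONFIG_SUSPEND_SKIP_SYNC=y' "$kconfig" && return 0
    return 1
}

# Copy each program plus the shared libraries ldd reports for it under $dest,
# preserving paths, so it can run from a chroot without touching the real root.
copy_with_libs() {
    dest="$1"; shift
    for bin in "$@"; do
        path="$(command -v "$bin")" || { echo "$bin: not found" >&2; return 1; }
        mkdir -p "$dest$(dirname "$path")" && cp -L "$path" "$dest$path"
        # ldd prints "libc.so.6 => /lib/.../libc.so.6 (0x...)" and
        # "/lib64/ld-linux-x86-64.so.2 (0x...)"; keep only the absolute paths.
        ldd "$path" | awk '$2 == "=>" && $3 ~ /^\// {print $3} $1 ~ /^\// {print $1}' |
            sort -u | while read -r lib; do
                mkdir -p "$dest$(dirname "$lib")" && cp -L "$lib" "$dest$lib"
            done
    done
}

# Build the tmpfs chroot: our own sh and cryptsetup, plus bind mounts of the
# pseudo filesystems device-mapper needs (/dev for dm-control, /run for
# cryptsetup's lock directory and udev).
build_ramroot() {
    ramroot="$(mktemp -d /run/luks-suspend.XXXXXX)" || return 1
    copy_with_libs "$ramroot" sh cryptsetup || return 1
    for d in dev proc sys run; do
        mkdir -p "$ramroot/$d" && mount --bind "/$d" "$ramroot/$d" || return 1
    done
    echo "$ramroot"
}

# Everything after luksSuspend runs inside the chroot from the copied sh, so no
# code path needs the encrypted root until luksResume has succeeded.
suspend_with_locked_root() {
    ramroot="$1"
    # Ask the kernel not to sync for us where the knob exists, then verify.
    [ -w /sys/power/sync_on_suspend ] && echo 0 > /sys/power/sync_on_suspend
    if ! kernel_skips_sync /sys/power/sync_on_suspend "/boot/config-$(uname -r)"; then
        echo "kernel would sys_sync() after luksSuspend and deadlock; refusing" >&2
        return 1
    fi
    sync   # flush dirty pages ourselves while the mapping still accepts I/O
    chroot "$ramroot" "$(command -v sh)" -c '
        set -e
        cs="$2"
        "$cs" luksSuspend "$1"                 # freeze I/O, wipe the key from RAM
        printf mem > /sys/power/state          # S3; returns after wake-up
        until "$cs" luksResume "$1"; do        # passphrase prompt on the console
            echo "luksResume failed, try again" >&2
        done
    ' sh "$ROOT_MAPPING" "$(command -v cryptsetup)"
}

case "${1:-}" in
    suspend)
        ramroot="$(build_ramroot)" || exit 1
        suspend_with_locked_root "$ramroot"
        ok=0
        for d in run sys proc dev; do umount "$ramroot/$d" || ok=1; done
        [ "$ok" = 0 ] && rm -rf "$ramroot"   # never rm over a still-bound /dev
        ;;
esac
```

Run it as `sh luks-suspend.sh suspend` from a text console as root. The refusal path in suspend_with_locked_root is exactly the 14.04 situation from the answer above: with neither the sysfs knob nor CONFIG_SUSPEND_SKIP_SYNC, writing mem after luksSuspend would hang in sys_sync(), so the script stops before issuing luksSuspend rather than leaving the machine awake with a frozen root device.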


Actually, you just need to ensure that your screensaver passphrase is required on resume from suspend, and you'll be safe.

This will ensure that someone resuming your laptop from suspend will have to enter a password before they can get into the computer.
