A script for Debian to lock the encrypted root volume on suspend.
Modified from the original arch-luks-suspend for Arch Linux.
Further modified to work on Buster.
Now with optional GUI support through the Plymouth boot splash!
When using Debian's default full-disk encryption with LUKS, the encryption
key is kept in memory when suspending the system. This drawback defeats the
purpose of encryption if you carry around your suspended laptop a lot. One
can use the cryptsetup luksSuspend command to freeze all I/O and flush the
key from memory, but special care must be taken when applying it to the root
device.
The debian-luks-suspend script replaces the default suspend mechanism of
systemd. It changes root to the initramfs in order to perform the
luksSuspend, actual suspend, and luksResume operations.
When successfully completed, it uses loginctl to unlock the user session to reduce password fatigue.
With kernels prior to 5.6, to avoid hangs when suspending, you will need a kernel compiled with CONFIG_SUSPEND_SKIP_SYNC=y. The default Debian kernels do not have this option enabled. See the kernel team documentation for instructions on how to compile a custom kernel for Debian.
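A pre-install check for the kernel requirement above, as an added example that is not part of the project's scripts. The function names are hypothetical, and it assumes the kernel config is at /boot/config-<release>, where Debian kernel packages install it.

```shell
#!/bin/sh
# Added example (not from debian-luks-suspend): check whether the running
# kernel meets the CONFIG_SUSPEND_SKIP_SYNC requirement before installing.

# Return 0 if the release (e.g. "4.19.0-27-amd64") is older than 5.6,
# 1 if it is 5.6 or newer, 2 if the string cannot be parsed.
kernel_needs_skip_sync() {
    release=${1%%-*}                      # drop "-27-amd64" style suffix
    case "$release" in *.*) ;; *) return 2 ;; esac
    major=${release%%.*}
    rest=${release#*.}
    minor=${rest%%.*}
    for n in "$major" "$minor"; do
        case "$n" in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 6 ]; }
}

# Return 0 if the given kernel config file enables the option.
# A "# CONFIG_SUSPEND_SKIP_SYNC is not set" line does not match.
config_has_skip_sync() {
    [ -r "$1" ] && grep -q '^CONFIG_SUSPEND_SKIP_SYNC=y$' "$1"
}

# Print a verdict. Return 0 if the requirement is met, 1 otherwise.
# $1 = kernel release, $2 = config path (assumed default: /boot/config-$1)
suspend_precheck() {
    krel=$1
    kconf=${2:-/boot/config-$krel}
    rc=0
    kernel_needs_skip_sync "$krel" || rc=$?
    case $rc in
        1) echo "ok: kernel $krel is 5.6 or newer"; return 0 ;;
        2) echo "unknown: cannot parse kernel release '$krel'"; return 1 ;;
    esac
    if config_has_skip_sync "$kconf"; then
        echo "ok: CONFIG_SUSPEND_SKIP_SYNC=y found in $kconf"
        return 0
    fi
    echo "fail: kernel $krel needs CONFIG_SUSPEND_SKIP_SYNC=y (checked $kconf)"
    return 1
}

# Check the running kernel; the verdict is informational only.
suspend_precheck "$(uname -r)" || true
```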
Please report any breakage to the issue tracker.
The scripts assume you're using systemd, and are untested in all but the most generic of LVM setups. They currently break under grsecurity, and probably won't work if you're using LVM+RAID. They make no security guarantees whatsoever. You have been warned.
To install, run 'make install' as root and reboot. For Plymouth splash support, run 'make plymouth', 'make install', and reboot. To remove Plymouth splash support, run 'make noplymouth', 'make install', and reboot.
Copyright 2019 Jen Bowen
Based very heavily on work by Vianney le Clément de Saint-Marcq
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; version 3 of the License.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/.