LUKS encryption keys are not dumped on suspend/hibernate
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Ubuntu | New | Undecided | Unassigned | |
Bug Description
I have installed Xubuntu 11.10 from the "alternate" installer disc and set up whole-disk encryption through the official installer. I am almost 100% certain that when I suspend my machine, my disk's encryption key is left in RAM, and when I hibernate, my key is saved to disk (very bad!). My evidence for this is pretty simple: Upon resuming the machine, no password needs to be entered in order to unlock the disk (only the xscreensaver password, which can be entirely different). This is a major security vulnerability because it means that someone who steals a suspended or hibernated laptop could decrypt its disk using the (unencrypted, readily available) key in RAM or on disk. Worse, I suspect the key would remain on disk even after a shutdown (following a hibernate) unless some secure erase method is used. Since laptops are both the types of machines that people typically encrypt and the types of machines that people typically suspend/hibernate, this seems like a huge security issue to me.
visibility: private → public
Changed in ubuntu:
status: Invalid → Opinion
Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs IRC channel on Freenode.
To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/937361/+editstatus and add the package name in the text box next to the word Package.
[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]
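Added example, not part of the original report or of any Ubuntu package: the hibernate concern in the bug description depends on where the hibernation image lands, which is the swap area. This sketch classifies each swap device by whether it sits on top of a dm-crypt mapping; the function name `classify_swap` and the sample device layouts are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: report whether each swap area is backed by dm-crypt.
# Input is the text produced by: lsblk -P -o KNAME,PKNAME,TYPE,FSTYPE

classify_swap() {
  awk '
    {
      split("", kv)                      # reset per-line key/value map
      for (i = 1; i <= NF; i++) {
        split($i, p, "=")                # KEY="value" pairs
        gsub(/"/, "", p[2])
        kv[p[1]] = p[2]
      }
      k = kv["KNAME"]
      parent[k] = kv["PKNAME"]           # kernel name of the device below
      type[k] = kv["TYPE"]
      if (kv["FSTYPE"] == "swap") swap[k] = 1
    }
    END {
      for (k in swap) {
        status = "plaintext"
        d = k
        # Walk down the stack (LV -> crypt -> partition -> disk).
        for (n = 0; d != "" && n < 16; n++) {
          if (type[d] == "crypt") { status = "encrypted"; break }
          d = parent[d]
        }
        print k, status
      }
    }' | sort
}

# Constructed sample: LVM on LUKS (swap LV inside the encrypted container).
SAMPLE_LUKS_LVM='KNAME="sda" PKNAME="" TYPE="disk" FSTYPE=""
KNAME="sda1" PKNAME="sda" TYPE="part" FSTYPE="ext2"
KNAME="sda5" PKNAME="sda" TYPE="part" FSTYPE="crypto_LUKS"
KNAME="dm-0" PKNAME="sda5" TYPE="crypt" FSTYPE="LVM2_member"
KNAME="dm-1" PKNAME="dm-0" TYPE="lvm" FSTYPE="ext4"
KNAME="dm-2" PKNAME="dm-0" TYPE="lvm" FSTYPE="swap"'

# Constructed sample: same machine plus an unencrypted swap partition.
SAMPLE_MIXED="$SAMPLE_LUKS_LVM"'
KNAME="sdb" PKNAME="" TYPE="disk" FSTYPE=""
KNAME="sdb2" PKNAME="sdb" TYPE="part" FSTYPE="swap"'

printf '%s\n' "$SAMPLE_MIXED" | classify_swap
```

On a live system, pipe `lsblk -P -o KNAME,PKNAME,TYPE,FSTYPE` into `classify_swap`. A swap device reported as `plaintext` would receive the hibernation image, including whatever key material was in RAM, unencrypted.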