From: dm-crypt@stachelkaktus.net
To: dm-crypt@saout.de
Date: Tue, 29 Aug 2017 14:42:30 +0200
Subject: Re: [dm-crypt] luksSuspend for plain dm-crypt
Message-ID: <98dd7f23-31c3-1935-2524-9f58a14234ea@stachelkaktus.net>
In-Reply-To: <85c98a26-f67a-21bd-76a6-1ed9ce48b5fa@gmail.com>
References: <85c98a26-f67a-21bd-76a6-1ed9ce48b5fa@gmail.com>

Hello Milan,

thanks a lot, that helps.

> it is quite easy with dmsetup, but unlike LUKS, there is not a way how
> you can check that reinstated key is correct (you can resume target with different
> key and cause severe data corruption - that's why we do not support it in cryptsetup).

Ok, I can understand that problem. I will fix it in my script with a compare to SHA-256(key) that I will store on the ramdisk. Only if the key matches will the script continue.

> Note that in future we will optionally support activation through kernel keyring,
> so you will put key there, not to dmsetup.

That sounds interesting, but I'm not sure if it will help. I try to erase the key before I suspend to RAM so that cold boot attacks don't work here.
If it's in the kernel keyring it should still be possible to find it in memory. Or have I misread that keyring concept?

--
cheers
wof
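The fingerprint check wof describes (store SHA-256 of the key on a ramdisk before suspend, refuse to resume unless the re-entered key hashes to the same value) can be written as a few shell functions. This is an added example, not code from the list post or from cryptsetup; it assumes the key is the hex string that dmsetup accepts, that the fingerprint file lives on a ramdisk the script controls, and the dm-crypt target messages "key wipe" and "key set", which is the dmsetup path Milan refers to. Only the hashing and comparison functions run without root; the suspend/resume wrappers need a real mapping and are shown for completeness.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): guard a plain dm-crypt resume
# with a SHA-256 fingerprint of the key, since the target itself cannot tell a
# wrong key from the right one. Assumed: key is hex as given to dmsetup, the
# fingerprint file is on a ramdisk, sha256sum from coreutils is available.

set -eu

# Hex SHA-256 of the key material (no trailing newline is fed to the hash).
key_fingerprint() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Record the fingerprint of the currently active key; owner-readable only.
store_fingerprint() {
    key=$1; file=$2
    key_fingerprint "$key" > "$file"
    chmod 600 "$file"
}

# Succeed (exit 0) only if KEY hashes to the value stored in FILE.
verify_key() {
    key=$1; file=$2
    stored=$(cat "$file")
    [ "$(key_fingerprint "$key")" = "$stored" ]
}

# Before suspend-to-RAM: remember the fingerprint, then drop the key from the
# mapping. Requires root and an existing dm-crypt mapping NAME (not run by test).
safe_suspend() {
    name=$1; key=$2; file=$3
    store_fingerprint "$key" "$file"
    dmsetup suspend "$name"
    dmsetup message "$name" 0 key wipe
}

# After wake-up: re-install the key only when its fingerprint matches; a
# mismatch leaves the mapping suspended instead of corrupting data.
safe_resume() {
    name=$1; key=$2; file=$3
    if verify_key "$key" "$file"; then
        dmsetup message "$name" 0 key set "$key"
        dmsetup resume "$name"
    else
        echo "key fingerprint mismatch; refusing to resume $name" >&2
        return 1
    fi
}
```

The fingerprint only authenticates the key, it does not protect it: a hash of a full-entropy 256-bit dm-crypt key is useless to an attacker who recovers it from the ramdisk, but if the "key" is a low-entropy passphrase rather than the derived key, the stored hash becomes an offline guessing target, so hash the derived key material, not the passphrase.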