Top stories
LUKS suspend stopped wiping disk-encryption keys from memory since Linux 6.9
- Category: Security
- Status: confirmed
- Sources: author write-up, culprit commit, one-line fix, HN discussion
- Summary: Ingo Blechschmidt git-bisected a regression showing that since Linux 6.9 (May 2024) the mechanism that flushes a LUKS master key on suspend to RAM silently stopped working, so full-disk-encryption keys stayed resident in kernel memory across suspend for over two years. A kernel refactoring (commit a28d893) had an unexpected long-range interaction with the encryption path; the fix is one line. A cryptsetup merge request adds a warning instead of failing silently, and a NixOS test guards against future regressions.
- Comments: HN commenters note the class of bug: everything still worked, so the failure never announced itself, and a suspended laptop that is seized or stolen would surrender its key. Some observed that a full shutdown still wiped the key, but suspend is the common case.
- Why it matters: Anyone relying on LUKS to protect a lost or seized laptop lost that protection across suspend on kernels 6.9 and later until the fix propagates through stable trees and distributions.
- Follow-up: Track backport into stable kernel trees and distribution updates, and the cryptsetup warning landing in a release.