• Category: Security
  • Status: confirmed
  • Sources: author write-up, culprit commit, one-line fix, HN discussion
  • Summary: Ingo Blechschmidt git-bisected a regression showing that since Linux 6.9 (May 2024) the mechanism that flushes a LUKS master key on suspend to RAM silently stopped working, so full-disk-encryption keys stayed resident in kernel memory across suspend for over two years. A kernel refactoring (commit a28d893) had an unexpected long-range interaction with the encryption path; the fix is one line. A cryptsetup merge request adds a warning instead of failing silently, and a NixOS test guards against future regressions.
  • Comments: HN commenters note the class of bug: everything still worked, so the failure never announced itself, and a suspended laptop that is seized or stolen would surrender its key. Some observed that a full shutdown still wiped the key, but suspend is the common case.
  • Why it matters: Anyone relying on LUKS to protect a lost or seized laptop lost that protection across suspend on kernels 6.9 and later until the fix propagates through stable trees and distributions.
  • Follow-up: Track backport into stable kernel trees and distribution updates, and the cryptsetup warning landing in a release.

Send feedback on this story