A script for Arch Linux to lock the encrypted root volume on suspend.
When using dm-crypt with LUKS to set up full system encryption, the
encryption key is kept in memory when suspending the system. This drawback
defeats the purpose of encryption if you carry around your suspended laptop
a lot. One can use the cryptsetup luksSuspend
command to freeze all I/O and
flush the key from memory, but special care must be taken when applying it to
the root device.
The arch-lux-suspend
script replaces the default suspend mechanism of
systemd. It changes root to initramfs in order to perform the luksSuspend
,
actual suspend, and luksResume
operations. It relies on the shutdown
initcpio hook to provide access to the initramfs.
- Install this package with
makepkg -i
, or alternatively, runmake install
as root. - Edit
/etc/mkinitcpio.conf
and make sure the following hooks are enabled:udev
,encrypt
,shutdown
,suspend
. - Rebuild the initramfs:
mkinitcpio -p linux
. - Enable the service:
systemctl enable arch-luks-suspend.service
- Reboot.
Copyright 2013 Vianney le Clément de Saint-Marcq [email protected]
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; version 3 of the License.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with This program. If not, see http://www.gnu.org/licenses/.