On Sat, 2020-09-19 at 23:17 +0000, procmem at riseup.net wrote:
> Hi. There is a new cryptsetup feature that is supposed to protect
> user data while the PC is in standby. It wipes the key from RAM when
> sleep events are triggered. While it protects LUKS, other data and
> keys loaded in RAM at the time are still vulnerable to forensic
> recovery. Can you please consider adding a sleep key cache wipe
> feature to OpenSSH?
It already exists:
ssh-add -D
you just have to plumb it into the suspend hooks. It's also not
really the big problem: most people have gnome-keyring/kde-wallet
manage these keys. Nowadays it runs ssh-agent under the covers and adds the
keys from the config files based on the passwords in the login keyring, so
you'd have to lock the login keyring as well on suspend and unlock it on
resume ... probably by hooking the screensaver password into it somehow and
then have it re-populate ssh-agent. That's a lot of highly distro-specific
plumbing.
James
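One way to do the suspend-hook plumbing James describes, as an added example that is not part of the thread: a systemd system-sleep script that runs `ssh-add -D` against every agent socket it can find and then checks that the agent really reports no identities. The socket locations and the hook layout are assumptions about common setups; it does nothing about the login keyring, which is the harder part the reply points out.

```shell
#!/bin/sh
# Added example (not from the thread): a systemd system-sleep hook that
# plumbs `ssh-add -D` into suspend. systemd runs every script in
# /usr/lib/systemd/system-sleep/ as root with two arguments, "pre" or
# "post" and the sleep action (suspend, hibernate, ...). Root may connect
# to any user's agent socket, so one hook can flush all agents on the box.
# The socket locations below are assumptions about common setups.

# wipe_agent SOCKET: flush all identities from the agent behind SOCKET.
# Returns 0 only if the agent was reachable and now reports no identities.
wipe_agent() {
    sock="$1"
    [ -S "$sock" ] || return 1
    SSH_AUTH_SOCK="$sock" ssh-add -D >/dev/null 2>&1 || return 1
    # ssh-add -l exits 0 with identities, 1 with none, 2 if unreachable;
    # only 1 means the wipe actually took effect.
    rc=0
    SSH_AUTH_SOCK="$sock" ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -eq 1 ]
}

# sleep_hook PHASE ACTION: act only before sleeping; a failed wipe is
# logged but never blocks the suspend.
sleep_hook() {
    [ "$1" = "pre" ] || return 0
    # Assumed locations: plain ssh-agent sockets and gnome-keyring's
    # ssh socket (which proxies to ssh-agent on current desktops).
    for sock in /tmp/ssh-*/agent.* /run/user/*/keyring/ssh; do
        [ -S "$sock" ] || continue
        wipe_agent "$sock" || echo "ssh-sleep-hook: could not wipe $sock" >&2
    done
    return 0
}

# Only act when systemd invokes the script with its phase argument;
# sourcing it for tests just defines the functions.
if [ -n "${1:-}" ]; then sleep_hook "$1" "${2:-}"; fi
```

Install it executable under /usr/lib/systemd/system-sleep/ and check the journal after a suspend for the warning line if a socket could not be wiped.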