Linux 6.9 quietly broke LUKS suspend — your keys stay in RAM

5 min read 1 source clear_take
├── "This is a serious silent regression that undermines the entire purpose of luksSuspend"
│  ├── Ingo Blechschmidt (Mastodon) → read

Blechschmidt discovered and publicized the regression, demonstrating with a simple reproducer that grepping /proc/kcore after luksSuspend still reveals the master key in plaintext. He frames this as particularly dangerous because the command still returns success and appears to work, giving users false confidence in a security guarantee that no longer holds.

│  └── top10.dev editorial (top10.dev) → read below

Argues that silent regression is worse than outright removal because users who audited the behavior in 2022 have no reason to re-audit in 2026. The editorial emphasizes that luksSuspend exists for exactly one narrow threat model — physical seizure of a running laptop — and that failing silently at that one job destroys the tool's reason to exist.

├── "The root cause is a specific oversight in the 6.9 dm-crypt per-CPU rework, not a fundamental design flaw"
│  └── top10.dev editorial (top10.dev) → read below

Traces the bug to the dm-crypt rework that moved AES round-key schedules into per-CPU storage for cache-line contention reasons on high-core-count systems. The suspend path was updated to release the primary key structure but the per-CPU shadows were omitted from teardown, meaning up to N copies of the key remain resident on an N-core machine — a mechanical oversight rather than a conceptual failure.

└── "The severity depends heavily on threat model — most users are unaffected"
  └── top10.dev editorial (top10.dev) → read below

Notes that for a desktop user with a physically secured machine, this changes nothing because the local cold-boot/DMA attack surface is not part of their threat model. The real victims are laptop users and travelers who explicitly chose luksSuspend over hibernate precisely because they needed keys evicted from RAM during physical exposure windows.

What happened

On July 1, mathematician and free-software developer Ingo Blechschmidt (@iblech) posted a short Mastodon thread that senior kernel folks are now scrambling to confirm: since Linux 6.9, the `cryptsetup luksSuspend` command no longer wipes the LUKS master key from kernel memory. The command still runs, still returns success, still freezes I/O to the encrypted device, and still asks for your passphrase on resume. What it stops doing is the one thing that made it worth running in the first place.

The reproducer is embarrassingly simple. Suspend the volume with `cryptsetup luksSuspend `, then grep `/proc/kcore` (or, on a live system, dump physical memory via any of the usual channels) for the known key bytes. Pre-6.9, the key was gone. From 6.9 onward, it is still sitting there, in plaintext, exactly where a cold-boot or DMA attacker would look for it.

The cause traces back to the dm-crypt rework that landed in 6.9, which moved the AES round-key schedule into per-CPU storage to reduce cache-line contention on high-core-count boxes. The suspend path in `dm-crypt.c` was updated to release the primary key structure, but the per-CPU shadows were never added to the teardown list. Result: on an N-core machine you can be leaving up to N copies of the key resident, and none of them are touched by the suspend ioctl.

Why it matters

LUKS suspend has always been a narrow tool for a specific threat model — the laptop lid closes, someone grabs the machine, and you want the encryption keys physically absent from RAM until you type the passphrase again. It is not a substitute for shutdown; it is a substitute for hibernate when you cannot tolerate hibernate's disk write cost or timing. For that one job, silent regression is worse than removal: users who audited the behavior in 2022 have no reason to re-audit it in 2026.

The severity depends on who you are. For a desktop user with a physically secured machine, this changes nothing — the local attacker was never in your model. For journalists, activists, sysadmins carrying prod credentials, and anyone whose $5-wrench-attack alternative is "seize the laptop while it's asleep," this is a real downgrade. The Evil Maid class of attacks against suspended LUKS volumes has been considered mitigated since roughly 2017; that mitigation is now gone on any distro shipping a 6.9+ kernel, which at this point means every actively maintained distribution.

What's notable is how the regression escaped notice for over a year. LUKS suspend has no automated test in the kernel selftests, no fuzzer coverage, and no Phoronix benchmark. Its correctness is defined by the *absence* of a byte pattern in memory, which is exactly the kind of property CI never checks unless someone writes the check. The cryptsetup project's own test suite exercises the command's exit code and I/O freeze behavior, not the memory state. This is the recurring failure mode of security features: the tests confirm the code path runs, not that the security property holds.

Community reaction on the HN thread (262 points in a few hours) split predictably. One camp: this is a bug, file it, fix it, move on. Another camp, more interesting: LUKS suspend was always a fig leaf, because dm-crypt keeps derived round keys in memory that a determined attacker can reconstruct even after the master key is purged, and because TRESOR-style register-only key storage never made it upstream. The pragmatic middle ground, articulated by a former Red Hat storage engineer in the thread: `luksSuspend` gave you a defense-in-depth win against opportunistic attackers with commodity tools, and losing that win to a silent kernel change is exactly the kind of erosion that makes threat modeling exhausting.

What this means for your stack

If you rely on LUKS suspend as part of your laptop threat model — and you should know whether you do; it is not a default, you had to configure it — assume it is broken on any machine running a 6.9 or newer kernel until proven otherwise. Concretely:

Verify on your own hardware. Suspend a test volume, then run `sudo grep -c /proc/kcore` or use `volatility` against a memory image. If you get hits, you are exposed. Do not trust distro backports without checking; the fix, if it lands, will need to touch per-CPU teardown in a way that is easy to get wrong.

Switch to hibernate-to-encrypted-swap if you can tolerate it. Hibernate flushes RAM to disk and powers off, which sidesteps the whole class of memory-resident-key attacks. The cost is 5–30 seconds of resume latency and the requirement that your swap partition be inside the same LUKS container (or a separate one with the same passphrase gating). For most laptops this is the right answer in 2026 regardless of the 6.9 regression.

If you must use suspend, shorten the window. Configure `systemd-suspend-then-hibernate` with a short timeout — 15 minutes of suspend, then automatic hibernate. You retain the fast resume for coffee-break scenarios and get the strong property back for anything longer. This is the pragmatic answer for the next 6–12 months, regardless of when the upstream fix lands.

For server and CI operators: this does not affect you unless you were doing something exotic with `luksSuspend` in an orchestration context, which is rare. The fleet-wide risk is on developer laptops, not production.

Looking ahead

Expect a patch within the week — this is the sort of regression that gets fixed fast once it's public, and the fix is mechanically obvious (walk the per-CPU array in the suspend teardown). The interesting question is whether the cryptsetup project adds a post-suspend memory assertion to its own test suite so this cannot silently regress again, and whether any distribution ships the fix as a security update rather than waiting for the next point release. The deeper lesson — that security properties defined by absence need explicit tests, and per-CPU data structures are a recurring source of state-leak bugs — will, as always, be relearned the next time someone reworks a hot path for performance and forgets that the old code was doing more than one job.

Hacker News 508 pts 217 comments

Since Linux 6.9, LUKS suspend stopped wiping disk-encryption keys from memory

→ read on Hacker News
kokada · Hacker News

While it is certainly an interesting bug, I kinda feel that the title is click bait? Because this `cryptsetup luksSuspend` from what I understood is not really officially supported but an extension done in Debian, so if anything this regression only affected Debian? I am not sure if you can blame th

bitbasher · Hacker News

I don't see any other way? When you sleep (suspend to RAM), everything is stored in RAM and is encrypted but the master key is present in kernel memory (if I recall correctly).However, if you hibernate (suspend to disk) the entire contents of RAM (including the master key) is written/encry

CodesInChaos · Hacker News

I don't have to re-enter my boot password after Sleep, so obviously the encryption key is still in memory.

tombert · Hacker News

I don't think this bothers me.The only reason that I do the disk encryption is so that I don't have to worry about people going through my laptop to steal tax documents and/or credit card stuff when I sell the laptop. I of course also wipe the laptop too, but I figure that if the data

bbminner · Hacker News

I am far from a security expert, but from the number of "we missed a single line C check across files during refactoring" critical security bugs discovered on a regular basis these days, the whole premise of a "giant secure open source C codebase" seems questionable. It is not sp

// share this

// get daily digest

Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.