Linux 6.9以降、LUKS suspendがメモリから暗号鍵を削除しない不具合
Original: Since Linux 6.9, LUKS suspend stopped wiping disk-encryption keys from memory
Why This Matters
A silent kernel regression exposing disk-encryption keys in RAM affects physical security for all Linux LUKS users on kernel 6.9+.
Since Linux kernel version 6.9, the LUKS suspend feature stopped properly wiping disk-encryption keys from memory, leaving systems potentially vulnerable to cold-boot attacks during suspend states, as reported by researcher Ingo Blechschmidt.
Researcher Ingo Blechschmidt disclosed via Mastodon that since Linux kernel version 6.9, the LUKS suspend functionality no longer correctly wipes disk-encryption keys from system memory when a machine is suspended. LUKS (Linux Unified Key Setup) suspend is a security feature designed to remove encryption keys from RAM before a system enters a sleep state, protecting against cold-boot attacks where an attacker with physical access could extract memory contents to retrieve encryption keys. The regression, introduced in kernel 6.9, means this key-wiping step is silently skipped, leaving encryption keys resident in memory during suspend — undermining a critical physical security protection. Blechschmidt noted he spent several days investigating the issue before identifying the root cause. The finding affects users who rely on LUKS full-disk encryption with suspend-to-RAM on Linux systems running kernel 6.9 or later.