Linux kernel version 6.9 no longer wipes disk-encryption keys from memory during LUKS suspend operations [1].

This change creates a vulnerability where sensitive encryption keys remain resident in the system's RAM. If an attacker gains physical or remote access to the memory while the system is in this state, they could potentially retrieve the keys and decrypt the drive.

LUKS, or the Linux Unified Key Setup, is the standard for disk encryption on many Linux distributions. The suspend operation is designed to put a computer into a low-power state while maintaining the current session. Previously, the kernel ensured that keys were cleared to prevent unauthorized access during this transition.

iblech said, "LUKS suspend stopped wiping disk-encryption keys from memory" [1]. The shift in behavior is believed to be linked to changes in how the kernel handles suspend-to-RAM operations [1].

Security researchers have flagged the issue as a critical oversight. User12345 said, "This is a significant security concern" [2]. The persistence of these keys in memory bypasses a primary layer of protection intended to secure data at rest when a device is not actively in use.

While the Linux kernel team has not yet provided a formal explanation for the change, it affects all users running version 6.9 [1] who rely on LUKS for full-disk encryption. System administrators are encouraged to monitor official kernel mailing lists for patches or workarounds to restore the wiping functionality.

The failure to purge encryption keys during a suspend operation undermines the core promise of full-disk encryption. By leaving keys in volatile memory, the system becomes susceptible to 'cold boot' attacks or memory forensics, effectively turning a secure, encrypted state into one that can be compromised without the user's password.