Re: Announcing crypto suspend
From: Rafael J. Wysocki
Date: Mon Mar 20 2006 - 13:52:44 EST
On Monday 20 March 2006 19:35, Peter Wainwright wrote:
> On Mon, 2006-03-20 at 09:04 +0100, Pavel Machek wrote:
> > Hi!
> >
> > Thanks to Rafael's great work, we now have working encrypted suspend
> > and resume. You'll need recent -mm kernel, and code from
> > suspend.sf.net. Due to its use of RSA, you'll only need to enter
> > password during resume.
> >
> > [Code got some minimal review; if you are a crypto expert, and think
> > you can poke a hole within it, please try to do so.]
> > Pavel
> That's pretty interesting - we really need a featureful suspend
> implementation in mainline. But there doesn't seem to be much
> documentation for it. suspend.sf.net takes me to the Suspend 2 site:
> www.suspend2.net (a virtual server?). Which code from this site is
> needed for the mainline suspend?
cvs -z3 -d:pserver:anonymous@xxxxxxxxxxxxxxxxxxx:/cvsroot/suspend co suspend
and please read the HOWTO. Unfortunately the RSA-related part hasn't been
documented yet, but it's pretty straightforward.
First, you need to generate the RSA key pair using suspend-keygen and save
the output file as /etc/suspend.key (or something else pointed to by
the "RSA key file =" configuration parameter of suspend). This file contains
the public modulus (n), public exponent (e) and Blowfish-encrypted private
exponent (d) of the RSA key pair.

Then, the suspend utility will load the contents of this file, generate a random
session key (k) and initialization vector (i) for the image encryption and use
(n, e) to encrypt these values with RSA. The encrypted k, i as well as the
contents of the RSA key file will be saved in the image header.

The resume utility will read n, e and (encrypted) d as well as (encrypted) k, i
from the image header. Then it will ask the user for a passphrase and will
try to decrypt d using it. Next, it will use (n, e, d) to decrypt k, i needed
for decrypting the image.
Greetings,
Rafael
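
The key flow described in the message above, as an added Python sketch that is not part of the original mail and is not the suspend project's code: it shows why only resume needs the passphrase. Assumptions: the primes are constructed toy values, RSA is unpadded, an XOR keystream stands in for both Blowfish and the image cipher, and the salt, PBKDF2 step, function names and dict layout are hypothetical.

```python
import hashlib
import os

# Constructed toy parameters: two Mersenne primes (trivially factorable, demo only).
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N_LEN = 30  # bytes; P*Q is below 2**240

def _xor_stream(data: bytes, secret: bytes, salt: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream (not Blowfish)."""
    ks = b""
    while len(ks) < len(data):
        ks += hashlib.sha256(secret + salt + len(ks).to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, ks))

def _kek(passphrase: str, salt: bytes) -> bytes:
    """Assumed passphrase-to-key step; the mail does not say how the real tool does it."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

def keygen(passphrase: str) -> dict:
    """Role of suspend-keygen: emit n, e and the passphrase-encrypted d."""
    d = pow(E, -1, (P - 1) * (Q - 1))
    salt = os.urandom(16)
    enc_d = _xor_stream(d.to_bytes(N_LEN, "big"), _kek(passphrase, salt), salt)
    return {"n": P * Q, "e": E, "salt": salt, "enc_d": enc_d}

def suspend(keyfile: dict, image: bytes) -> dict:
    """Suspend side: needs only the key file, never the passphrase."""
    k, i = os.urandom(16), os.urandom(8)  # random session key and IV
    enc_ki = pow(int.from_bytes(k + i, "big"), keyfile["e"], keyfile["n"])
    header = dict(keyfile, enc_ki=enc_ki)  # key file contents travel in the header
    return {"header": header, "body": _xor_stream(image, k, i)}

def resume(saved: dict, passphrase: str) -> bytes:
    """Resume side: passphrase -> d -> (k, i) -> image."""
    h = saved["header"]
    d_bytes = _xor_stream(h["enc_d"], _kek(passphrase, h["salt"]), h["salt"])
    m = pow(h["enc_ki"], int.from_bytes(d_bytes, "big"), h["n"])
    ki = m.to_bytes(N_LEN, "big")[-24:]  # 16-byte k followed by 8-byte i
    return _xor_stream(saved["body"], ki[:16], ki[16:])

if __name__ == "__main__":
    image = b"constructed sample memory image " * 4
    saved = suspend(keygen("correct horse"), image)
    print(resume(saved, "correct horse") == image)
```
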