
Linux 6.9 stops wiping LUKS keys from memory on suspend
Linux kernel 6.9 stopped clearing LUKS disk‑encryption keys from RAM when a system suspends, exposing them to anyone with physical access to a suspended machine.
Since Linux 6.9, the kernel no longer clears LUKS disk‑encryption keys from RAM when a system is suspended [Mathstodon]. The change applies to any Linux installation that uses LUKS for full‑disk encryption and relies on suspend to save power.
What shipped
The 6.9 release modifies the suspend path so that the memory region holding the master key is left untouched. The kernel changelog does not call out the change, but the Mathstodon post by Ingo Blechschmid flags the security impact [Mathstodon].
Why it matters
Leaving the key in memory means a person with physical access to a suspended laptop can dump RAM, retrieve the encryption key and decrypt the disk. The risk is highest on devices that suspend frequently, such as laptops and workstations used in shared environments. Engineers responsible for encrypted Linux systems must adjust their threat models and consider additional mitigations, such as a TPM‑bound key, encrypted RAM, or avoiding suspend on sensitive machines.
Mitigation steps
- Verify the kernel version and confirm the key‑retention behavior.
- Deploy a kernel patch that re‑enables key wiping, or upgrade to a later kernel where the issue is addressed.
- Consider alternative encryption setups that bind the key to hardware (TPM, Secure Boot) to prevent extraction from RAM.
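The first mitigation step, checking the running kernel against the 6.9 threshold and enumerating the dm-crypt mappings whose keys would stay resident across suspend, can be scripted. The following POSIX shell script is an added example for this article, not code from the kernel, cryptsetup or the Mathstodon post. The 6.9 threshold comes from the article; the `dmsetup table --target crypt` line layout (`<name>: <start> <len> crypt <cipher> <key> <iv_offset> <device> <offset> [opts]`) is dm-crypt's documented table format; the two sample table lines, the UUID in them and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example: check whether this host runs a kernel at or above the
# version named in the article (6.9) and list the dm-crypt mappings whose
# keys would be left in RAM across suspend on such a kernel.

# kernel_at_least MIN CURRENT
#   MIN is "major.minor" (e.g. 6.9); CURRENT is a uname -r string such as
#   "6.8.12-arch1-1". Returns 0 when CURRENT >= MIN, 1 otherwise.
#   Only major and minor are compared; the patch level and the distro
#   suffix after "-" are ignored.
kernel_at_least() {
    min_major=${1%%.*}; min_rest=${1#*.}; min_minor=${min_rest%%.*}
    cur=${2%%-*}                      # drop "-arch1-1", "-generic", ...
    cur_major=${cur%%.*}; cur_rest=${cur#*.}; cur_minor=${cur_rest%%.*}
    [ "$cur_major" -gt "$min_major" ] && return 0
    [ "$cur_major" -eq "$min_major" ] && [ "$cur_minor" -ge "$min_minor" ]
}

# parse_crypt_table
#   Reads `dmsetup table --target crypt` output on stdin and prints one line
#   per mapping: "<name> <cipher> <key-location>". A key field that starts
#   with ":" is a kernel-keyring reference (LUKS2 default); anything else is
#   key material passed in the table itself (dmsetup masks it with zeros
#   unless --showkeys is given). Either way the key is resident in kernel
#   memory while the mapping is active, which is the article's concern.
parse_crypt_table() {
    while read -r name start len target cipher key rest; do
        [ "$target" = "crypt" ] || continue
        name=${name%:}
        case $key in
            :*) loc="kernel-keyring" ;;
            *)  loc="table-embedded" ;;
        esac
        printf '%s %s %s\n' "$name" "$cipher" "$loc"
    done
}

# Constructed sample of `dmsetup table --target crypt` output (not from a
# real host): one LUKS2 root with a keyring-referenced key and one swap
# mapping with a (masked) table-embedded key.
SAMPLE_TABLE='cryptroot: 0 976773168 crypt aes-xts-plain64 :64:logon:cryptsetup:0a1b2c3d-0000-4000-8000-000000000000-d0 0 8:2 32768 1 allow_discards
cryptswap: 0 33554432 crypt aes-xts-plain64 0000000000000000000000000000000000000000000000000000000000000000 0 8:3 4096'

# check_host
#   Reports the kernel verdict and the active crypt mappings. dmsetup needs
#   root; when it is unavailable the constructed sample is parsed instead so
#   the script still demonstrates the output format.
check_host() {
    kver=$(uname -r)
    if kernel_at_least 6.9 "$kver"; then
        echo "kernel $kver is >= 6.9: review suspend policy for the mappings below"
    else
        echo "kernel $kver is < 6.9"
    fi
    if command -v dmsetup >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        dmsetup table --target crypt 2>/dev/null | parse_crypt_table
    else
        echo "dmsetup unavailable or not root; parsing constructed sample:"
        printf '%s\n' "$SAMPLE_TABLE" | parse_crypt_table
    fi
}

check_host
```

Run it as root on the machine in question; a kernel at or above 6.9 together with any listed mapping means the second and third mitigation steps above apply to that host. The version comparison deliberately ignores the patch level, so a backported fix in a 6.9.y stable release would still be flagged and must be confirmed against the distribution's changelog.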
The change underscores how a single kernel tweak can alter the security posture of encrypted deployments.