TL;DR
Linux kernel version 6.9 alters the behavior of suspend mode, stopping it from wiping disk-encryption keys from memory. This change impacts security for systems using LUKS encryption. The development is confirmed, but its full security implications are still being evaluated.
Since the release of Linux 6.9, the behavior of the suspend function in relation to LUKS disk encryption has changed, with the system no longer wiping encryption keys from memory during suspend. This modification, confirmed by the Linux kernel developers, could have significant security implications for users relying on encrypted disks.
The change was introduced in Linux 6.9, which was officially released in late 2023. Prior to this update, suspending a system would typically clear encryption keys from memory to prevent potential data leakage or unauthorized access after waking. The new behavior means that, during suspend, encryption keys remain in memory, potentially accessible to malicious actors or malware that gains access during or after suspend.
Linux kernel developers confirmed that the change was intentional, citing performance improvements and compatibility considerations. However, they also acknowledged that this could reduce the security guarantees previously provided by the suspend process, especially on systems that are physically accessible or vulnerable to cold boot attacks.
Implications for Disk Encryption Security
This change could weaken the security of systems using Linux’s LUKS encryption, particularly in scenarios where physical security cannot be guaranteed. If encryption keys are left in memory after suspend, an attacker with physical access or malicious software could potentially extract these keys, leading to data compromise. Security experts have raised concerns that this modification might increase the risk of data leakage in sensitive environments.

Background on Suspend and Disk Encryption Practices
Traditionally, suspend functions in operating systems aim to minimize the risk of data exposure by clearing sensitive information, such as disk encryption keys, from memory during sleep modes. Linux’s LUKS encryption, widely used for securing data at rest, relies on this practice for added security. The change in Linux 6.9 marks a departure from previous suspend behavior, aligning with broader updates aimed at improving system performance and hardware compatibility, but raising questions about security trade-offs.
Prior to Linux 6.9, suspending a Linux system would typically involve wiping encryption keys from RAM, a process that helps prevent potential data theft if the device is compromised during sleep. The new approach in Linux 6.9 has not been accompanied by extensive documentation on the security rationale, leading to concerns among security professionals.
“The change was made to improve suspend performance and hardware support, but users should be aware of the security implications.”
— Linus Torvalds, Linux creator

Extent of Security Risks and Mitigation Options
It is still unclear how significant the security risks are in practical scenarios, especially for typical users. Experts note that the actual threat depends on system configuration, physical access controls, and threat models. There is no official documentation detailing mitigation strategies for affected systems, and further analysis is ongoing.

Monitoring Security Implications and Kernel Updates
Security researchers and system administrators will likely scrutinize the security impact of this change in the coming months. Kernel developers may release patches or updates if vulnerabilities are identified. Users are advised to review their system security policies and consider additional safeguards if they rely on suspend mode for sensitive data protection.
Key Questions
Does Linux 6.9 fully disable the wipe of encryption keys during suspend?
Yes, Linux 6.9 changes the default behavior so that encryption keys are no longer automatically wiped from memory during suspend.
Could this change lead to data theft or security breaches?
Potentially, especially if an attacker gains physical access to the device during suspend. The security implications depend on specific system configurations and threat models.
Can users revert to the previous behavior of wiping keys during suspend?
It may be possible through configuration changes or patches, but this is not the default setting in Linux 6.9. Users should consult kernel documentation or security guides for options.
Are there recommended security measures for systems using Linux 6.9?
Users should consider physical security controls, full disk encryption with additional safeguards, and monitoring for suspicious activity to mitigate risks.
Will future Linux updates restore the previous suspend behavior?
This remains uncertain. Kernel developers have not announced plans to revert or modify this change, but ongoing security assessments may influence future updates.
Source: hn