Linux Gets Experimental Support For In-Kernel Hibernation Encryption

Intel's Chen Yu has sent out a set of patches providing experimental support for in-kernel encryption support for hibernation.

In particular, this encryption support is about encrypting the hibernation image that is saved to the disk for the hibernation process. There are third-party ways to encrypt the hibernation image with an encrypted SWAP while this new code thanks to Intel is integrated within the kernel. Besides the kernel bits are also user-space code needed for generating the encryption key.

1. The user space reads the salt from kernel and generates a symmetrical (AES) key based on user passphrase. Then the kernel uses that key to encrypt the hibernation image.
2. The salt will be saved in image header and passed to the restore kernel.
3. During restore, the userspace reads the salt from the kernel and probe passphrase from the user to generate the same key and pass that key back to kernel.
4. The restore kernel uses that key to decrypt the image.

The proposed crypto_hibernate user-space component uses a 512-bit AES key. This "request for comments" code for encrypted hibernation support in the kernel can be found via the kernel mailing list.