Thread: "systemctl hibernate" vs. "pm-hibernate" and passwords

  1. #1
    Join Date
    Aug 2008
    Location
    Johannesburg, South Afric
    Beans
    85
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Question "systemctl hibernate" vs. "pm-hibernate" and passwords

    On my Lubuntu 18.04 install, hibernation worked right out of the box from the command line. (I am about to add the relevant options to the power menu.) However, during tests I noticed one odd thing.

    Code:
    sudo systemctl hibernate
    hibernates the system and, upon waking up, displays the message
    Code:
    resuming from /path/to/swapfile
    followed by the login (username/password) interface. So the system is basically secure on waking. (Yes, I am aware of the security risks involved with having a memdump stored in an unencrypted swapfile!)

    Code:
    sudo pm-hibernate
    also hibernates the system but, upon waking up, does not display the
    Code:
    resuming from /path/to/swapfile
    message and does not ask for a password; the system is fully accessible right away.

    Why is this? Is this normal behavior and, if so, what is the rationale behind it?

    // FvW

  2. #2
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    19,297
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: "systemctl hibernate" vs. "pm-hibernate" and passwords

    No 18.04 system here with any PM tools, but on 16.04 ...

    Code:
    $ which pm-hibernate
    /usr/sbin/pm-hibernate
    tf@istar:~$ file /usr/sbin/pm-hibernate
    /usr/sbin/pm-hibernate: symbolic link to ../lib/pm-utils/bin/pm-action
    tf@istar:~$ file /usr/lib/pm-utils/bin/pm-action   
    /usr/lib/pm-utils/bin/pm-action: POSIX shell script, ASCII text executable
    So, if your system is set up similarly, take a look inside /usr/lib/pm-utils/bin/pm-action to see what is really happening?

    Just a thought.

    I don't hibernate due to security considerations. I either use standby, if the machine isn't moving, or completely shut down, if it will be moving. Also, I don't use a swap file. Always use a swap partition or swap LV. Just because something is a default, that doesn't mean it is a good idea.

  3. #3
    Join Date
    Sep 2014
    Location
    United States
    Beans
    167
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: "systemctl hibernate" vs. "pm-hibernate" and passwords

    This article provides a tutorial on creating passwords for encrypted swap.

    https://help.ubuntu.com/community/En...hEncryptedSwap

    I've also found this forum thread: https://ubuntuforums.org/showthread.php?t=2398264

    I believe this function is not native because it would be a burden to have to enter a password upon wake up. If you encrypt the LVM partition, the swap should already be encrypted. Therefore the encryption is encapsulated, which is quite typical in design. I don't think that means it encrypts upon hibernate. It will just appear like it's not encrypted while booted because while on, the system is unencrypted. I'd be curious if you or someone could provide information on the state of encryption in hibernation after following the steps above. I actually don't think it improves your security beyond having a second password on a non-encrypted system.

    As far as I understand, this is "unsafe," but I haven't provided the work to show you why that is the case.
    Last edited by EuclideanCoffee; 4 Weeks Ago at 02:59 PM.

  4. #4
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    19,297
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: "systemctl hibernate" vs. "pm-hibernate" and passwords

    Hibernation stores the frozen contents of RAM into the swap file. It leaves that storage unlocked, so any encrypted container using DM-crypt/LUKS will be unencrypted while the system is hibernated into the swap file/partition/logical volume.

    I use an encrypted LVM setup. The layout is: https://ubuntuforums.org/showthread....7#post13888987
    Everything except /boot/ and /boot/efi/ is contained within a LUKS container. If the machine is booted, that LUKS container is open/unlocked.

    Whether there is a password needed or not when coming out of standby is controlled by the screen saver "timeout" setting. The screensaver used is user-controlled. DEs often provide their own, which might be buggy. It is possible to disable that and use xscreensaver, which has always worked as expected for me. Pick your own poison.
    Last edited by TheFu; 4 Weeks Ago at 05:32 PM.

  5. #5
    Join Date
    Sep 2014
    Location
    United States
    Beans
    167
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: "systemctl hibernate" vs. "pm-hibernate" and passwords

    Right, I assumed that's the case.

    I believe LUKS2 has encrypted hibernation as a builtin feature. At least that's what I heard from Fedora last time I attended a webinar about such things.

  6. #6
    Join Date
    Aug 2008
    Location
    Johannesburg, South Afric
    Beans
    85
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: "systemctl hibernate" vs. "pm-hibernate" and passwords

    Quote Originally Posted by TheFu View Post
    So, if your system is set up similarly, take a look inside /usr/lib/pm-utils/bin/pm-action to see what is really happening?
    Thanks for pointing me in the right direction! Yes, pm-action is a script in which run_hooks sleep hibernate appears to be the active ingredient. In other words, a totally different thing from the approach followed by systemctl.

    Quote Originally Posted by TheFu View Post
    I don't hibernate due to security considerations. I either use standby, if the machine isn't moving, or completely shut down, if it will be moving. Also, I don't use a swap file. Always use a swap partition or swap LV. Just because something is a default, that doesn't mean it is a good idea.
    Agreed. The particular machine I'm hibernating has no secure data on it whatsoever, so security is no big concern here, but I still prefer a login password. And yes, I've got a swap LV; I don't do swap files myself, either. I prefer properly organized partitions to keep system, swap and data separate.

    // FvW

  7. #7
    Join Date
    Aug 2008
    Location
    Johannesburg, South Afric
    Beans
    85
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: "systemctl hibernate" vs. "pm-hibernate" and passwords

    Quote Originally Posted by EuclideanCoffee View Post
    As far as I understand, this is "unsafe," but I haven't provided the work to show you why that is the case.
    In my OP I did note that I am aware of the security risks of storing a memdump into an unencrypted swap file. I wouldn't do that on a system with any security consideration but this particular laptop holds no security-sensitive stuff whatsoever. I still prefer a login password, though.

    // FvW

  8. #8
    Join Date
    Sep 2014
    Location
    United States
    Beans
    167
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: "systemctl hibernate" vs. "pm-hibernate" and passwords

    Quote Originally Posted by frankvw View Post
    I still prefer a login password, though.
    Did you find the links from the community wiki helpful? Your feedback would help others attempting the same process which is already documented. This may also be a chance to update or remove the tutorial if it's unhelpful. There's another method I posted from the forums too, from a community expert on disk encryption.
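
Added example, not part of the thread and not any poster's code: a shell check for the risk raised above, a hibernation image written to swap that does not sit on a dm-crypt/LUKS mapping. It classifies each active swap area from `/proc/swaps` and the `lsblk` dependency chain; the function names and sample data are constructed for illustration.

```shell
# Added example. Function names and sample data are constructed.

# Print the backing path of every active swap area.
# stdin: text in /proc/swaps format (header line, then one line per area).
swap_sources() {
    awk 'NR > 1 && NF >= 5 { print $1 }'
}

# Succeed if any device in the dependency chain has TYPE "crypt".
# stdin: output of `lsblk -nrso NAME,TYPE <device>`.
chain_has_crypt() {
    awk '$2 == "crypt" { found = 1 } END { exit !found }'
}

# $1 = swap path, $2 = lsblk chain text for its backing device.
classify() {
    if printf '%s\n' "$2" | chain_has_crypt; then
        echo "$1 encrypted"
    else
        echo "$1 PLAINTEXT"
    fi
}

# Audit the running system (needs lsblk and findmnt from util-linux).
audit_live() {
    swap_sources < /proc/swaps | while read -r src; do
        dev=$src
        # A swap file is not a block device: look up its filesystem's device.
        [ -b "$src" ] || dev=$(findmnt -no SOURCE -T "$src")
        classify "$src" "$(lsblk -nrso NAME,TYPE "$dev")"
    done
}

# Constructed samples: a swap file on a plain partition, a swap LV inside LUKS.
SAMPLE_SWAPS='Filename     Type       Size     Used  Priority
/swapfile    file       2097148  0     -2
/dev/dm-2    partition  8388604  0     -3'
SAMPLE_CHAIN_PLAIN='sda2 part
sda disk'
SAMPLE_CHAIN_LUKS='vg-swap lvm
sda3_crypt crypt
sda3 part
sda disk'
if [ "${1:-}" = "--live" ]; then
    audit_live
else
    classify /swapfile "$SAMPLE_CHAIN_PLAIN"
    classify /dev/dm-2 "$SAMPLE_CHAIN_LUKS"
fi
```

Run with `--live` to audit the current machine instead of the constructed samples.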
