← Retour au blog
tech 2 July 2026

Linux 6.9: Major Change in LUKS Encryption Key Handling

Since Linux 6.9, LUKS no longer wipes encryption keys from memory upon suspension. Discover the impact of this change on security and performance.

Article inspired by the original source
Since Linux 6.9, LUKS suspend stopped wiping disk-encryption keys from memory ↗ mathstodon.xyz

Introduction

With the integration of Linux kernel version 6.9, a significant change has been introduced regarding the handling of LUKS encryption keys. Previously, when a system was suspended, LUKS would systematically wipe the encryption keys from memory to enhance security. However, this practice has been altered, raising critical questions about the security and performance of Linux systems. In this article, we will explore the implications of this change, its motivations, and its impact on end users.

What is LUKS?

LUKS (Linux Unified Key Setup) is a widely used disk encryption standard on Linux systems. It provides a secure way to protect sensitive data by encrypting entire disks. LUKS is favored for its flexibility and robustness, allowing effective key management and broad compatibility with various systems.

The Change with Linux 6.9

Prior to version 6.9, when the system entered suspension mode, LUKS would wipe the encryption keys from RAM to prevent unauthorized access in case of physical theft of the machine. With the 6.9 update, this functionality has been suspended for performance and reliability reasons.

Why this change?

Wiping the keys from memory during each suspension required a re-authentication and key reloading process, which increased the system's wake-up time and could cause stability issues. Developers decided it was more advantageous in some scenarios to keep the keys in memory to enhance user experience.

Impact on Security

The main risk of this change is the potential increase in attack surface. By keeping encryption keys in memory, the system becomes vulnerable to "cold boot" attacks, where an attacker with physical access could force a system reboot to try and extract the keys from memory.

Recommended Security Measures

To mitigate this risk, it is advised to employ additional security measures such as enabling a TPM (Trusted Platform Module) which can provide an extra layer of security by binding encryption keys to the hardware environment.

Performance and Reliability

On the flip side, keeping encryption keys in memory significantly improves system performance upon resuming activity. Users will notice faster wake-up times, which is crucial in high-availability work environments.

Conclusion

The Linux 6.9 update represents a trade-off between security and performance. For decision-makers and system administrators, it is essential to weigh these aspects based on the specific needs of their infrastructure. Ultimately, the goal is to ensure robust security while optimizing user experience.

Let's discuss your project in 15 minutes.

Linux LUKS encryption security performance
Deepthix newsletter · 100% AI · every Monday 8am

An AI agent reads tech for you.

Our AI agent scans ~200 sources per week and ships the best articles to your inbox Monday 8am. Free. One click to unsubscribe.

Visit the newsletter page →

Want to automate your operations?

Let's talk about your project in 15 minutes.

Book a call