Linux security regression in LUKS suspend draws quiet alarm
Since Linux 6.9, LUKS suspend (cryptsetup luksSuspend, which freezes a dm-crypt device and is documented to wipe its encryption key from kernel memory) no longer wipes the key. On a laptop whose sleep path relies on that wipe, the volume key stays in RAM for as long as the machine is suspended, exposed to a cold-boot or DMA attack. This is a regression from earlier kernels, where the key was deliberately zeroed on suspend. The bug has been present for over a year.
Commenters noted this isn't theoretical: a suspended laptop is exactly the scenario where physical security matters most. One comment cut to the point: 'Definitely not a symptom of Linux being a hodgepodge of code thrown together from a thousand different sources and no one person could tell you how it all fits.' That's harsh but it's a fair description of how a security-critical behavior got quietly broken across a kernel release boundary.
The thread didn't surface a clean fix or a patch status, which makes it more alarming, not less.
So what?
If your team uses Linux laptops with LUKS encryption for sensitive work and relies on suspend rather than full shutdown, check your kernel version with uname -r. Versions 6.9 and later are affected. This is the kind of regression that doesn't show up in changelogs and gets discovered months after deployment. Until it is patched, make full shutdown the default instead of suspend: powering off cuts power to RAM, which suspend-to-RAM by design does not. A sleep hook that calls cryptsetup luksSuspend before suspending was relying on the wipe that no longer happens, so having such a hook in place is not evidence that the key is gone.
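As an added example (not code from the post or from the thread it summarizes), here is a POSIX shell check that does the two things this section asks for: compare the running kernel against the 6.9 threshold the post names, and list the active dm-crypt mappings whose keys a luksSuspend hook would be expected to wipe. The 6.9 cutoff is taken from the post as given, not independently verified here, and the parsing assumes the usual "name: start length target args" format of dmsetup table output.

```shell
#!/bin/sh
# Added example, not code from the post: report whether this host is in the
# kernel range the post describes (6.9 and later) and list active dm-crypt
# mappings. The 6.9 threshold is the post's claim, used here as given.

# kernel_affected VERSION
# Returns 0 (true) when VERSION is 6.9 or later, 1 otherwise.
# Handles distro suffixes such as "6.9.3-arch1" or "6.10.0-rc2".
kernel_affected() {
    ver=$1
    major=${ver%%.*}          # "6.9.3-arch1" -> "6"
    rest=${ver#*.}            # "6.9.3-arch1" -> "9.3-arch1"
    minor=${rest%%[!0-9]*}    # "9.3-arch1"   -> "9"
    [ -n "$minor" ] || minor=0
    if [ "$major" -gt 6 ]; then
        return 0
    fi
    if [ "$major" -eq 6 ] && [ "$minor" -ge 9 ]; then
        return 0
    fi
    return 1
}

# crypt_names_from_table
# Reads "dmsetup table" output on stdin and prints the name of every mapping
# whose target type is "crypt" (the dm-crypt devices luksSuspend acts on).
# Assumes the usual "name: start length target args..." line format.
crypt_names_from_table() {
    awk '$4 == "crypt" { sub(/:$/, "", $1); print $1 }'
}

# active_crypt_devices
# Same as above, but for the live device-mapper table. Reading it needs root;
# prints nothing if dmsetup is missing or the table cannot be read.
active_crypt_devices() {
    command -v dmsetup >/dev/null 2>&1 || return 0
    dmsetup table 2>/dev/null | crypt_names_from_table
}

# report: print the kernel verdict and the list of active dm-crypt mappings.
report() {
    running=$(uname -r)
    if kernel_affected "$running"; then
        echo "kernel $running: 6.9 or later, in the range where luksSuspend may leave the key in RAM"
    else
        echo "kernel $running: older than 6.9, outside the range the post describes"
    fi
    devs=$(active_crypt_devices)
    if [ -n "$devs" ]; then
        echo "active dm-crypt mappings (keys live in kernel memory while mapped):"
        echo "$devs" | sed 's/^/  /'
    else
        echo "no active dm-crypt mappings found (or dmsetup table not readable; run as root)"
    fi
}

report
```

Run it as root so dmsetup can read the live table. The script only tells you whether the host falls in the affected range and which mappings hold keys; whether a given kernel actually zeroes those keys after cryptsetup luksSuspend is a separate question it does not answer, which is why the section above recommends full shutdown rather than trusting the suspend path.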