Re: [gpm] gnome-keyring Lock keyring on suspend

Did some initial research. Richard Hughes announced this feature here: and

The feature is indeed off-by-default (, and for good usability reasons. BTW, lock-on-hibernate is on by default.

Richard suggested back then that this should be in the UI. I have another proposal: make this flag on-by-default, but have the logic (now at depend on this flag, as well as the combination of the power manager setting /apps/gnome-power-manager/lock/suspend and when applicable, the screen saver setting /apps/gnome-screensaver/lock_enabled.

In other words:

if (gpm-lock-keyring-on-suspend &&
    (gpm-use-screensaver-setting ? screensaver-lock-on-suspend : gpm-lock-on-suspend)) {



Rationale: if the user needs to enter a password on resume, you might as well clear the keyring on suspend. Otherwise, we don't want to annoy users by requiring a password during resume.

Motivation for lock-on-suspend: suspend, as opposed to hibernate, maintains power to RAM. This makes cold-boot attacks practical on stolen laptops ( Moreover, an attacker can physically probe the RAM to read everything off it. And I suppose this is trivial if you have a programmable DMA device.



On 07/19/2010 06:28 AM, Stef Walter wrote:
> On 2010-07-18 12:24, Yaron Sheffer wrote:
>> it took me some time to find the Gnome configuration value
>> /apps/gnome-power-manager/lock/gnome_keyring_suspend. It was disabled on
>> my machine (Ubuntu Lucid). IMHO, it should be on-by-default because it
>> adds quite a bit of security for laptops, which tend to be
>> suspended/hibernating when they get stolen.
>>
>> So: can it be turned on (or is it just Ubuntu)?
>
> Yes, I think it should be turned on. I'd be really interested in why
> it's not on by default. If you have time to research this that would be
> a big help. This may be historical. The gnome-power-manager maintainers
> may know.
>
>> Can I help to document this flag? Maybe start a "secure configuration FAQ"?
>
> Sure, you can branch it off of here:
>
> Thanks for your participation!



