Consider using cryptsetup-suspend to protect encrypted persistent data while the system is suspended
This would ensure the LUKS persistent volume is locked while the system is suspended:
https://blog.freesources.org//posts/2020/08/cryptsetup-suspend/
Caveats:
- Unlocking is done via a text TTY. Using plymouth instead would be a little bit nicer, but not much.
- Accessibility technologies, such as a screen reader, are not available for unlocking. So presumably we would need to disable
cryptsetup-suspend
when such features are enabled in the GNOME sessions. - IBus input methods are not available for unlocking. Are they available in the Welcome Screen, i.e. do actual users have passphrases that require such input methods?