Doing something when a Cinnamon-based laptop suspends or hibernates

January 22, 2018

I've used encrypted SSH keys for some time. To make this tolerable (and even convenient), I load the keys into ssh-agent. On my desktop, I make this more secure by automatically flushing the keys when I lock the screen (details here). To get a similar effect on my laptop, I want to flush the keys before it suspends (suspending the laptop is roughly the equivalent of locking the screen on a desktop; it's almost always what I do before I walk away from it). I also want to force-close any lingering SSH connection masters, because it's pretty likely that my network connection will be different when I un-suspend the laptop (and in any case, the server end will probably have timed out).

In the beginning I did this by hand with a shell script or two. I usually remembered to run it before I suspended (my custom Cinnamon environment made it not too hard), but not always, and it was kind of a pain in general. Then I found out that it's possible to hook into the modern suspend process to automate this.

The important magic is that there is a standard freedesktop DBus signal that is emitted when your modern DBus and systemd-enabled system is about to suspend or hibernate itself. The DBus details are covered in this unix.se answer (via), and I simply copied and modified the Python code from David Newgas' av program to make something I call presusp.py. My version does not have a start() action to do things after the laptop un-suspends, and its shutdown() action is simply to run my shell scripts that drop SSH keys and clean up shared SSH sessions. If I used my Yubikey more on Cinnamon (which is possible), I'd also run my script to drop the Yubikey from ssh-agent (covered here).

Because presusp.py is directly tied to my login session, I just start it in a shell script I already have that does various things to set up my Cinnamon session. This also terminates it when I log out, although usually if I'm going to log out I just power down the laptop.

(Logging out and then back in again has been somewhat flaky under Cinnamon for me.)
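One way to write such a listener for logind's PrepareForSleep signal, as an added example (it is not the author's presusp.py or code from av). It assumes python-dbus and PyGObject are installed and that SSH connection masters keep their sockets in a hypothetical ~/.ssh/masters directory; the commands stand in for the author's shell scripts, which the page does not show.

```python
import glob
import os
import subprocess

LOGIND = "org.freedesktop.login1"
LOGIND_PATH = "/org/freedesktop/login1"
LOGIND_MANAGER = "org.freedesktop.login1.Manager"

# Assumption: ControlPath in ~/.ssh/config places master sockets in this directory.
MASTER_DIR = os.path.expanduser("~/.ssh/masters")


def cleanup_commands(master_dir=MASTER_DIR):
    """Commands to run before sleep: flush agent keys, then close each master."""
    cmds = [["ssh-add", "-D"]]  # delete all identities from ssh-agent
    for sock in sorted(glob.glob(os.path.join(master_dir, "*"))):
        # ssh still requires a destination argument; the socket selects the master.
        cmds.append(["ssh", "-S", sock, "-O", "exit", "unused-host"])
    return cmds


def on_prepare_for_sleep(going_down, run=subprocess.call, master_dir=MASTER_DIR):
    """Signal handler: the argument is True before sleep and False after resume."""
    if not going_down:
        return []  # nothing to do on resume
    done = []
    for cmd in cleanup_commands(master_dir):
        try:
            run(cmd)
        except OSError:
            continue  # a missing binary must not stop the remaining cleanup
        done.append(cmd)
    return done


def main():
    # Imported here so the functions above can be exercised without a DBus session.
    import dbus
    from dbus.mainloop.glib import DBusGMainLoop
    from gi.repository import GLib

    DBusGMainLoop(set_as_default=True)
    # Without a delay inhibitor lock, logind does not wait for the handler to finish.
    dbus.SystemBus().add_signal_receiver(
        on_prepare_for_sleep, "PrepareForSleep", LOGIND_MANAGER, LOGIND, LOGIND_PATH)
    GLib.MainLoop().run()


if __name__ == "__main__":
    main()
```
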

PS: According to the logind DBus API there's also a signal emitted before screen locking, although it comes from your session instead of the overall manager. If I cared enough, I could presumably hack up my presusp.py to flush keys even on screen lock. Right now this is too complicated for me to bother with, since I rarely lock the screen on my laptop and step away from it.

Sidebar: Restoring keys to ssh-agent after an unsuspend

Unlike on my desktop, I don't try to automatically re-add my encrypted keys to ssh-agent when the laptop un-suspends. Instead I have my .ssh/config set up with 'AddKeysToAgent yes', so that the first time I ssh somewhere it automatically adds the keys to the agent after prompting me to unlock and use them. This is a bit less convenient than on my desktop but it works well enough under the circumstances. It helps that I don't try to do fancy things with remote X clients on the laptop; mostly what I do is SSH logins in terminals.

Last modified: Mon Jan 22 00:50:48 2018