Suspend encryption
~~~~~~~~~~~~~~~~~~

Encryption in suspend-utils uses RSA internally; the reason is that we
want to only prompt for passphrase on resume. So, during suspend, the
image is effectively encrypted with a public key, and during resume,
the user has to first decrypt the corresponding private key using a
passphrase, which then is used to decrypt the image.

The image is always encrypted with symmetric algo. If RSA is used
(optional) then the key for the symmetric encryption is random and the
PK is used to safely store the key in the header of the image; the
random key is encrypted with RSA and stored in the header, RSA private
key is (encrypted using the password at installation time) is also
stored in the header.  At resume the password is used to unlock the
private key which is then used to decrypt the random key.  IOW we
don't use RSA to encrypt the whole image ;)