Warm Boot Attack Defense - RAM Wipe Design Documentation

ram-wipe wipes the RAM twice during poweroff/reboot.
1. RAM Wipe Pass 1/2: During the Linux kernel poweroff/reboot sequence.
2. RAM Wipe Pass 2/2: It kexec's into a new kernel and performs a second RAM wipe pass in order to overwrite the first kernel's memory and any other leftovers in RAM.
Design
cold-boot-attack-defense
Implemented by the dracut module cold-boot-attack-defense (by ram-wipe).
- /usr/lib/dracut/modules.d/90crypt/cryptroot-ask.sh runs need_shutdown.
- dracut-ng dm-shutdown.sh runs cryptsetup close to release the full disk encryption key during the shutdown process.
- A dracut cleanup hook is declared in /usr/lib/dracut/modules.d/40cold-boot-attack-defense/module-setup.sh (by ram-wipe): inst_hook cleanup 80 "$moddir/wipe-ram-needshutdown.sh". Priority is 80. TODO
- During boot, that dracut cleanup hook /usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram-needshutdown.sh (by ram-wipe) calls the dracut API function need_shutdown, which results in the file /run/initramfs/.need_shutdown being created.
- As a result, at shutdown time when /lib/systemd/system/dracut-shutdown.service (by dracut) runs, /usr/lib/dracut/dracut-initramfs-restore (by dracut) will restore the initramfs and pivot into it.
- During shutdown, dracut will run its usual cleanup tasks such as unmounting the root (main) drive.
- The shutdown module (by dracut) will source and execute other shutdown hooks set up by other dracut modules.
- At the time of writing, no other dracut modules using the dracut shutdown hook were known to the author of this website.
- wipe-ram.sh (by ram-wipe) is the dracut shutdown hook.
- An alternative description of the mechanism of dropping back to the initramfs during shutdown can be found under The initrd Interface of systemd.
- At a very late stage during the shutdown process, when all disks have already been unmounted by dracut, the wipe-ram.sh dracut shutdown hook is executed.
- The shutdown hook runs:
  - echo 3 > /proc/sys/vm/drop_caches: To ensure any remaining disk cache is erased by Linux's memory poisoning. [1]
  - sdmem -l -l -v: To wipe the RAM using sdmem.
    - The parameters -l -l result in a single pass of RAM wiping using zeros.
    - This is optimized for speed. Otherwise, RAM wiping could take several minutes. However, the longer the shutdown process is delayed, the more likely users are to disable this feature. Also, after wiping the RAM, it could be more important to shut down promptly to aid decay of RAM contents rather than repeatedly wiping RAM for minutes before removing power.
    - When run manually, sdmem with these command-line parameters will show "Wipe mode is insecure (one pass with 0x00)," but no evidence suggests this is actually insecure. The sdmem manpage refers to Peter Gutmann, but the Gutmann method is for hard drives, not RAM. No research indicating how many times RAM must be wiped to be unrecoverable has been found by the author of this website.
    - The parameter -v is for verbose output, which provides only a progress indicator.
    - Any output (default or verbose) is only visible if a serial console is connected. This is because dracut by default hides the output of the commands it runs. Redirecting the output of sdmem to /dev/kmsg would result in hundreds or thousands of separate * characters being written to the console, each on its own line, which would not be helpful. For a better progress meter of the RAM wipe process, a buffer mechanism might have to be implemented after user feedback.
  - dmsetup ls --target crypt: To check if all encrypted disks are unmounted.
    - Only if all encrypted disks are unmounted will it be possible for the kernel to wipe the Full Disk Encryption (FDE) key from kernel memory.
    - Deletion of the FDE key is considered among the most crucial pieces of information to be wiped from RAM because if the FDE key can be recovered from RAM, then FDE can be compromised.
    - Informs the user in console output if all encrypted disks are unmounted. Otherwise, it shows a warning.
Quote Tails' Memory erasure:
First, most memory is erased at the end of a normal shutdown/reboot sequence. This is implemented by the Linux kernel's freed memory poisoning feature, more specifically:
- page_poison
- passing "P" to slub_debug
- zeroing heap memory at free time (init_on_free=1)
These kernel parameters are implemented in the security-misc file /etc/default/grub.d/40_kernel_hardening.cfg.
The kernel parameter wiperam=skip is available to disable RAM wiping at shutdown, which can be useful to speed up shutdown or in case any issues arise.
For potential limitations, the same limitations described under the "Limitations" chapter of Tails' Memory erasure apply.
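The shutdown-hook logic described in this section, written out as an added example (this is not the ram-wipe project's wipe-ram.sh): it honours wiperam=skip, warns when none of the freed-memory poisoning parameters listed above is on the kernel command line (drop_caches only frees the page cache; it is the poisoning that overwrites it), drops caches, inspects dmsetup ls --target crypt, and runs a single zero pass with sdmem. Assumptions of this example: sdmem from secure-delete is installed; dmsetup prints "No devices found" when no crypt mapping is open; the dmsetup check is placed before sdmem so the user is informed before the long wipe; the file name wipe-ram-example.sh and the variables DRY_RUN, KERNEL_CMDLINE and DMSETUP_OUTPUT exist only so the file can be sourced and exercised offline.

```shell
#!/bin/sh
## Added example of a dracut shutdown hook (not the ram-wipe project's code).
## Install from a module-setup.sh with:
##   inst_hook shutdown 80 "$moddir/wipe-ram-example.sh"
## DRY_RUN, KERNEL_CMDLINE and DMSETUP_OUTPUT are assumptions for offline tests.

## dracut hides hook output; write to the kernel ring buffer so a serial
## console still shows it (stdout when /dev/kmsg is unavailable or in DRY_RUN).
log_kmsg() {
  if [ "${DRY_RUN:-0}" = 1 ] || ! [ -w /dev/kmsg ]; then
    echo "ram-wipe: $*"
  else
    echo "ram-wipe: $*" > /dev/kmsg
  fi
}

## Run a command, or only print it when DRY_RUN=1.
run_cmd() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "ram-wipe: would run: $*"
  else
    "$@"
  fi
}

## Return 0 when the kernel command line $1 enables freed-memory poisoning:
## init_on_free=1, or page_poison=1 together with a slub_debug value that
## contains P. Without it, "echo 3 > drop_caches" frees the page cache but
## does not overwrite it.
poisoning_enabled() {
  pp=0
  slub=0
  for word in $1; do
    case "$word" in
      init_on_free=1) return 0 ;;
      page_poison=1) pp=1 ;;
      slub_debug=*P*) slub=1 ;;
    esac
  done
  if [ "$pp" = 1 ] && [ "$slub" = 1 ]; then
    return 0
  fi
  return 1
}

## Return 0 when `dmsetup ls --target crypt` output $1 shows no open mapping
## (assumed output "No devices found" when nothing is open).
crypt_devices_closed() {
  case "$1" in
    ""|"No devices found") return 0 ;;
    *) return 1 ;;
  esac
}

## Hook body. Returns 0 when the wipe ran with all encrypted disks closed and
## 1 when a dm-crypt mapping was still open (the wipe still runs, but the FDE
## key may still be held by the kernel).
wipe_ram_shutdown_hook() {
  cmdline="${KERNEL_CMDLINE:-$(cat /proc/cmdline 2>/dev/null)}"
  case " $cmdline " in
    *" wiperam=skip "*) log_kmsg "wiperam=skip set, not wiping RAM"; return 0 ;;
  esac

  ## 1. Free page cache, dentries and inodes; with poisoning enabled the
  ##    kernel overwrites the freed pages, which covers the former disk cache.
  if ! poisoning_enabled "$cmdline"; then
    log_kmsg "WARNING: no freed-memory poisoning parameter on the kernel command line"
  fi
  run_cmd sh -c 'echo 3 > /proc/sys/vm/drop_caches'

  ## 2. Only if every encrypted disk is closed can the kernel have released
  ##    the FDE key, so report that before spending time on the wipe.
  if [ "${DRY_RUN:-0}" = 1 ]; then
    crypt_out="${DMSETUP_OUTPUT:-}"
  else
    crypt_out="$(dmsetup ls --target crypt 2>&1)" || true
  fi
  if crypt_devices_closed "$crypt_out"; then
    log_kmsg "all encrypted disks are closed"
    status=0
  else
    log_kmsg "WARNING: encrypted disks still open: $crypt_out"
    status=1
  fi

  ## 3. One pass of zeros over free RAM (-l -l) with progress output (-v).
  run_cmd sdmem -l -l -v
  return "$status"
}
```

A real hook file would end with an unconditional call to wipe_ram_shutdown_hook, since dracut's shutdown script simply sources it; it is left out here so the file can be sourced and the functions exercised with DRY_RUN=1 on a running system.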
ram-wipe-exit
dracut module ram-wipe-exit:
- The other dracut module cold-boot-attack-defense is independent.
- The first RAM wiping mechanism is useful regardless of this supplemental kexec-based RAM wipe, which might be more prone to bugs.
- The cold-boot-attack-defense module, in its main source code file wipe-ram.sh, uses kexec to boot into a new kernel.
- That new kernel is actually the same kernel image, but thanks to kexec, the old kernel stops and a new kernel runs. kexec is used with the --reuse-cmdline parameter for simplicity and to preserve already existing RAM wipe-related kernel parameters (the Linux kernel's freed memory poisoning feature mentioned above).
- Additionally, the kernel parameter wiperamexit=1 is appended by the cold-boot-attack-defense module.
- The kernel parameter wiperamexit=1 makes the ram-wipe-exit module wipe the RAM and then reboot or power off.
- It does not mount the root image.
- In other words, ram-wipe-exit runs at a very early boot stage, before mounting the root image. This is done using the dracut hook pre-udev (because that hook runs before pre-mount).
- Therefore, the full disk encryption (FDE) password entry is not required.
- The RAM wipe is performed during the dracut initramfs stage, before the FDE password is requested or the root disk is mounted.
- The root image is not mounted at all when the kernel parameter wiperamexit=1 is set.
- When the kernel parameter wiperamexit=1 is set, after the RAM wipe at the early dracut initramfs stage, the system is rebooted or powered off, depending on the wiperamaction setting, which was set by the previous kernel.
- A kexec-based wipe cannot rely on systemd with Before=unmount.target because unmounting the root disk and using cryptsetup luksClose to wipe the FDE key from RAM is one of the most critical steps of the RAM wipe. It would require After=unmount.target, but at that point, no disks remain mounted with the necessary tools. Hence, dropping back to the initramfs at shutdown is the correct design.
- Executes reboot, poweroff, or halt as instructed by the previous kernel.
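The kexec hand-off described in this section, modelled as an added example (not the ram-wipe project's code): the first kernel loads the same kernel image again with its own command line reused plus wiperamexit=1 and wiperamaction=<action>, and the ram-wipe-exit pre-udev hook in the second kernel parses that command line, wipes, and exits as instructed. The parameter names wiperam, wiperamexit and wiperamaction come from this page. Assumptions of this example: the kernel and initrd paths; that the kexec-tools options --reuse-cmdline and --append combine as "reuse, then append"; that wiperamaction=debug (as in the 45_debug-misc.cfg file below) means "stay in the initramfs"; that a missing wiperamaction falls back to poweroff; and the DRY_RUN, KERNEL_IMAGE, INITRD_IMAGE and KERNEL_CMDLINE variables for offline use.

```shell
#!/bin/sh
## Added example (not the ram-wipe project's code) of both sides of the kexec
## hand-off. Paths, the poweroff fallback, the meaning of "debug" and the
## DRY_RUN/KERNEL_IMAGE/INITRD_IMAGE/KERNEL_CMDLINE variables are assumptions.

## Run a command, or only print it when DRY_RUN=1.
run_cmd() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "would run: $*"; else "$@"; fi
}

## Print the value of the "key=value" parameter $1 in command line $2.
## Returns 1 and prints nothing when the key is absent.
cmdline_value() {
  for word in $2; do
    case "$word" in
      "$1"=*) printf '%s\n' "${word#*=}"; return 0 ;;
    esac
  done
  return 1
}

## --- first kernel (shutdown hook): hand off to the second kernel ------------

## Parameters appended for the second kernel. The action is validated so a
## typo cannot leave the kexec'd kernel without an exit instruction.
wiperamexit_append() {
  case "$1" in
    reboot|poweroff|halt|debug) printf 'wiperamexit=1 wiperamaction=%s\n' "$1" ;;
    *) echo "ram-wipe: unknown wiperamaction '$1'" >&2; return 1 ;;
  esac
}

## Load the running kernel image again, reusing /proc/cmdline and appending
## the exit instruction, then execute it (kexec-tools options).
kexec_into_ram_wipe_exit() {
  kernel="${KERNEL_IMAGE:-/boot/vmlinuz-$(uname -r)}"
  initrd="${INITRD_IMAGE:-/boot/initrd.img-$(uname -r)}"
  append="$(wiperamexit_append "$1")" || return 1
  run_cmd kexec --load --reuse-cmdline --append="$append" --initrd="$initrd" "$kernel" || return 1
  run_cmd kexec --exec
}

## --- second kernel (pre-udev hook): ram-wipe-exit ----------------------------

## Return 0 when this boot should wipe RAM: wiperamexit=1 present, wiperam=skip absent.
ram_wipe_exit_wipe_needed() {
  [ "$(cmdline_value wiperamexit "$1")" = 1 ] || return 1
  [ "$(cmdline_value wiperam "$1")" != skip ]
}

## Print the exit instruction left by the previous kernel: "none" on a normal
## boot (wiperamexit absent), otherwise the wiperamaction value.
ram_wipe_exit_action() {
  if [ "$(cmdline_value wiperamexit "$1")" != 1 ]; then
    echo none
    return 0
  fi
  action="$(cmdline_value wiperamaction "$1")" || action=poweroff
  echo "$action"
}

## Execute the exit instruction once the wipe is done. The root image is never
## mounted in this boot, so the forced variants are used directly.
ram_wipe_exit_finish() {
  case "$1" in
    reboot)   run_cmd reboot -f ;;
    poweroff) run_cmd poweroff -f ;;
    halt)     run_cmd halt -f ;;
    debug)    echo "ram-wipe-exit: debug, staying in the initramfs" ;;
    none)     return 0 ;;
    *)        echo "ram-wipe-exit: unknown action '$1'" >&2; return 1 ;;
  esac
}

## Hook body as it would run from pre-udev, before pre-mount and before any
## FDE passphrase prompt.
ram_wipe_exit_hook() {
  cmdline="${KERNEL_CMDLINE:-$(cat /proc/cmdline 2>/dev/null)}"
  if ram_wipe_exit_wipe_needed "$cmdline"; then
    run_cmd sdmem -l -l -v
  fi
  ram_wipe_exit_finish "$(ram_wipe_exit_action "$cmdline")"
}
```

Because cmdline_value only matches whole key=value words, wiperam=skip and wiperamexit=1 do not collide even though one key is a prefix of the other; the same holds for any other parameter the first kernel's command line carries over.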
Differences of ram-wipe versus Tails Memory Erasure
Tails memory erasure:
- Based on Linux memory poisoning
- Requires initramfs-tools
- Based on systemd-shutdown (/lib/systemd/system-shutdown)
- Requires Tails-specific hook scripts such as /usr/local/lib/initramfs-restore and /usr/local/lib/udev-watchdog-wrapper
- ISO-specific / Live boot-specific / squashfs-specific
- Mixes the panic button / emergency shutdown / ISO removal trigger into the same scripts
- Blueprints:
ram-wipe:
- Based on Linux memory poisoning, execution of sdmem and kexec
- Requires dracut
- More generic
- Should work on any Debian
- Should be relatively easy to port to any Linux distribution since it is implemented as a dracut module
- Should work equally for persistent boot from hard drive, live boot from hard drive, or ISO live boot
- A panic button / panic shutdown / USB kill cord for your laptop feature is not mixed with this feature. It should be implemented separately as a standalone feature.
Debugging
- A Kicksecure or Whonix VM using VirtualBox with a virtual serial console (see the already existing, fully tested, and functional documentation on how to set that up), as this can display and persist echo messages even after the VM has already been powered off or rebooted.
- A boot menu entry to run the dracut module ram-wipe-exit without needing to power off or reboot (similar to grub-live 10_20_linux_live). File: /etc/grub.d/12_linux_wiperamexit
- In Kicksecure / Whonix, the package debug-misc might be useful (sudo apt update && sudo apt install debug-misc) due to:
  - https://github.com/Kicksecure/debug-misc/blob/master/etc/default/grub.d/45_debug-misc.cfg
  - https://github.com/Kicksecure/debug-misc/blob/master/etc/sysctl.d/40_debug-misc.conf
  - https://github.com/Kicksecure/debug-misc/blob/master/etc/dracut.conf.d/40_debug-misc.conf
  - (These files can be used standalone, manually installed, or "bulk" installed by installing the debug-misc package.)
- https://github.com/Kicksecure/debug-misc/blob/master/etc/default/grub.d/45_debug-misc.cfg (This file would be shipped commented out by default. Only useful for development / debugging.)
#!/bin/sh
## Copyright (C) 2022 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## Untested!

set -e

#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX wiperamexit=1 wiperamaction=reboot"
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX wiperamexit=1 wiperamaction=poweroff"
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX wiperamexit=1 wiperamaction=halt"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX wiperamexit=1 wiperamaction=debug"

export GRUB_CMDLINE_LINUX

if test -x /etc/grub.d/10_00_linux_dist ; then
   /etc/grub.d/10_00_linux_dist
fi
sudo update-grub
Maybe useful during development:
grep -r pre-udev --color /usr/lib/dracut
Status of initramfs-tools Support
Support for initramfs-tools is not planned by the authors of ram-wipe. No progress on initramfs-tools support should be expected.
The problem with initramfs-tools support is that, in contrast to dracut, while initramfs-tools supports initrd (initial ramdisk), it does not support exitrd (exit ramdisk).
dracut supports both initrd (initial ramdisk at boot time) as well as exitrd (dropping back to the initial ramdisk at shutdown time). A feature request has been posted against the Debian initramfs-tools package: Support restoring initrd on shutdown and pivoting into it.
Contributors wishing to add initramfs-tools support to ram-wipe should first add exitrd support to upstream, original initramfs-tools.
As a starting point, Tails has implemented initramfs-restore, which might be helpful to examine and use as inspiration when developing exitrd functionality for initramfs-tools. The Tails initramfs-tools exitrd implementation would have to be made generic, meaning not specific to Tails (i.e., no code references to other Tails-specific code), and made acceptable to the initramfs-tools developers for inclusion into the upstream source code. However, using the Tails implementation as a starting point is not a strict requirement.
Once initramfs-tools gains exitrd support, it might then be straightforward to add initramfs-tools support to ram-wipe.
Development TODO
- Security testing: similar to https://gitlab.tails.boum.org/tails/blueprints/-/wikis/more_efficient_memory_wipe/memtest86plus
- A number of ram-wipe known issues require fixing.
- SecureBoot breaks kexec (Fixed.)
ram-wipe Testing inside a VM
1. Platform-specific notice.
- Kicksecure: No special notice.
- Qubes OS: ram-wipe is unavailable for Qubes OS. [2]
2. Install ram-wipe.
ram-wipe is not installed by default in VMs because it is usually not needed there, except for testing.
Install package(s) ram-wipe following these instructions:
  1. Platform specific notice.
  - Kicksecure: No special notice.
  - Kicksecure-Qubes: In Template.
  2. Update the package lists and upgrade the system.
  sudo apt update && sudo apt full-upgrade
  3. Install the ram-wipe package(s).
  Using the apt command line option --no-install-recommends is in most cases optional.
  sudo apt install --no-install-recommends ram-wipe
  4. Platform specific notice.
  - Kicksecure: No special notice.
  - Kicksecure-Qubes: Shut down Template and restart App Qubes based on it as per Qubes Template Modification.
  5. Done.
  The procedure of installing package(s) ram-wipe is complete.
3. Reboot
sudo reboot
4. Set up a virtual serial console.
A virtual serial console helps to read all journal and kernel messages during early boot and shutdown.
It can be set up as per the serial console documentation. Only a read-only serial console was somewhat recently tested, and it should suffice; an interactive serial console might not be required.
5. Status.
Now a serial console should clearly show the output during boot and shutdown of ram-wipe.
6. The bug "dracut should unmount the root encrypted disk (`cryptsetup luksClose`) during shutdown" (fixed in dracut-ng, should be fixed in Debian trixie) will not be reproducible because Kicksecure VM images do not use full disk encryption. (The rationale for not using full disk encryption for VM images is documented on the Encrypted VM Images wiki page.)
As a workaround, install Debian bookworm using the Debian DVD (Debian Tips), then install Kicksecure as per the distribution morphing Debian into Kicksecure instructions. Then re-apply the instructions listed here.
ram-wipe Functionality Testing
TODO:
- ram-dump-efi: Minimalistic application to dump RAM from EFI, based on Dasharo
- ram-remanence-tester
ram-wipe improvements
sdmem is problematic: it is unmaintained upstream, and there has been at least one case where shutdown was blocked due to a "kernel locked up" error. Writing to RAM until it fills up and sdmem gets OOM-killed is not a robust design. We should either replace sdmem or drop it entirely. It seems feasible to drop it.
- Review how Tails handles memory erasure: Tails memory erasure design. They primarily rely on the kernel parameter init_on_free=1.
- The second RAM wipe pass might be completely unnecessary. It can cause issues with graphics initialization during the second run due to buggy drivers. This makes reboot or shutdown slower and potentially glitchy.
- All we might need to do is:
  - Set init_on_free=1 (currently only set in security-misc, but it should be set in ram-wipe to make it standalone).
  - Drop caches (already implemented).
  - Properly unmount all encrypted disks (already done due to fixes in dracut in Debian Trixie).
  - Drop back to initrd (already implemented).
  - Re-test.
Task: Please consider the above, test it, implement necessary changes, and update the source code and wiki accordingly.
Forum Discussion
https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix-cold-boot-attack-defense/5596
See Also
- RAM Wipe Archived Development Notes
- Cold Boot Attack Defense
- ram-wipe User Documentation
- https://github.com/Kicksecure/ram-wipe
- https://github.com/memtest86plus/memtest86plus/discussions/266
Footnotes
