Kicksecure ™

Download

Debian morph to Kicksecure (Hardware) Windows (VM) Linux (VM) Mac (VM) VirtualBox (VM) KVM (VM) Qubes (VM) USB ISO (coming soon) More options Source Code

About

Overview Features Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Contribute

Support

Free Plus Premium Contact

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

Archived! Superseded by Dev/RAM Wipe!

Old RAM Wipe Development Notes[edit]

cryptsetup-suspend[edit]

• https://manpages.debian.org/cryptsetup-suspend
• https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=cryptsetup-suspend
• Its in Debian bookworm
• https://salsa.debian.org/mejo/cryptsetup-suspend/-/blob/suspend/debian/control

(Bold added.)

Package: cryptsetup-suspend [...] Description: disk encryption support - suspend mode integration Cryptsetup provides an interface for configuring encryption on block devices (such as /home or swap partitions), using the Linux kernel device mapper target dm-crypt. It features integrated Linux Unified Key Setup (LUKS) support. . This package provides suspend mode integration for cryptsetup. It takes care of removing LUKS master key from memory before system suspend. . Please note that the supsend mode integration is limited to LUKS devices and requires systemd.

• https://archive.fosdem.org/2020/schedule/event/dip_close_lid_encrypt/attachments/slides/3946/export/events/attachments/dip_close_lid_encrypt/slides/3946/cryptsetup_fosdem.pdf
• https://salsa.debian.org/cryptsetup-team/cryptsetup/-/blob/debian/experimental/debian/scripts/suspend/cryptsetup-suspend.c
• https://salsa.debian.org/cryptsetup-team/cryptsetup/-/blob/debian/experimental/debian/scripts/suspend/cryptsetup-suspend-wrapper
• https://packages.debian.org/experimental/amd64/cryptsetup-suspend/filelist

Potential cryptsetup-suspend Security Issue[edit]

Might not suspend and wipe cryptsetup key.

Not enough memory available. Please close some programs or add swap space to suspend successfully.

/lib/cryptsetup/scripts/suspend/cryptsetup-suspend-wrapper

        if [ $((MemAvailable+SwapFree)) -lt $((300*1024*1024)) ]; then
            log_error "Not enough memory available. Please close some programs or add swap space to suspend successfully."
            exit 1
        fi

cryptsetup[edit]

Quote cryptsetup luksSuspend, cryptsetup close (previously cryptsetup lukseClose) man page. (Bold added.)

luksSuspend suspends active device (all IO operations are frozen) and wipes encryption key from kernel.

close Removes the existing mapping <name> and wipes the key from kernel memory.

Does systemd run cryptsetup luksSuspend, cryptsetup close or cryptsetup lukseClose on the root device and thereby wipe the cryptsetup encryption key from kernel memory?

Quote https://www.freedesktop.org/software/systemd/man/systemd-halt.service.html

When these services are run, they ensure that PID 1 is replaced by the /usr/lib/systemd/systemd-shutdown tool which is then responsible for the actual shutdown. Before shutting down, this binary will try to unmount all remaining file systems, disable all remaining swap devices, detach all remaining storage devices and kill all remaining processes.

• https://manpages.debian.org/systemd-shutdown
• https://github.com/systemd/systemd/blob/master/src/shutdown/shutdown.c
  • mentions need_dm_detach, dm_detach_all
    • https://github.com/systemd/systemd/blob/master/src/shutdown/umount.c#L815 implements dm_detach_all
      • https://lists.freedesktop.org/archives/systemd-devel/2012-June/005443.html might imply that dm_detach_all refers to dm-crypt

/lib/cryptsetup/cryptdisks-functions

# Removes all mappings in crypttab, except the ones holding the root
# file system or /usr
do_stop() {

systemd[edit]

• systemd feature request: cryptsetup luksSuspend (wipes encryption key from kernel) on suspend
• systemd feature request: Wipe LUKS Disk Encryption Key for Root Disk from RAM during Shutdown to defeat Cold Boot Attacks
• https://www.freedesktop.org/software/systemd/man/systemd-cryptsetup@.service.html
• https://www.freedesktop.org/software/systemd/man/crypttab.html
• https://systemd.io/INITRD_INTERFACE/
• https://systemd.io/ROOT_STORAGE_DAEMONS/

initramfs[edit]

• https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778849

Inspiration[edit]

• https://github.com/vianney/arch-luks-suspend
• https://github.com/nailfarmer/debian-luks-suspend/
• https://waaaaargh.github.io/gnu&linux/2013/08/06/lukssuspend-with-encrypted-root-on-archlinux/

Forum Discussion[edit]

https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix-cold-boot-attack-defense/5596

---

Unfinished: This wiki is a work in progress. Please do not report broken links until this notice is removed, use Search Engines First and contribute improving this wiki.

Kicksecure A secure by default operating system with the latest security research in place.

Dark mode

Follow us on social media

FREE  ·  PLUS  ·  PREMIUM Support

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012-2024 ENCRYPTED SUPPORT LP

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!