Cold Boot Attack Defense - Archived RAM Wipe Development Notes

From Kicksecure
< Dev
Jump to navigation Jump to search

Archived! Superseded by Dev/RAM Wipe!

Old RAM Wipe Development Notes[edit]

cryptsetup-suspend[edit]

(Bold added.)

Package: cryptsetup-suspend [...] Description: disk encryption support - suspend mode integration Cryptsetup provides an interface for configuring encryption on block devices (such as /home or swap partitions), using the Linux kernel device mapper target dm-crypt. It features integrated Linux Unified Key Setup (LUKS) support. . This package provides suspend mode integration for cryptsetup. It takes care of removing LUKS master key from memory before system suspend. . Please note that the supsend mode integration is limited to LUKS devices and requires systemd.

Potential cryptsetup-suspend Security Issue[edit]

Might not suspend and wipe cryptsetup key.

Not enough memory available. Please close some programs or add swap space to suspend successfully.

/lib/cryptsetup/scripts/suspend/cryptsetup-suspend-wrapperarchive.org

        if [ $((MemAvailable+SwapFree)) -lt $((300*1024*1024)) ]; then
            log_error "Not enough memory available. Please close some programs or add swap space to suspend successfully."
            exit 1
        fi

cryptsetup[edit]

Quote cryptsetup luksSuspend, cryptsetup close (previously cryptsetup lukseClose) man pagearchive.org. (Bold added.)

luksSuspend suspends active device (all IO operations are frozen) and wipes encryption key from kernel.

close Removes the existing mapping <name> and wipes the key from kernel memory.

Does systemd run cryptsetup luksSuspend, cryptsetup close or cryptsetup lukseClose on the root device and thereby wipe the cryptsetup encryption key from kernel memory?

Quote https://www.freedesktop.org/software/systemd/man/systemd-halt.service.htmlarchive.org

When these services are run, they ensure that PID 1 is replaced by the /usr/lib/systemd/systemd-shutdown tool which is then responsible for the actual shutdown. Before shutting down, this binary will try to unmount all remaining file systems, disable all remaining swap devices, detach all remaining storage devices and kill all remaining processes.

/lib/cryptsetup/cryptdisks-functions

# Removes all mappings in crypttab, except the ones holding the root
# file system or /usr
do_stop() {

systemd[edit]

initramfs[edit]

Inspiration[edit]

Forum Discussion[edit]

https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix-cold-boot-attack-defense/5596archive.org


We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!