RAM Wipe Development Notes

From Whonix

cryptsetup-suspend

(Bold added.)

Package: cryptsetup-suspend [...]
Description: disk encryption support - suspend mode integration

Cryptsetup provides an interface for configuring encryption on block devices (such as /home or swap partitions), using the Linux kernel device mapper target dm-crypt. It features integrated Linux Unified Key Setup (LUKS) support.

This package provides suspend mode integration for cryptsetup. It takes care of removing LUKS master key from memory before system suspend.

Please note that the suspend mode integration is limited to LUKS devices and requires systemd.

Potential cryptsetup-suspend Security Issue

cryptsetup-suspend might refuse to suspend, and therefore never wipe the cryptsetup key, when the wrapper's free-memory check fails with the following error:

Not enough memory available. Please close some programs or add swap space to suspend successfully.

From /lib/cryptsetup/scripts/suspend/cryptsetup-suspend-wrapper:

        if [ $((MemAvailable+SwapFree)) -lt $((300*1024*1024)) ]; then
            log_error "Not enough memory available. Please close some programs or add swap space to suspend successfully."
            exit 1
        fi
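The check above aborts with exit 1 before any key wipe happens, so an operator who relies on suspend-to-wipe wants to know in advance whether the condition will hold. The following added example (not code from the Whonix page or from the cryptsetup-suspend package) reproduces that precondition against a /proc/meminfo-style input. It assumes MemAvailable and SwapFree are read in kB as /proc/meminfo reports them; the wrapper's own units for the 300*1024*1024 comparison are not shown on this page, so the threshold is a parameter and the usage line passes 300 MiB expressed in kB.

```shell
#!/bin/sh
# Added example, not part of the Whonix page or cryptsetup-suspend.
# Pre-checks the free-memory condition that makes cryptsetup-suspend-wrapper
# abort (and skip the key wipe). Assumptions: input is a /proc/meminfo-style
# file with values in kB; the threshold is supplied by the caller in kB.

# meminfo_field FILE NAME -> prints the kB value of NAME from FILE (0 if absent)
meminfo_field() {
    mi_file="$1"; mi_name="$2"
    mi_val=$(awk -v n="$mi_name:" '$1 == n { print $2; exit }' "$mi_file")
    printf '%s\n' "${mi_val:-0}"
}

# suspend_mem_check FILE THRESHOLD_KB
#   returns 0 when MemAvailable+SwapFree >= THRESHOLD_KB (wrapper would go on),
#   returns 1 when the wrapper would abort with "Not enough memory available".
suspend_mem_check() {
    smc_file="$1"; smc_threshold_kb="$2"
    mem_available=$(meminfo_field "$smc_file" MemAvailable)
    swap_free=$(meminfo_field "$smc_file" SwapFree)
    total=$((mem_available + swap_free))
    if [ "$total" -lt "$smc_threshold_kb" ]; then
        echo "would abort: MemAvailable+SwapFree=${total} kB < ${smc_threshold_kb} kB" >&2
        return 1
    fi
    echo "ok: MemAvailable+SwapFree=${total} kB >= ${smc_threshold_kb} kB"
    return 0
}

# Constructed sample meminfo (not captured from a real host): a small VM with
# little available memory and no swap, the case the error message describes.
SAMPLE_MEMINFO=$(mktemp)
cat > "$SAMPLE_MEMINFO" <<'EOF'
MemTotal:        2048000 kB
MemFree:          100000 kB
MemAvailable:     180000 kB
SwapTotal:             0 kB
SwapFree:              0 kB
EOF

# Usage: the sample fails a 300 MiB (300*1024 kB) threshold; the live host is
# checked too when /proc/meminfo is readable.
suspend_mem_check "$SAMPLE_MEMINFO" $((300*1024)) || true
if [ -r /proc/meminfo ]; then
    suspend_mem_check /proc/meminfo $((300*1024)) || true
fi
```

Running this before suspending (or from a pre-suspend hook) turns a silent "key still in RAM" outcome into a visible failure that can be logged or acted on.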

cryptsetup

Quote from the cryptsetup man page on luksSuspend and close (previously luksClose). (Bold added.)

luksSuspend suspends active device (all IO operations are frozen) and wipes encryption key from kernel.

close Removes the existing mapping <name> and wipes the key from kernel memory.

Does systemd run cryptsetup luksSuspend, cryptsetup close or cryptsetup luksClose on the root device and thereby wipe the cryptsetup encryption key from kernel memory?

Quote from https://www.freedesktop.org/software/systemd/man/systemd-halt.service.html:

When these services are run, they ensure that PID 1 is replaced by the /usr/lib/systemd/systemd-shutdown tool which is then responsible for the actual shutdown. Before shutting down, this binary will try to unmount all remaining file systems, disable all remaining swap devices, detach all remaining storage devices and kill all remaining processes.

/lib/cryptsetup/cryptdisks-functions

# Removes all mappings in crypttab, except the ones holding the root
# file system or /usr
do_stop() {
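The comment above says do_stop skips the mappings that hold / and /usr, so those are the ones whose keys are still in kernel memory when systemd-shutdown takes over. The following added example (not code from the Whonix page or from the cryptsetup package) is a small audit helper that applies that exclusion rule to a crypttab and a mounts listing and reports which mappings would stay open. It assumes the file system is mounted directly from /dev/mapper/<name> (no LVM between dm-crypt and the mount), and both inputs are constructed samples in the format of /etc/crypttab and /proc/mounts.

```shell
#!/bin/sh
# Added example, not part of the Whonix page or of cryptsetup's
# cryptdisks-functions. Classifies crypttab mappings the way the quoted
# do_stop exclusion does: a mapping that holds / or /usr is "held" (left open,
# key stays in kernel memory); every other mapping is "closable".
# Assumption: / and /usr are mounted straight from /dev/mapper/<name>.

# classify_mappings CRYPTTAB MOUNTS -> lines of "<name> held|closable"
classify_mappings() {
    awk 'FNR == NR {                       # first file: crypttab target names
             if (NF > 0 && $0 !~ /^[ \t]*#/) names[$1] = 1
             next
         }
         ($2 == "/" || $2 == "/usr") && $1 ~ /^\/dev\/mapper\// {
             n = $1; sub(/^\/dev\/mapper\//, "", n)
             if (n in names) held[n] = 1
         }
         END { for (n in names) print n, (n in held ? "held" : "closable") }' \
        "$1" "$2" | sort
}

# held_mappings CRYPTTAB MOUNTS -> names do_stop would leave open
held_mappings() {
    classify_mappings "$1" "$2" | awk '$2 == "held" { print $1 }'
}

# closable_mappings CRYPTTAB MOUNTS -> names do_stop would remove
closable_mappings() {
    classify_mappings "$1" "$2" | awk '$2 == "closable" { print $1 }'
}

# Constructed samples (UUIDs and devices are placeholders, not real values)
SAMPLE_CRYPTTAB=$(mktemp)
cat > "$SAMPLE_CRYPTTAB" <<'EOF'
# <target name> <source device> <key file> <options>
sda3_crypt UUID=constructed-root-uuid none luks,discard
sda4_crypt UUID=constructed-home-uuid none luks
sda5_crypt /dev/sda5 /dev/urandom swap
EOF

SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/mapper/sda3_crypt / ext4 rw,relatime 0 0
/dev/mapper/sda4_crypt /home ext4 rw,relatime 0 0
proc /proc proc rw 0 0
EOF

# Usage: on a real host pass /etc/crypttab and /proc/mounts instead.
echo "left open by do_stop (key remains in kernel memory): $(held_mappings "$SAMPLE_CRYPTTAB" "$SAMPLE_MOUNTS" | tr '\n' ' ')"
echo "closed by do_stop: $(closable_mappings "$SAMPLE_CRYPTTAB" "$SAMPLE_MOUNTS" | tr '\n' ' ')"
```

The "held" list is exactly the set the open question above is about: for those devices nothing in the quoted shutdown path runs luksSuspend or close, so a separate mechanism is needed if their key is to be wiped before power-off.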

systemd

initramfs

Inspiration

Forum Discussion

https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix-cold-boot-attack-defense/5596

Footnotes

Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself.