Actions

RAM Wipe Development Notes

From Whonix

< Dev




cryptsetup-suspend[edit]

(Bold added.)

Package: cryptsetup-suspend [...] Description: disk encryption support - suspend mode integration Cryptsetup provides an interface for configuring encryption on block devices (such as /home or swap partitions), using the Linux kernel device mapper target dm-crypt. It features integrated Linux Unified Key Setup (LUKS) support. . This package provides suspend mode integration for cryptsetup. It takes care of removing LUKS master key from memory before system suspend. . Please note that the supsend mode integration is limited to LUKS devices and requires systemd.

Potential cryptsetup-suspend Security Issue[edit]

Might not suspend and wipe cryptsetup key.

Not enough memory available. Please close some programs or add swap space to suspend successfully.

/lib/cryptsetup/scripts/suspend/cryptsetup-suspend-wrapper [archive]

        if [ $((MemAvailable+SwapFree)) -lt $((300*1024*1024)) ]; then
            log_error "Not enough memory available. Please close some programs or add swap space to suspend successfully."
            exit 1
        fi

cryptsetup[edit]

Quote cryptsetup luksSuspend, cryptsetup close (previously cryptsetup lukseClose) man page [archive]. (Bold added.)

luksSuspend suspends active device (all IO operations are frozen) and wipes encryption key from kernel.

close Removes the existing mapping <name> and wipes the key from kernel memory.

Does systemd run cryptsetup luksSuspend, cryptsetup close or cryptsetup lukseClose on the root device and thereby wipe the cryptsetup encryption key from kernel memory?

Quote https://www.freedesktop.org/software/systemd/man/systemd-halt.service.html [archive]

When these services are run, they ensure that PID 1 is replaced by the /usr/lib/systemd/systemd-shutdown tool which is then responsible for the actual shutdown. Before shutting down, this binary will try to unmount all remaining file systems, disable all remaining swap devices, detach all remaining storage devices and kill all remaining processes.

/lib/cryptsetup/cryptdisks-functions

# Removes all mappings in crypttab, except the ones holding the root
# file system or /usr
do_stop() {

systemd[edit]

initramfs[edit]

Inspiration[edit]

Forum Discussion[edit]

https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix-cold-boot-attack-defense/5596 [archive]

Footnotes[edit]




Fosshost is sponsors Kicksecure ™ stage server Whonix old logo.png
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki


Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: 1024px-Telegram 2019 Logo.svg.png Discourse logo.png Matrix logo.svg.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contriute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png link=mailto:?subject=Dev/RAM Wipe&body=https://www.whonix.org/wiki/Dev/RAM_Wipe link=https://reddit.com/submit?url=https://www.whonix.org/wiki/Dev/RAM_Wipe&title=Dev/RAM Wipe link=https://news.ycombinator.com/submitlink?u=https://www.whonix.org/wiki/Dev/RAM_Wipe&t=Dev/RAM Wipe link=https://mastodon.technology/share?message=Dev/RAM Wipe%20https://www.whonix.org/wiki/Dev/RAM_Wipe&t=Dev/RAM Wipe

Please help us to improve the Whonix ™ Wikipedia Page. Also see the feedback thread.

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.