Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Wipe LUKS Disk Encryption Key for Root Disk from RAM during Shutdown to defeat Cold Boot Attacks #997

Open
adrelanos opened this issue Dec 29, 2020 · 3 comments · May be fixed by #2471
Open

Wipe LUKS Disk Encryption Key for Root Disk from RAM during Shutdown to defeat Cold Boot Attacks #997

adrelanos opened this issue Dec 29, 2020 · 3 comments · May be fixed by #2471
Labels
crypt Issues related to the crypt module enhancement Issue adding new functionality shutdown Issues related to the shutdown module

Comments

@adrelanos
Copy link

Is your feature request related to a problem? Please describe.

Defeat Cold Boot Attacks by wiping LUKS disk encryption during shutdown.

What is a Cold Boot Attacks? See:

Describe the solution you'd like
Run cryptsetup close at end of shutdown procedure.

Quote cryptsetup close (previously cryptsetup lukseClose) man page (bold added):

close
Removes the existing mapping and wipes the key from kernel memory.

Maybe cryptsetup close could be done during dracut-shutdown?

This would not wipe all secrets from RAM to defeat a cold boot attack but at least remove one of the most important secrets, the root disk LUKS encryption key.

Describe alternatives you've considered

Linux kernel feature:

This issue can probably not be redirected at the Linux kernel. While a generic solution Wipe RAM to defeat Cold Boot Attacks (systemd/systemd#17242) probably belongs into the kernel, this does not. For the kernel to be able to wipe the memory, encrypted LUKS devices need to be properly closed first. cryptsetup close does that.

systemd feature:

systemd does not wipe the LUKS disk encryption key for root disk from RAM during shutdown. And as I understand systemd developer @poettering Lennart Poettering, this isn't up to systemd either. It's up to the initrd / initramfs. (systemd/systemd#17887)

Quote myself (systemd/systemd#17887 (comment)):

Avoiding all sidelines, keeping this simple, for my understanding and for the record and please correct me if I am wrong... Summary:

"cryptsetup close" of root device during shutdown is already implemented.

Quote systemd developer @poettering Lennart Poettering (systemd/systemd#17887 (comment)):

"cryptsetup close" of root device during shutdown is already implemented.

iff your initrd/distro of choice do so. For the root disk it doesn't matter what systemd does, it matters what the initrd/distro do. hence ping the maintainers of those.
@adrelanos adrelanos added the enhancement Issue adding new functionality label Dec 29, 2020
@adrelanos adrelanos mentioned this issue Dec 29, 2020
Closed
@adrelanos adrelanos mentioned this issue Jun 29, 2022
Closed
3 tasks
@adrelanos
Copy link
Author

#1858

@adrelanos adrelanos mentioned this issue Aug 4, 2022
Open
@LaszloGombos LaszloGombos added crypt Issues related to the crypt module shutdown Issues related to the shutdown module labels Mar 7, 2023
@DanWin DanWin linked a pull request Aug 4, 2023 that will close this issue
Open
3 tasks
@LaszloGombos
Copy link
Collaborator

Is this only an issue if systemd-cryptsetup is not included in the initramfs ?

@DanWin
Copy link

DanWin commented Apr 4, 2024

No, this is also an issue with systemd-cryptsetup included.

@dracutng dracutng mentioned this issue Apr 4, 2024
Closed
3 tasks
@LaszloGombos LaszloGombos mentioned this issue Apr 19, 2024
Closed
@DanWin DanWin mentioned this issue May 6, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
crypt Issues related to the crypt module enhancement Issue adding new functionality shutdown Issues related to the shutdown module
Projects
None yet
Milestone
No milestone
3 participants
@LaszloGombos @adrelanos @DanWin