dracut
Wipe LUKS Disk Encryption Key for Root Disk from RAM during Shutdown to defeat Cold Boot Attacks
Is your feature request related to a problem? Please describe.
Defeat Cold Boot Attacks by wiping LUKS disk encryption during shutdown.
What is a Cold Boot Attack? See:
- https://www.youtube.com/watch?v=JDaicPIgn9U
- https://en.wikipedia.org/wiki/Cold_boot_attack
- https://blog.f-secure.com/cold-boot-attacks/
- https://www.usenix.org/legacy/event/sec08/tech/full_papers/halderman/halderman.pdf
Describe the solution you'd like
Run cryptsetup close at end of shutdown procedure.
Quote cryptsetup close (previously cryptsetup luksClose) man page (bold added):
close Removes the existing mapping and wipes the key from kernel memory.
Maybe cryptsetup close could be done during dracut-shutdown?
This would not wipe all secrets from RAM to defeat a cold boot attack but at least remove one of the most important secrets, the root disk LUKS encryption key.
Describe alternatives you've considered
Linux kernel feature:
This issue can probably not be redirected at the Linux kernel. While a generic solution, Wipe RAM to defeat Cold Boot Attacks (https://github.com/systemd/systemd/issues/17242), probably belongs in the kernel, this does not. For the kernel to be able to wipe the memory, encrypted LUKS devices need to be properly closed first. cryptsetup close does that.
systemd feature:
systemd does not wipe the LUKS disk encryption key for root disk from RAM during shutdown. And as I understand systemd developer @poettering Lennart Poettering, this isn't up to systemd either. It's up to the initrd / initramfs. (https://github.com/systemd/systemd/issues/17887)
Quote myself (https://github.com/systemd/systemd/issues/17887#issuecomment-750340608):
Avoiding all sidelines, keeping this simple, for my understanding and for the record and please correct me if I am wrong... Summary:
"cryptsetup close" of root device during shutdown is already implemented.
Quote systemd developer @poettering Lennart Poettering (https://github.com/systemd/systemd/issues/17887#issuecomment-751252894):
"cryptsetup close" of root device during shutdown is already implemented. iff your initrd/distro of choice do so. For the root disk it doesn't matter what systemd does, it matters what the initrd/distro do. hence ping the maintainers of those.
https://github.com/dracutdevs/dracut/pull/1858
Is this only an issue if systemd-cryptsetup is not included in the initramfs?
No, this is also an issue with systemd-cryptsetup included.
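A sketch of the late-shutdown step requested in this issue, added here as an example and not taken from dracut or systemd: it lists the dm-crypt mappings that are still open (and so still hold a key in kernel memory) and runs cryptsetup close on each. The function names, the sample table and the assumption that it runs from the initramfs after the root filesystem has been unmounted are all hypothetical.

```shell
#!/bin/sh
# Added example, not dracut code. Function and variable names are hypothetical.

# Constructed sample of `dmsetup table` output (key fields are masked values).
SAMPLE_TABLE='luks-root: 0 975699968 crypt aes-xts-plain64 :64:logon:cryptsetup:constructed-uuid-d0 0 8:3 32768
vg0-swap: 0 16777216 linear 253:0 2048
luks-home: 0 204800 crypt aes-xts-plain64 0000000000000000 0 8:4 4096'

# Read `dmsetup table` text on stdin and print the name of every mapping that
# has a "crypt" target. Line format: "<name>: <start> <length> <target> ...".
# A mapping with several crypt segments is reported once.
crypt_maps_from_table() {
    awk '$4 == "crypt" && !seen[$1]++ { sub(/:$/, "", $1); print $1 }'
}

# Close every dm-crypt mapping that is still open. `cryptsetup close` fails
# while the device is in use (for example a root filesystem that is still
# mounted), so those mappings are reported on stderr and the function
# returns non-zero: their keys are still in kernel memory.
close_remaining_crypt_maps() {
    rc=0
    for name in $(dmsetup table --target crypt | crypt_maps_from_table); do
        if cryptsetup close "$name"; then
            echo "closed $name"
        else
            echo "still open, key not wiped: $name" >&2
            rc=1
        fi
    done
    return "$rc"
}
```

Piping `$SAMPLE_TABLE` into `crypt_maps_from_table` prints the two crypt mappings and skips the linear one; a non-zero return from `close_remaining_crypt_maps` is the signal to log before power-off.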