[pkg-cryptsetup-devel] Bug#811456: Bug#811456: Unable to find seq in shutdown
Guilhem Moulin
guilhem at guilhem.org
Tue Jan 19 20:33:12 UTC 2016
Control: tag -1 pending
On Tue, 19 Jan 2016 at 13:34:10 +0100, Klaus Ethgen wrote:
> Am Di den 19. Jan 2016 um 12:02 schrieb Guilhem Moulin:
>> On Tue, 19 Jan 2016 at 08:08:42 +0100, Klaus Ethgen wrote:
> I did expand the seq in the script for short term fix.
> […]
> Well, exactly that is it. There should be a deterministic check if there
> are leftover crypt devices and close them.
I've also replaced it with an explicit list and an exponential waiting
time (1, 2, 4, 8, 16s).
> While open crypt devices are not great, they will at least not end with
> lost data. Not by themself. But I do not like the idea that they stay
> open with key material still in memory (search for cold boot attack).
Exactly. There is Tails' Memory erasure design [0], but it goes beyond
the scope of this bug. (And of course, is moot when the system is
brought down by loosing its power.) I should also add that while Cold
Boot Attacks are a reality with SDRAM and DDR2 [1], DDR3 seem to be
practically immune against them [2].
--
Guilhem.
[0] https://tails.boum.org/contribute/design/memory_erasure/
[1] http://static.usenix.org/event/sec08/tech/full_papers/halderman/halderman.pdf
[2] https://www1.cs.fau.de/filepool/projects/coldboot/fares_coldboot.pdf
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-cryptsetup-devel/attachments/20160119/4c301294/attachment.sig>
More information about the pkg-cryptsetup-devel
mailing list