[pkg-cryptsetup-devel] Bug#978642: Wipe LUKS Disk Encryption Key for Root Disk from RAM during Shutdown to defeat Cold Boot Attacks from Initial Ramdisk (initramfs-tools or dracut)

[Patrick Schleizer]

Package: cryptsetup
Severity: normal
X-Debbugs-CC: whonix-devel at whonix.org

Dear maintainer,

systemd does not wipe the LUKS disk encryption key for root disk from
RAM during shutdown.

Quote myself [0]:

> Avoiding all sidelines, keeping this simple, for my understanding and
for the record and please correct me if I am wrong... Summary:
>
> "cryptsetup close" of root device during shutdown is already implemented.


Quote systemd developer Lennart Poettering [0]:

> iff your initrd/distro of choice do so. For the root disk it doesn’t
matter what systemd does, it matters what the initrd/distro do. hence
ping the maintainers of those.


The purpose of this is to defeat a cold boot attack. [1] [2] [3] [4]

Debian package cryptsetup-suspend [5] wipes LUKS disk encryption key for
root disk from RAM during during system suspend but not during system
shutdown as far as I know. Please correct me if I am wrong, however it
sounds to be as if wipe during shutdown might be substantially easier
than wipe during suspend.

Or perhaps "Wipe LUKS Disk Encryption Key for Root Disk from RAM during
Shutdown" is already implemented in initramfs-tools or dracut?

I reported this bug against Debian cryptsetup. However, I don't know, if
this this is (partially) also a task for initramfs-tools or dracut.
Please kindly move / re-assign this ticket as appropriate.

Cheers,
Patrick

[0] https://github.com/systemd/systemd/issues/17887
[1] https://www.youtube.com/watch?v=JDaicPIgn9U
[2] https://en.wikipedia.org/wiki/Cold_boot_attack
[3] https://blog.f-secure.com/cold-boot-attacks/
[4]
https://www.usenix.org/legacy/event/sec08/tech/full_papers/halderman/halderman.pdf
[5] https://packages.debian.org/experimental/cryptsetup-suspend