[dm-crypt] luksSuspend for plain dm-crypt

Milan Broz gmazyland at gmail.com
Tue Aug 29 15:17:25 CEST 2017


On 08/29/2017 02:42 PM, dm-crypt at stachelkaktus.net wrote:
> 
> That sounds interesting, but I'm not sure if it will help. I try to
> erase the key before I suspend to RAM so that cold boot attacks don't
> work here. If it's in the kernel keyring, it should still be possible to
> find it in the memory. Or have I misread that keyring concept?

Yes, you are correct.

For this key (volume key) it can be wiped after the dm-crypt device
is activated; the reason to use the keyring is that the key is no longer included
in dm-ioctl and dm-crypt no longer needs to keep the key in its internal structures.

Now during the dm-crypt device lifetime (except luksSuspend) the key is in memory
in several places: the dm-crypt struct and then in the crypto API engine - usually multiple
times (per CPU, depending on the crypto module implementation).

The dm-crypt wipe command should wipe all these keys.

Milan
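The "wipe command" Milan refers to is the dm-crypt "key wipe" target message, which cryptsetup luksSuspend sends for LUKS devices after suspending the mapping. A plain dm-crypt mapping has no LUKS header, so the same two steps have to be issued by hand with dmsetup. The helper below is an added example written for this thread, not code from the list post or from cryptsetup; it assumes dmsetup is in PATH, that it runs as root, and that the mapping name (cryptroot in the usage comment) is one you substitute. The table parser is fed constructed dmsetup table output so it can be checked offline.

```shell
#!/bin/sh
# Added example (not from the list post): pre-suspend helper for *plain*
# dm-crypt mappings. It suspends the dm device and then sends dm-crypt the
# "key wipe" message, so the volume key is cleared from the dm-crypt struct
# and from the crypto API copies before the machine suspends to RAM.
# On resume the key has to be set again ("key set") and the device resumed.
# Assumptions: dmsetup in PATH, run as root, mapping name supplied by caller.

# Parse "dmsetup table" output on stdin and print the names of crypt targets.
# Each line looks like: "<name>: <start> <length> crypt <cipher> <key> ..."
# (without --showkeys the key column is printed as zeros, which is all we need).
crypt_targets_from_table() {
    while IFS= read -r line; do
        name=${line%%:*}          # text before the first colon
        rest=${line#*: }          # "<start> <length> <target> ..."
        # shellcheck disable=SC2086  # word-splitting the table fields is intended
        set -- $rest
        if [ "${3:-}" = "crypt" ]; then
            printf '%s\n' "$name"
        fi
    done
    return 0
}

# Wipe the volume key of one mapping. The device must be suspended first:
# dm-crypt rejects key messages unless the target is suspended. I/O issued to
# the mapping afterwards blocks until the key is set again and it is resumed.
wipe_volume_key() {
    dmsetup suspend "$1" && dmsetup message "$1" 0 key wipe
}

# Restore after resume: the hex-encoded key arrives on stdin (from a prompt or
# a pipe, never on the command line where it would show in the process list).
restore_volume_key() {
    hexkey=$(cat)
    dmsetup message "$1" 0 key set "$hexkey" && dmsetup resume "$1"
}

# Usage (as root), wiping every crypt mapping before suspend:
#   dmsetup table | crypt_targets_from_table | while read -r dev; do
#       wipe_volume_key "$dev"
#   done
#   systemctl suspend
# and after wake-up, for each device:
#   printf '%s' "$HEXKEY" | restore_volume_key cryptroot
```

Because the wipe happens inside the kernel through the target message, it clears the copies Milan lists (the dm-crypt struct and the crypto API engine's per-CPU instances) regardless of whether the mapping was created with a LUKS header or with plain mode; what it cannot do is bring the device back without the key, so the restore path needs a way to re-enter it after wake-up.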
