[dm-crypt] DM-Crypt resistance against Cold Boot Attacks
corsac at debian.org
Thu May 19 10:01:50 CEST 2011
On Thu, 2011-05-19 at 09:05 +0200, Milan Broz wrote:
> On 05/18/2011 11:53 PM, Yves-Alexis Perez wrote:
> > If you read the paper, you'll notice there's nothing to change to
> > dm-crypt, as the cypher is registered in the Crypto-API, it can be used
> > directly.
> TBH dmcrypt keeps its own copy of the key (because the key is still part
> of the device-mapper mapping table so it must be available for
> status commands).
In that case it'll be the “dummy” key.
> So there are some changes needed but basically technically unrelated
> to that patch.
> (This will hopefully change with new mapping table format soon.)
Needed for what?
> Anyway, it must be accepted into kernel crypto layer first.
I'm not even sure it'll be submitted though.
> IMHO I think that without strong hw support these implementations
> will have some problems but it is good that someone works on such
> (E.g. how it works if it is not bare hw but virtualized system?)
For the AES-NI one, if the hypervisor supports it (they tested on KVM)
yes (though the vm registers are stored in the host ram anyway).
If you're interested, I found that the two papers were quite clear and
quick to read, so it might be a good idea to read them.