[dm-crypt] keys from RAM dumps, hibernation files

Heinz Diehl htd+ml at fritha.org
Fri Nov 14 08:06:45 CET 2014

On 13.11.2014, Lars Winterfeld wrote:

> What they say about their method is only that it "acquires protection
> keys from RAM dumps, hibernation files". Now I wonder, how does this
> attack work exactly and how vulnerable is cryptsetup against it in a
> linux environment?

Whole disk encryption only protects your data when your computer is
off. Thus, there's no memory dump to catch.

> Suppose THEY have the device in their hands.
> I guess the attack is easiest when I suspended to disk, because all
> information needed for decryption (of the mounted crypt volumes) is
> stored in plain on the disk?

Don't do that. Of course, it depends on the level of security you want
to have, and your threat model.

> When I suspend to RAM and they wake the device up again, they need to
> hack the login screen?

In general, when an adversary can get physical access to your running
machine, all bets are off. You can regard this machine as compromised.

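Added example for the hibernation case discussed above; it is not part of the thread and not cryptsetup's own code. Hibernation writes the kernel's memory image, mounted volumes' keys included, into a swap device, so the practical check is whether every active swap device itself sits on a dm-crypt mapping. The script parses the layout of /proc/swaps and of `lsblk -s -r -n -o NAME,TYPE <device>` (the device first, then each device it depends on, one "NAME TYPE" pair per line); the sample /proc/swaps content and lsblk chains are constructed, not captured from a real machine, and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread: is the swap that a
# hibernation image would land on itself a dm-crypt mapping?
# Two pure functions parse text so the logic can be checked on the
# constructed samples below; check_live_swaps() runs the real commands.

# Print the block devices listed in /proc/swaps. Swap files are skipped:
# their protection depends on the filesystem they live in, not shown here.
# $1: contents of /proc/swaps
list_swap_devices() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 == "partition" { print $1 }'
}

# Decide whether any layer under a swap device is a dm-crypt mapping.
# $1: output of `lsblk -s -r -n -o NAME,TYPE <device>`
# Returns 0 when a layer of TYPE "crypt" is present, 1 otherwise.
swap_chain_is_encrypted() {
    printf '%s\n' "$1" | awk '$2 == "crypt" { found = 1 } END { exit found ? 0 : 1 }'
}

# Classify every swap device: prints "<device> encrypted" or
# "<device> PLAINTEXT" per device; returns 0 only if all are encrypted.
# $1: contents of /proc/swaps
# $2: name of a function that takes a device path and prints its lsblk chain
classify_swaps() {
    swaps="$1"; chain_fn="$2"; bad=0
    for dev in $(list_swap_devices "$swaps"); do
        if swap_chain_is_encrypted "$("$chain_fn" "$dev")"; then
            echo "$dev encrypted"
        else
            echo "$dev PLAINTEXT"; bad=1
        fi
    done
    return $bad
}

# Live variant: the running kernel's /proc/swaps plus lsblk(8).
lsblk_chain() { lsblk -s -r -n -o NAME,TYPE "$1"; }
check_live_swaps() { classify_swaps "$(cat /proc/swaps)" lsblk_chain; }

# Constructed /proc/swaps sample (not from a real system): one swap on a
# LUKS mapping, one on a bare partition.
SAMPLE_SWAPS='Filename        Type        Size     Used  Priority
/dev/dm-1       partition   8388604  0     -2
/dev/sdb2       partition   2097148  0     -3'

# Constructed lsblk chains for the two sample devices.
sample_chain() {
    case "$1" in
        /dev/dm-1) printf 'cryptswap crypt\nsda3 part\nsda disk\n' ;;
        /dev/sdb2) printf 'sdb2 part\nsdb disk\n' ;;
    esac
}

# Demo on the constructed sample; replace with check_live_swaps for a real host.
if classify_swaps "$SAMPLE_SWAPS" sample_chain; then
    echo "all swap devices are encrypted"
else
    echo "at least one swap device is plaintext: do not hibernate"
fi
```

A TYPE of "crypt" only shows that a dm-crypt layer is present, not how it is keyed: swap set up with a fresh random key on every boot cannot be resumed from at all, and swap files are not covered by this check. For the suspend-to-RAM branch of the discussion the relevant tool is `cryptsetup luksSuspend <name>`, which wipes the volume key from kernel memory and freezes I/O on the mapping until `cryptsetup luksResume <name>` asks for the passphrase again.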