#978642 Wipe LUKS Disk Encryption Key for Root Disk from RAM during Shutdown to defeat Cold Boot Attacks from Initial Ramdisk (initramfs-tools or dracut)

Package:
cryptsetup-initramfs
Source:
cryptsetup
Submitter:
Patrick Schleizer
Date:
2020-12-29 19:15:04 UTC
Severity:
wishlist
Tags:
Blocked By:
Bug Title
778849

  12

 Support restoring initrd on shutdown and pivoting into it

wishlist stable testing unstable about 1 year ago

#978642#5
Date:
2020-12-29 15:51:40 UTC
From:
To:
Dear maintainer,

systemd does not wipe the LUKS disk encryption key for root disk from
RAM during shutdown.

Quote myself [0]:
for the record and please correct me if I am wrong... Summary:


Quote systemd developer Lennart Poettering [0]:
matter what systemd does, it matters what the initrd/distro do. hence
ping the maintainers of those.


The purpose of this is to defeat a cold boot attack. [1] [2] [3] [4]

Debian package cryptsetup-suspend [5] wipes LUKS disk encryption key for
root disk from RAM during during system suspend but not during system
shutdown as far as I know. Please correct me if I am wrong, however it
sounds to be as if wipe during shutdown might be substantially easier
than wipe during suspend.

Or perhaps "Wipe LUKS Disk Encryption Key for Root Disk from RAM during
Shutdown" is already implemented in initramfs-tools or dracut?

I reported this bug against Debian cryptsetup. However, I don't know, if
this this is (partially) also a task for initramfs-tools or dracut.
Please kindly move / re-assign this ticket as appropriate.

Cheers,
Patrick

[0] https://github.com/systemd/systemd/issues/17887
[1] https://www.youtube.com/watch?v=JDaicPIgn9U
[2] https://en.wikipedia.org/wiki/Cold_boot_attack
[3] https://blog.f-secure.com/cold-boot-attacks/
[4]
https://www.usenix.org/legacy/event/sec08/tech/full_papers/halderman/halderman.pdf
[5] https://packages.debian.org/experimental/cryptsetup-suspend
#978642#10
Date:
2020-12-29 16:21:04 UTC
From:
To:
Control: severity -1 wishlist
Control: reassign -1 cryptsetup-initramfs
Control: block -1 by 778849

Hi,

AFAICT dracut has dracut-shutdown(8) which you can extend at will, or
convince the maintainer to ship the required logic for everyone.
However Debian's default initramfs, namely initramfs-tools(7) currently
has no interface to hook into at shutdown, and init doesn't even hand
execution over to the initramfs during the shutdown phase (#778849).
When such an interface is available we can ship shutdown scripts into
cryptsetup-initramfs.

cheers
#978642#21
Date:
2020-12-29 17:23:57 UTC
From:
To:
Great, so we have this feature request for cryptsetup-initramfs side.

Created a separate feature requests for Debian dracut side:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978644

Also reported against dracut upstream:

https://github.com/dracutdevs/dracut/issues/997

Cheers,
Patrick