From: Milan Broz
Date: Fri, 14 Jan 2011 09:53:36 +0100
Subject: Re: [dm-crypt] keys in memory?
To: dm-crypt@saout.de
Message-ID: <4D300F10.4050600@redhat.com>
In-Reply-To: <20110113235601.GA10251@tansi.org>
References: <375AD447-08EA-41C6-8366-C62CAE8CE5DF@nytimes.com> <20110113235601.GA10251@tansi.org>

On 01/14/2011 12:56 AM, Arno Wagner wrote:
>> When a system has been configured and it's using encrypted LUKS
>> partition(s), are the keys visible in memory?
>
> Not necessarily directly, but the cipher key-setup is.

Just a small addition to this. To be exact, for an active dm-crypt device:

- there is a plain copy of the master key string in the internal struct
  (dmsetup table --showkeys prints that)

- there is a key inside the crypto engine; it is usually a pre-processed key
  (in the AES case it is the whole key schedule table, and this is easily
  detectable, even if it is partially corrupted, see the AES keyfinder
  which uses this trick here http://citp.princeton.edu/memory/code/ )

- because now (2.6.38) we have a per-cpu crypto engine, the key schedule
  will probably be in all local cpu caches during ongoing encryption.

- there can be other important info which can help key recovery, like the
  initialised ESSIV tfm etc.

(These locations should be wiped after the key wipe message, which
luksSuspend uses btw.)

All tries to lock this in processor cache, obfuscate it in memory etc.
will not help - it can just make the problem slightly harder.
(if there is no generic hw helping with that, though)

> On Linux, the memory image is accessible under /proc/kcore.

Not all distributions have this enabled; IIRC RHEL5 has only the ELF
header there, not the whole memory image available.

But if you are superuser, you can get a memory image using a simple
kernel module. A suspended VM stores it in a file. For the hypervisor it
is even simpler.

Milan
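The "key schedule is easily detectable, even if partially corrupted" point above is worth seeing in code. The following is an added example, written for this page; it is neither from the dm-crypt thread nor the Princeton keyfinder itself, but a minimal re-implementation of the same idea: slide over a memory image, treat every 16-byte window as a candidate AES-128 key, expand it with the FIPS-197 key schedule, and accept the window when the 160 bytes that follow agree with the expansion up to a small number of corrupted bytes. The memory image, the key (the FIPS-197 Appendix A.1 test key), the embedding offset and the corruption pattern are all constructed here for the demonstration. One simplifying assumption: the 16 bytes of the original key must be intact in the image; the real keyfinder also reconstructs a damaged key from the other round keys, which this example does not do.

```c
/* Added example: minimal AES-128 key-schedule finder in the spirit of the
 * Princeton cold-boot keyfinder. Not code from the dm-crypt thread or from
 * that tool. Assumption: the 16 key bytes themselves are intact in the image.
 * Build: cc -std=c99 -O2 keyfind.c -o keyfind */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KS_LEN    176   /* 11 round keys * 16 bytes */
#define IMAGE_LEN 1024  /* size of the constructed sample image */
#define EMBED_OFF 300   /* constructed: where the sample schedule is embedded */

static uint8_t sbox[256];
static int sbox_ready;

/* Multiply in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1. */
static uint8_t gmul(uint8_t a, uint8_t b)
{
    uint8_t p = 0;
    while (b) {
        if (b & 1) p ^= a;
        a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0));
        b >>= 1;
    }
    return p;
}

/* Build the S-box at run time (inverse in GF(2^8) plus the affine map)
 * instead of embedding the 256-byte table. */
static void init_sbox(void)
{
    for (int x = 0; x < 256; x++) {
        uint8_t inv = 0;
        for (int y = 1; x && y < 256; y++)
            if (gmul((uint8_t)x, (uint8_t)y) == 1) { inv = (uint8_t)y; break; }
        uint8_t s = inv, r = inv;
        for (int i = 0; i < 4; i++) {          /* r = b ^ rotl1 ^ ... ^ rotl4 */
            s = (uint8_t)((s << 1) | (s >> 7));
            r ^= s;
        }
        sbox[x] = r ^ 0x63;
    }
    sbox_ready = 1;
}

/* FIPS-197 AES-128 key expansion: 16-byte key -> 176-byte schedule. */
static void aes128_expand(const uint8_t key[16], uint8_t out[KS_LEN])
{
    if (!sbox_ready) init_sbox();
    memcpy(out, key, 16);
    uint8_t rcon = 1;
    for (int i = 16; i < KS_LEN; i += 4) {
        uint8_t t[4];
        memcpy(t, out + i - 4, 4);
        if (i % 16 == 0) {                     /* RotWord, SubWord, Rcon */
            uint8_t t0 = t[0];
            t[0] = sbox[t[1]] ^ rcon;
            t[1] = sbox[t[2]];
            t[2] = sbox[t[3]];
            t[3] = sbox[t0];
            rcon = gmul(rcon, 2);
        }
        for (int j = 0; j < 4; j++) out[i + j] = out[i - 16 + j] ^ t[j];
    }
}

/* Bytes in p[16..175] that disagree with the schedule expanded from
 * p[0..15]; 0 means p points at a pristine AES-128 key schedule. */
static int schedule_mismatches(const uint8_t *p)
{
    uint8_t ks[KS_LEN];
    int bad = 0;
    aes128_expand(p, ks);
    for (int i = 16; i < KS_LEN; i++) bad += (ks[i] != p[i]);
    return bad;
}

/* Scan buf for a schedule with at most max_bad corrupted bytes; return the
 * offset (which is also where the key itself lies) or -1. */
static long find_aes128_schedule(const uint8_t *buf, size_t len, int max_bad)
{
    for (size_t off = 0; off + KS_LEN <= len; off++)
        if (schedule_mismatches(buf + off) <= max_bad) return (long)off;
    return -1;
}

/* FIPS-197 Appendix A.1 key; known answer: w[4] = a0fafe17, w[43] = b6630ca6. */
static const uint8_t sample_key[16] = {
    0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c };

static int check_fips197_vector(void)
{
    uint8_t ks[KS_LEN];
    aes128_expand(sample_key, ks);
    return ks[16] == 0xa0 && ks[17] == 0xfa && ks[18] == 0xfe && ks[19] == 0x17 &&
           ks[172] == 0xb6 && ks[173] == 0x63 && ks[174] == 0x0c && ks[175] == 0xa6;
}

/* Constructed stand-in for a memory dump: LCG filler, the sample schedule at
 * EMBED_OFF, then `corrupt` schedule bytes flipped to mimic bit decay
 * (never inside the first 16 bytes, per the assumption above). */
static uint8_t image[IMAGE_LEN];

static const uint8_t *build_sample_image(int corrupt)
{
    uint32_t x = 0x1234567u;
    for (size_t i = 0; i < IMAGE_LEN; i++) {
        x = x * 1103515245u + 12345u;
        image[i] = (uint8_t)(x >> 16);
    }
    aes128_expand(sample_key, image + EMBED_OFF);
    for (int k = 0; k < corrupt && 20 + 40 * k < KS_LEN; k++)
        image[EMBED_OFF + 20 + 40 * k] ^= 0xff;
    return image;
}

int main(void)
{
    const uint8_t *img = build_sample_image(3);
    printf("FIPS-197 vector ok: %d\n", check_fips197_vector());
    printf("exact search:    offset %ld\n", find_aes128_schedule(img, IMAGE_LEN, 0));
    printf("tolerant search: offset %ld (%d bad bytes)\n",
           find_aes128_schedule(img, IMAGE_LEN, 8), schedule_mismatches(img + EMBED_OFF));
    return 0;
}
```

The exact search fails on the decayed image while the tolerant one still lands on the key, which is the whole point of looking for the schedule rather than the raw 16 bytes: the 160 derived bytes are redundant structure that survives partial corruption. On a real dump (a /proc/kcore read, a VM snapshot, a cold-boot image) the same loop applies, with the obvious performance work of pruning candidates after the first mismatching round key instead of expanding all ten rounds at every offset.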