Re: [dm-crypt] Memory location of the encryption key

[Milan Broz <mbroz@redhat.com>]

On 02/14/2011 02:03 PM, Peter wrote:
> I've been reading Gutmann's paper on data remanence, which says that
> if some data is kept in the same memory location for very little time
> (1 second), the possibility for recovery of this data is very low,
> because the data had not yet had the time to change the relevant
> physical properties used in cold boot attacks. My question is, does
> dm-crypt change the memory location of encryption key every second?
> Does dm-crypt rewrite the memory location of the key when removing an
> active mapping? What other cold boot attack mitigation techniques the
> dm-crypt does?

Hi,

(I guess you are talking about - quite old - paper named
"Data remanence in semiconductor devices", right?
Then the mandatory reading is http://citp.princeton.edu/memory/ )

In short - dmcrypt doesn't rewrite key and change location every
few seconds and I hope it never will be doing such things.

The "hard" version of Cold Boot is using cooling chips to low
temperature (-50C and lower) the 1 second is no longer true
in this case.

Moreover, this attacks also include "platform reset" attack when
you simply reset device and store memory image, because the power
was still present, there is no memory loss (except few pages
for image tool).

The only possibility here is physical security of machine with
active key in memory.

Any obfuscation of key in memory will not help, only
it complicates attack a little bit.

Maybe you know the story of another full disk encryption system
where they are trying to do such crazy things (inverting key
in memory every few moments)?

When you attack such system using short power down with
following reboot and collecting memory image, you sometimes get
partially corrupted image (some bits already lost its state).
But because there was inverted key stored, it helps you
to _recover_ key instead of hide it.

I am not saying that it is all wrong... 
just this known thing applies here:
"If you let you machine out of your sight, it is no longer your machine."

You simply must provide physical security of machine while mapping
is active. (When deactivating mapping the key is wiped of course.)

What dm-crypt does instead is to provide controlled way how to freeze
dm-crypt device in safe state (no key in memory) without need
to completely shutdown system.

In userspace you can access this using luksSuspend and luksResume commands.
(device is simple suspended and all keys from memory are wiped so
that platform reset attack will not succeed here. It is not 100% solution
because there can be still some plaintext data in memory but no encryption
key).

Milan