From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gmazyland@gmail.com>
Received: from mail.saout.de ([127.0.0.1])
 by localhost (mail.saout.de [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id hOdTVnCIsnnL for <dm-crypt@saout.de>;
 Mon, 11 Nov 2013 06:51:38 +0100 (CET)
Received: from mail-bk0-x22c.google.com (mail-bk0-x22c.google.com
 [IPv6:2a00:1450:4008:c01::22c])
 (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
 (No client certificate requested)
 by mail.saout.de (Postfix) with ESMTPS
 for <dm-crypt@saout.de>; Mon, 11 Nov 2013 06:51:38 +0100 (CET)
Received: by mail-bk0-f44.google.com with SMTP id mx12so580099bkb.31
 for <dm-crypt@saout.de>; Sun, 10 Nov 2013 21:51:37 -0800 (PST)
Received: from [192.168.2.24] (56.157.broadband5.iol.cz. [88.100.157.56])
 by mx.google.com with ESMTPSA id w9sm13179232bkn.12.2013.11.10.21.51.34
 for <dm-crypt@saout.de>
 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
 Sun, 10 Nov 2013 21:51:36 -0800 (PST)
Message-ID: <5280705B.7010506@gmail.com>
Date: Mon, 11 Nov 2013 06:51:23 +0100
From: Milan Broz <gmazyland@gmail.com>
MIME-Version: 1.0
References: <BLU181-W35325A5B76FBC4138E7AC8C9FD0@phx.gbl>
 <20131109225126.GA8017@tansi.org>
 <BLU181-W48EB1D9D106089FAF9A702C9FC0@phx.gbl>
 <20131110162658.GB18656@tansi.org>
 <BLU181-W76117F145E9E68B99D5675C9FF0@phx.gbl>
 <20131111031313.GA24913@tansi.org>
In-Reply-To: <20131111031313.GA24913@tansi.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [dm-crypt] Forgot dm-crypt password;
 suggestions on steps to undertake
List-Id: <dm-crypt.saout.de>
List-Unsubscribe: <http://www.saout.de/mailman/options/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=unsubscribe>
List-Archive: <http://www.saout.de/pipermail/dm-crypt/>
List-Post: <mailto:dm-crypt@saout.de>
List-Help: <mailto:dm-crypt-request@saout.de?subject=help>
List-Subscribe: <http://www.saout.de/mailman/listinfo/dm-crypt>,
 <mailto:dm-crypt-request@saout.de?subject=subscribe>
To: dm-crypt@saout.de

On 11.11.2013 4:13, Arno Wagner wrote:
> On Mon, Nov 11, 2013 at 03:25:30 CET, John Thoe wrote:
>> Hello Arno and Milan
>
>> Thanks very much for your replies. I was not successful in retrieving the
>> passphrase but it was a good learning experience.
>
>> A question about LUKS I have is that I travel a lot and sometimes have to
>> leave my laptop unattended and I put it to sleep or lock it.  Is it
>> possible for an attacker to retrieve the keys while the laptop is in that
>> state.  My question is that should I always shutdown the laptop to be safe
>> or is it fine to leave it locked or in sleep mode?  Can the keys be
>> recovered from memory?
>
> The keys can be recovered from memory. Also, an attacker could
> boot your machine and install malware or could install a physical
> key-logger. The usual consent is that if an attacker has
> repeated unnoticed physical access to a machine, no security
> measure will help. Even encryption (shut-down state) will really
> only help against an attacker that gets access only once and
> steals the machine.

This is obviously true. But if ignoring hw tampering, if you use hibernate
(to encrypted swap - should be default for distros with encrypted install)
it is safe - key is not in memory, RAM content is stored encrypted,
and you have to provide password on resume.

For suspend to RAM ("sleep") the key is still in memory so it can be quite
easily extracted.
(dmcrypt provides way how to temporarily wipe key from memory but distributions
do not use yet this because it requires quite complex handling)

Milan