Re: [dm-crypt] RAM Flush on Shutdown?

DM-Crypt Archive on lore.kernel.org
 help / color / mirror / Atom feed

From: Milan Broz <gmazyland@gmail.com>
To: Saiga <semperbrassicaphagos@gmail.com>, dm-crypt@saout.de
Subject: Re: [dm-crypt] RAM Flush on Shutdown?
Date: Sat, 08 Feb 2014 18:05:05 +0100	[thread overview]
Message-ID: <52F663C1.3020609@gmail.com> (raw)
In-Reply-To: <1391817157.24979.1.camel@cardboardbox>

On 02/08/2014 12:52 AM, Saiga wrote:
> Does DM-Crypt/LUKS purge the RAM of the master key when the shutdown
> signal is given? If not how could I configure it to do so?

Not explicitly (no shutdown handler directly in dmcrypt) but init
system should dismout storage stack properly.
(Dmcrypt will wipe key on mapping removal. You can also force removal
of active device by "dmsetup remove -f <dev>" - this will replace active
dmcrypt mapping by remapping to error target thus removal of key
in memory as well.)

I think the only init system currently implementing this is systemd,
others just only remount read-only on shutdown which will not remove
dmcrypt key from memory. You need some ramdisk to do this properly...

The problem is obvious here - you have no idea which IO are in flight,
so force removal of key is equivalent to force device removal.

Another option is to explicitly call key wipe (which will put dmcrypt
device in suspend state). Not sure if anyone using this - but it was
designed for suspend to RAM.

Milan

     prev parent reply	other threads:[~2014-02-08 17:05 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-02-07 23:52 [dm-crypt] RAM Flush on Shutdown? Saiga
2014-02-08 17:05 ` Milan Broz [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=52F663C1.3020609@gmail.com \
    --to=gmazyland@gmail.com \
    --cc=dm-crypt@saout.de \
    --cc=semperbrassicaphagos@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox