#1 2015-01-23 18:23:32

SirCmpwn
Member
Registered: 2013-09-18
Posts: 89

How to do an emergency shutdown with dm-crypt?

I was considering the best way to get an encrypted system from running to secure in the minimum time possible. My thought was to SIGKILL everything and unmount /, then close the cryptdevice and power off. However, I'm not sure how to proceed after umounting /. Is it possible to/how can I unmount root? Could I remount it with a minimal ramdisk that has the necessary tools to finish the job?

My concern is that I want to get the keys out of memory ASAP to mitigate a cold boot attack. Simply removing the power leaves them in RAM for a little while - closing the cryptdevice is better.

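One way to order the steps the first post asks about, as an added example that is not part of the thread. It assumes LUKS volumes, a root shell, and `cryptsetup` and `fuser` (psmisc) installed; the function name `emergency_plan` and the mapping names `cryptroot` and `crypthome` are constructed for illustration. Using `cryptsetup luksSuspend` on the root mapping is an approach no poster proposed: it blocks I/O on the device and wipes the volume key from kernel memory without needing to unmount `/`.

```shell
#!/bin/sh
# Added example, not from the thread: prints an ordered emergency plan.
# Assumed: LUKS volumes, root shell, cryptsetup and psmisc (fuser) installed.

# emergency_plan ROOT_MAPPING [NAME:MOUNTPOINT ...]
emergency_plan() {
    [ -n "${1:-}" ] || { echo "usage: emergency_plan ROOT [NAME:MNT ...]" >&2; return 2; }
    root_map=$1
    shift

    # Flush dirty pages while every device still has its key.
    echo "sync"

    # Non-root volumes can be torn down completely: kill users of the
    # mount, unmount, then close the mapping, which removes its key.
    for entry in "$@"; do
        case $entry in
            *:/*) ;;
            *) echo "bad entry: $entry" >&2; return 2 ;;
        esac
        name=${entry%%:*}
        mnt=${entry#*:}
        echo "fuser -km '$mnt'"
        echo "umount '$mnt'"
        echo "cryptsetup close '$name'"
    done

    # The root mapping cannot be closed while / is mounted. luksSuspend
    # freezes its I/O and wipes the volume key from kernel memory instead.
    # After that nothing can be read from /, so the power-off must already
    # be parsed: same line, shell builtin only, no external binary.
    echo "cryptsetup luksSuspend '$root_map' && echo o > /proc/sysrq-trigger"
}

# Constructed sample layout: root on "cryptroot", /home on "crypthome".
emergency_plan cryptroot crypthome:/home
```

The function only prints the plan, so it can be reviewed on the target layout before anything is executed.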

#2 2015-01-23 20:09:31

zezadas
Member
Registered: 2013-04-11
Posts: 35

Re: How to do an emergency shutdown with dm-crypt?


#3 2015-01-23 21:32:06

clfarron4
Member
From: London, UK
Registered: 2013-06-28
Posts: 2,163

Re: How to do an emergency shutdown with dm-crypt?

I'm with zezadas on this one.

====

If you don't mind doing a full re-install and a lot of hoop jumping to set it up:

[shameless-self-promotion] There are mechanisms such as TRESOR, which are designed to address this very concern, by storing the AES keys in the CPU debug registers. I just so happen to provide this in the linux-tresor package [/shameless-self-promotion]

However, you must remember these things if you choose to use such a thing:
1) It uses aes-cbc-essiv encryption. No XTS, XEX or anything like that. <= Added to my bucket list to see if this can be changed for 128 bit keys (we'd need 128 bit CPUs to get this going for any larger AES keysize).
2) On 32 bit systems, you're restricted to 128 bit keys (CPUs only have 4 debug registers, hence the 128 bit keys for 32 bit).
3) There is currently no current installation medium from which you can set up a TRESOR-encrypted installation right from the off (because you need a TRESOR-enabled kernel to set it up). For now, this means you need to set up a full install so you can boot into the TRESOR kernel to then set up a TRESOR-enabled installation. <= This has just been added to my bucket list of things to fix with TRESOR for ArchLinux.
4) As demonstrated by this article, the key generation for TRESOR and AES are slightly different.
5) TRESOR depends on having an AES-NI capable processor for x86_64.
6) I'll stop here.

Last edited by clfarron4 (2015-01-23 21:37:03)


Claire is fine.
Problems? I have dysgraphia, so clear and concise please.
My public GPG key for package signing
My x86_64 package repository
