Wipe RAM to prevent Cold Boot Attack
by lisamint from LinuxQuestions.org on (#4VX11)
Hi Everyone,
What's the best way to protect your encrypted keys from a cold boot attack (CBA)?
Like many of you, I use Keepass and Veracrypt, which handle encrypted keys that are stored in the RAM. To prevent a CBA, there seem to be software-based (e.g., encrypting RAM - BitArmor; storing keys outside RAM - Tresor) and hardware-based solutions (e.g., dedicated CPUs storing keys automatically).
After having read a few articles and searched on forums, I found that a 'good' potential solution would be to wipe the RAM before shutdown (either manually through commands in Terminal or through a script to be run automatically): e.g., https://www.tecmint.com/clear-ram-me...pace-on-linux/ (specifically, # echo 3 > /proc/sys/vm/drop_caches), although that may also have some implications for the kernel. Also, Secure-Delete can be installed from Software Manager.
That way, anyone who tried to execute a CBA would obtain nothing from the contents of the RAM. Would that be a 'good' option?
There are also three details that confuse me:
1. My system is protected with full-disk encryption (i.e., everything except /boot is encrypted using dmcrypt/luks). Would the wipe-the-RAM option still be a 'good' idea, and would it not affect the normal booting process when asking me for a password to decrypt the full disk?
2. Keepass clears the clipboard within 12 seconds by default after copying a password, whereas Veracrypt wipes the password cache by default (Preferences/Security tab) when it exits. Would I still need to wipe the RAM?
3. Apparently, CBA can only be effective on DRAM2, but not on DRAM3. Is this correct?
Thanks.
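As an added example (my own, not from the thread or from any of the tools mentioned), here is a read-only POSIX shell checklist a defender can run before relying on "wipe RAM at shutdown" as a cold-boot mitigation. It checks three things the question touches on: whether the running kernel was built with CONFIG_RESET_ATTACK_MITIGATION (Linux then asks UEFI firmware, through the TCG MemoryOverwriteRequestControl variable, to clear DRAM on the next reset), what that variable currently says if the firmware exposes it, and which dm-crypt mappings are still open, since a LUKS master key stays in kernel memory until the mapping is closed. It assumes efivarfs is mounted at /sys/firmware/efi/efivars, that `od` and (optionally) `dmsetup` are installed, and uses the TCG-defined GUID for the MOR variable; the kernel config path is the usual Debian/Ubuntu one with /proc/config.gz as a fallback. Note that `echo 3 > /proc/sys/vm/drop_caches` only frees clean page-cache and slab pages, it does not overwrite them, so it is not a memory wipe and is deliberately not used here.

```shell
#!/bin/sh
# Cold-boot mitigation checklist (added example, not from the thread).
# Read-only: it inspects the system and prints findings, changing nothing.

# Assumed path: efivarfs mount plus the TCG MOR variable name and GUID.
MOR_VAR="/sys/firmware/efi/efivars/MemoryOverwriteRequestControl-e20939be-32d4-41be-a6a0-2d3a2d4c4b1b"

# kconfig_has FILE OPTION -> prints y / n / unknown, exit 0 only for "y".
# Handles plain config files and gzip-compressed /proc/config.gz.
kconfig_has() {
    file="$1"; opt="$2"
    [ -r "$file" ] || { echo unknown; return 2; }
    case "$file" in
        *.gz) reader="zcat" ;;
        *)    reader="cat" ;;
    esac
    if "$reader" "$file" | grep -q "^${opt}=y\$"; then
        echo y; return 0
    fi
    echo n; return 1
}

# mor_status [FILE] -> prints absent / requested / clear.
# efivarfs prepends a 4-byte attribute word; the MOR payload is one byte
# whose bit 0 means "clear memory on next reset" has been requested.
mor_status() {
    f="${1:-$MOR_VAR}"
    [ -r "$f" ] || { echo absent; return 2; }
    byte=$(od -An -t u1 -j 4 -N 1 "$f" | tr -d ' ')
    [ -n "$byte" ] || { echo absent; return 2; }
    if [ $((byte & 1)) -eq 1 ]; then
        echo requested; return 0
    fi
    echo clear; return 1
}

# open_crypt_mappings -> lists dm-crypt targets whose keys are still in RAM.
open_crypt_mappings() {
    command -v dmsetup >/dev/null 2>&1 || { echo "dmsetup not available"; return 2; }
    dmsetup ls --target crypt 2>/dev/null || echo "dmsetup ls failed (run as root)"
}

main() {
    cfg="/boot/config-$(uname -r)"        # assumed Debian/Ubuntu layout
    [ -r "$cfg" ] || cfg="/proc/config.gz"
    echo "CONFIG_RESET_ATTACK_MITIGATION: $(kconfig_has "$cfg" CONFIG_RESET_ATTACK_MITIGATION)"
    echo "UEFI MemoryOverwriteRequest:    $(mor_status)"
    echo "Open dm-crypt mappings (keys in kernel memory until closed):"
    open_crypt_mappings
}

main
```

Run it as root to see the dm-crypt mappings; the other two checks work unprivileged. A kernel built with the mitigation and firmware that honours the MOR request is what actually clears DRAM across a reboot, which is the property the drop_caches trick is often mistaken for; closing data volumes with `cryptsetup close` before shutdown removes their keys from kernel memory regardless of firmware support.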