Package: cryptsetup
Severity: normal
X-Debbugs-CC: whonix-de...@whonix.org

Dear maintainer,

systemd does not wipe the LUKS disk encryption key for the root disk from RAM during shutdown. Quote myself [0]:

> Avoiding all sidelines, keeping this simple, for my understanding and for the record and please correct me if I am wrong... Summary:
>
> "cryptsetup close" of root device during shutdown is already implemented.

Quote systemd developer Lennart Poettering [0]:

> iff your initrd/distro of choice do so. For the root disk it doesn't matter what systemd does, it matters what the initrd/distro do. hence ping the maintainers of those.

The purpose of this is to defeat a cold boot attack. [1] [2] [3] [4]

Debian package cryptsetup-suspend [5] wipes the LUKS disk encryption key for the root disk from RAM during system suspend but not during system shutdown, as far as I know.

Please correct me if I am wrong, however it sounds as if wipe during shutdown might be substantially easier than wipe during suspend.

Or perhaps "Wipe LUKS Disk Encryption Key for Root Disk from RAM during Shutdown" is already implemented in initramfs-tools or dracut?

I reported this bug against Debian cryptsetup. However, I don't know if this is (partially) also a task for initramfs-tools or dracut. Please kindly move / re-assign this ticket as appropriate.

Cheers,
Patrick

[0] https://github.com/systemd/systemd/issues/17887
[1] https://www.youtube.com/watch?v=JDaicPIgn9U
[2] https://en.wikipedia.org/wiki/Cold_boot_attack
[3] https://blog.f-secure.com/cold-boot-attacks/
[4] https://www.usenix.org/legacy/event/sec08/tech/full_papers/halderman/halderman.pdf
[5] https://packages.debian.org/experimental/cryptsetup-suspend
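The check the report asks the initrd side for, as an added example that is not part of the bug report or of cryptsetup/initramfs-tools: a POSIX sh helper that finds the active dm-crypt mappings in `dmsetup table` output (format `<name>: <start> <length> <target-type> <args...>`), closes them, and verifies that none is left, so a shutdown hook can confirm the root key was released. The sample table output is constructed; `close_all` assumes the filesystems on top are already unmounted.

```shell
#!/bin/sh
# Added example (not from the bug report): identify dm-crypt mappings from
# `dmsetup table` lines read on stdin, close them, and verify none remain.
# Line format: <name>: <start> <length> <target-type> <args...>

# Print the name of every mapping whose target type is "crypt".
crypt_targets() {
    while read -r name start len target rest; do
        [ "$target" = "crypt" ] && printf '%s\n' "${name%:}"
    done
}

# Return 0 when no crypt mapping is listed on stdin (the key material held
# by dm-crypt is released only once the mapping is removed), 1 otherwise.
no_crypt_left() {
    [ -z "$(crypt_targets)" ]
}

# Close each crypt mapping listed on stdin. In a real shutdown hook stdin is
# `dmsetup table` and root must already be unmounted, or close will fail.
close_all() {
    crypt_targets | while read -r name; do
        cryptsetup close "$name" || return 1
    done
}

# Constructed sample of `dmsetup table` output: one LUKS root mapping and two
# plain linear LVM volumes that need no closing.
SAMPLE='root_crypt: 0 100000 crypt aes-xts-plain64 :64:logon:cryptsetup:UUID-placeholder 0 8:3 4096 1 allow_discards
vg-swap: 0 20000 linear 253:0 2048
vg-root: 0 80000 linear 253:0 22048'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | crypt_targets   # prints: root_crypt
fi
```

Run with `--demo` to list the mappings a hook would have to close; feed real `dmsetup table` output to `no_crypt_left` after the shutdown hook has run to confirm the root mapping is gone.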