cryptsetup.lists.linux.dev archive mirror
* Are the keys of mounted encrypted disks secured during reboot?
@ 2022-12-26 19:13 John Smith
  2022-12-26 19:42 ` Milan Broz
  0 siblings, 1 reply; 4+ messages in thread
From: John Smith @ 2022-12-26 19:13 UTC (permalink / raw)
  To: cryptsetup

During the course of proper shutdown/reboot/suspend-to-disk, does the
kernel securely erase (or at least free memory of - as it pertains to
init_on_free=1) encryption keys of all dmcrypt/luks systems which
remained mounted?


* Re: Are the keys of mounted encrypted disks secured during reboot?
  2022-12-26 19:13 Are the keys of mounted encrypted disks secured during reboot? John Smith
@ 2022-12-26 19:42 ` Milan Broz
  2022-12-26 20:10   ` John Smith
  0 siblings, 1 reply; 4+ messages in thread
From: Milan Broz @ 2022-12-26 19:42 UTC (permalink / raw)
  To: John Smith, cryptsetup

On 12/26/22 20:13, John Smith wrote:
> During the course of proper shutdown/reboot/suspend-to-disk, does the
> kernel securely erase (or at least free memory of - as it pertains to
> init_on_free=1) encryption keys of all dmcrypt/luks systems which
> remained mounted?

If the device is properly deactivated, then keys are always wiped.

(Actually, with LUKS2, dm-crypt no longer keeps its own copy of the key; it
is stored in the kernel keyring only for activation and then, obviously, in kernel
crypto, where it is directly used for encryption. So if it is not
deactivated, it is the responsibility of these subsystems to wipe it on reboot.)

For suspend to RAM, it is more complicated - there is a way to wipe the key
and freeze the device temporarily (see luksSuspend), but I do not think many systems
actually use it. Debian has cryptsetup-suspend that can do this AFAIK.

For suspend to disk, the memory should be written to an encrypted device.
(And RAM contents disappear after some short time with no power anyway.)

Milan


* Re: Are the keys of mounted encrypted disks secured during reboot?
  2022-12-26 19:42 ` Milan Broz
@ 2022-12-26 20:10   ` John Smith
  2022-12-28  8:51     ` Milan Broz
  0 siblings, 1 reply; 4+ messages in thread
From: John Smith @ 2022-12-26 20:10 UTC (permalink / raw)
  To: Milan Broz, cryptsetup

I'm asking about when a regular shutdown/reboot/suspend-to-disk is
issued. In most cases the rootfs volume is not unmounted because that
would require a pivot_root to a special initrd/ramdisk-rootfs just for
powering off.
So that would mean the device isn't deactivated via cryptsetup -
because that would fail.
In that case, when the kernel is preparing to reboot/poweroff, will it
wipe the keys or just leave them there vulnerable to cold boot or
forensics?

On Mon, Dec 26, 2022 at 7:42 PM Milan Broz <gmazyland@gmail.com> wrote:
>
> On 12/26/22 20:13, John Smith wrote:
> > During the course of proper shutdown/reboot/suspend-to-disk, does the
> > kernel securely erase (or at least free memory of - as it pertains to
> > init_on_free=1) encryption keys of all dmcrypt/luks systems which
> > remained mounted?
>
> If the device is properly deactivated, then keys are always wiped.
>
> (Actually, with LUKS2, dm-crypt no longer keeps its own copy of the key; it
> is stored in the kernel keyring only for activation and then, obviously, in kernel
> crypto, where it is directly used for encryption. So if it is not
> deactivated, it is the responsibility of these subsystems to wipe it on reboot.)
>
> For suspend to RAM, it is more complicated - there is a way to wipe the key
> and freeze the device temporarily (see luksSuspend), but I do not think many systems
> actually use it. Debian has cryptsetup-suspend that can do this AFAIK.
>
> For suspend to disk, the memory should be written to an encrypted device.
> (And RAM contents disappear after some short time with no power anyway.)
>
> Milan


* Re: Are the keys of mounted encrypted disks secured during reboot?
  2022-12-26 20:10   ` John Smith
@ 2022-12-28  8:51     ` Milan Broz
  0 siblings, 0 replies; 4+ messages in thread
From: Milan Broz @ 2022-12-28  8:51 UTC (permalink / raw)
  To: John Smith, cryptsetup

On 12/26/22 21:10, John Smith wrote:
> I'm asking about when a regular shutdown/reboot/suspend-to-disk is
> issued. In most cases the rootfs volume is not unmounted because that
> would require a pivot_root to a special initrd/ramdisk-rootfs just for
> powering off.
> So that would mean the device isn't deactivated via cryptsetup -
> because that would fail.

Cryptsetup (libcryptsetup) is just a library that performs the job;
it does not itself run any actions.
Once it is called, keys should be wiped.

The deactivation/reboot/suspend is handled by init scripts, usually systemd
units these days - so check there. It really depends on system configuration.

However, last time we played with a memory scan for keys after reboot,
cold boot is no longer such a problem as memory is wiped during reboot
on modern hw (but virtual machine images are a different problem).

m.

> In that case, when the kernel is preparing to reboot/poweroff, will it
> wipe the keys or just leave them there vulnerable to cold boot or
> forensics?
> 
> On Mon, Dec 26, 2022 at 7:42 PM Milan Broz <gmazyland@gmail.com> wrote:
>>
>> On 12/26/22 20:13, John Smith wrote:
>>> During the course of proper shutdown/reboot/suspend-to-disk, does the
>>> kernel securely erase (or at least free memory of - as it pertains to
>>> init_on_free=1) encryption keys of all dmcrypt/luks systems which
>>> remained mounted?
>>
>> If the device is properly deactivated, then keys are always wiped.
>>
>> (Actually, with LUKS2, dm-crypt no longer keeps its own copy of the key; it
>> is stored in the kernel keyring only for activation and then, obviously, in kernel
>> crypto, where it is directly used for encryption. So if it is not
>> deactivated, it is the responsibility of these subsystems to wipe it on reboot.)
>>
>> For suspend to RAM, it is more complicated - there is a way to wipe the key
>> and freeze the device temporarily (see luksSuspend), but I do not think many systems
>> actually use it. Debian has cryptsetup-suspend that can do this AFAIK.
>>
>> For suspend to disk, the memory should be written to an encrypted device.
>> (And RAM contents disappear after some short time with no power anyway.)
>>
>> Milan

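An added example, not part of the thread and not cryptsetup's own code: one way to check, from the init/shutdown scripts the last reply says to inspect, which dm-crypt mappings are still active and whether each table refers to its key through the kernel keyring (the LUKS2 case described above) or carries it in the table. It assumes input in the format printed by `dmsetup table --target crypt`; the function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify dm-crypt mappings from `dmsetup table --target crypt`
# style lines on stdin. Prints "<name> <keyring|in-table> <cipher>" per mapping.
# Table layout: <name>: <start> <len> crypt <cipher> <key> <iv_offset> <dev> <offset> ...
classify_crypt_table() {
    while read -r name start len target cipher key rest; do
        # Skip anything that is not a crypt target (other targets, messages).
        [ "$target" = "crypt" ] || continue
        name=${name%:}
        case "$key" in
            # ":<size>:<type>:<description>" is a kernel keyring reference.
            :*) kind=keyring ;;
            # Otherwise the key sits in the table itself; dmsetup prints it
            # as zeros unless --showkeys is given.
            *)  kind=in-table ;;
        esac
        printf '%s %s %s\n' "$name" "$kind" "$cipher"
    done
}

# Constructed sample input (not captured from a real system).
SAMPLE='luks-root: 0 976769024 crypt aes-xts-plain64 :64:logon:cryptsetup:00000000-0000-0000-0000-000000000000-d0 0 8:3 32768
vg-swap: 0 8388608 linear 8:2 2048
legacy-data: 0 2093056 crypt aes-cbc-essiv:sha256 0000000000000000000000000000000000000000000000000000000000000000 0 8:17 4096'

# Stand-alone run on the sample. On a live system (as root) use instead:
#   dmsetup table --target crypt | classify_crypt_table
printf '%s\n' "$SAMPLE" | classify_crypt_table
```

Any mapping this reports late in shutdown was not deactivated, which is the case where wiping is left to the kernel subsystems rather than to cryptsetup.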
