On 01/14/2011 12:56 AM, Arno Wagner wrote:
>> When a system has been configured and it's using encrypted LUKS
>> partition(s), are the keys visible in memory?
>
> Not necessarily directly, but the cipher key-setup is.

Just a small addition to this:

To be exact, for an active dm-crypt device:

- there is a plain copy of the master key string in the internal struct
  (dmsetup table --showkeys prints that)

- there is a key inside the crypto engine; it is usually a pre-processed key
  (in the AES case it is the whole key schedule tables, and this is easily
  detectable, even if it is partially corrupted, see AES keyfinder which
  uses this trick here http://citp.princeton.edu/memory/code/ )

- because now (2.6.38) we have a per-cpu crypto engine, the key schedule will
  probably be in all local cpu caches during ongoing encryption.

- there can be other important info which can help with key recovery,
  like an initialised ESSIV tfm etc

(These locations should be wiped after the key wipe message which
luksSuspend uses, btw.)

All tries to lock this in processor cache, obfuscate it in memory etc
will not help - it can just make the problem slightly harder.
(if there is no generic hw helping with that, though)

> On Linux, the memory image is accessible under /proc/kcore.

Not all distributions have this enabled; IIRC RHEL5 has only the ELF
header there, not the whole memory image available.

But if you are superuser, you can get a memory image using a simple kernel
module. A suspended VM stores it in a file. For the hypervisor it is even
simpler.

Milan
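Added example, not part of the original message and not dm-crypt or keyfinder code: it shows why an expanded AES key schedule is "easily detectable, even if it is partially corrupted", and therefore why every copy has to be wiped, not only the master key string. It assumes AES-128 (176-byte schedule); the function names are made up for this illustration and the key is the FIPS-197 Appendix A.1 sample key.

```python
# Each schedule word is fully determined by two earlier words, so a buffer
# can be checked against itself and a few bit errors still leave a near-match.

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _build_sbox():
    """AES S-box: inverse in GF(2^8) followed by the affine transform."""
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q = (q ^ (q << 1)) & 0xFF                               # q /= 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def _next_word(prev4, prev1, i):
    """Word i of the schedule from word i-4 and word i-1 (FIPS-197, Nk=4)."""
    t = prev1
    if i % 4 == 0:  # RotWord, SubWord, then Rcon on the first byte
        t = bytes([SBOX[t[1]] ^ RCON[i // 4 - 1], SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]])
    return bytes(a ^ b for a, b in zip(prev4, t))

def expand_key(key):
    """16-byte key -> 176-byte schedule, the form a cipher context holds."""
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    for i in range(4, 44):
        w.append(_next_word(w[i - 4], w[i - 1], i))
    return b"".join(w)

def schedule_mismatch_bits(buf):
    """Count bits of a 176-byte buffer that disagree with its own earlier words."""
    w = [buf[i:i + 4] for i in range(0, 176, 4)]
    bad = 0
    for i in range(4, 44):
        want = _next_word(w[i - 4], w[i - 1], i)
        bad += sum(bin(a ^ b).count("1") for a, b in zip(want, w[i]))
    return bad

SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 A.1
```

An intact schedule scores 0 and one with a flipped bit scores a handful, while unrelated data scores in the hundreds, which is the margin that makes a leftover schedule stand out in a memory image.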