Thank you for taking the time to clear this up Milan. Your responses were very helpful.

Arie

On Jan 14, 2011, at 3:53 AM, Milan Broz wrote:

> On 01/14/2011 12:56 AM, Arno Wagner wrote:
>>> When a system has been configured and it's using encrypted LUKS
>>> partition(s), are the keys visible in memory?
>>
>> Not necessarily directly, but the cipher key-setup is.
>
> Just a small addition to this:
>
> To be exact, for an active dm-crypt device:
>
> - there is a plain copy of the master key string in the internal struct
> (dmsetup table --showkeys prints that)
>
> - there is a key inside the crypto engine, it is usually a
> pre-processed key (in the AES case it is the whole key schedule
> tables, and this is easily detectable, even if it is partially
> corrupted, see the AES keyfinder which uses this trick
> here http://citp.princeton.edu/memory/code/ )
>
> - because now (2.6.38) we have a per-cpu crypto engine, the key schedule
> will probably be in all local cpu caches during ongoing encryption.
>
> - there can be other important info which can help key recovery,
> like an initialised ESSIV tfm etc.
>
> (These locations should be wiped after the key wipe message which
> luksSuspend uses, btw.)
>
> All attempts to lock this in the processor cache, obfuscate it
> in memory etc. will not help - it can just make the problem slightly
> harder. (If there is no generic hw helping with that, though.)
>
>> On Linux, the memory image is accessible under /proc/kcore.
>
> Not all distributions have this enabled; IIRC RHEL5 has only the
> ELF header there, not the whole memory image available.
> But if you are superuser, you can get a memory image using a simple kernel
> module. A suspended VM stores it in a file.
> For the hypervisor it is even simpler.
>
> Milan
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> http://www.saout.de/mailman/listinfo/dm-crypt
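As an added illustration (not part of the thread or of dm-crypt), the two points Milan makes about the AES case: the expanded key schedule held by the crypto engine has a checkable structure, so it stands out in a memory image even when partially corrupted, and zeroing only the 16-byte master key copy leaves 160 bytes of schedule from which the recurrence is trivially invertible. The S-box is generated rather than tabulated and the key is the FIPS-197 Appendix A.1 test vector; the 176-byte "memory candidate" is constructed in the script.

```python
"""AES-128 key schedule: detectability in memory and why the key copy alone is not enough to wipe."""


def _rotl8(v, s):
    return ((v << s) | (v >> (8 - s))) & 0xFF


def _build_sbox():
    # FIPS-197 S-box (GF(2^8) inverse followed by the affine map), generated instead of tabulated.
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3 in GF(2^8)
        q ^= q << 1
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF                                             # q /= 3, so q == p^-1
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _next_word(w_back4, w_prev, i):
    """One step of the key-expansion recurrence: w[i] = w[i-4] ^ g(w[i-1])."""
    t = list(w_prev)
    if i % 4 == 0:
        t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
        t[0] ^= RCON[i // 4 - 1]
    return [a ^ b for a, b in zip(w_back4, t)]


def expand_key(key):
    """Expand a 16-byte AES-128 key into the 176-byte schedule the crypto engine keeps."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        w.append(_next_word(w[i - 4], w[i - 1], i))
    return bytes(b for word in w for b in word)


def schedule_consistency(blob):
    """How many of the 40 local recurrence relations hold in a 176-byte candidate.
    A real schedule scores 40, a few flipped bytes cost only the relations they touch,
    and random data scores near 0: that locality is what makes a schedule findable."""
    w = [list(blob[4 * i:4 * i + 4]) for i in range(44)]
    return sum(_next_word(w[i - 4], w[i - 1], i) == w[i] for i in range(4, 44))


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 A.1 test key
    damaged = bytearray(expand_key(key))
    damaged[80] ^= 0xFF                                       # one corrupted byte in word 20
    key_only_wiped = bytes(16) + expand_key(key)[16:]         # only the master key copy zeroed
    print(schedule_consistency(expand_key(key)), schedule_consistency(damaged),
          schedule_consistency(key_only_wiped))               # 40 37 36
```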