On Tue, Oct 28, 2014 at 10:15:22 CET, Cpp wrote: > Hey, > > I've got two questions abour dm-crypt/LUKS. > > - Does dm-crypt/LUKS employ any RAM anti-forensics? No. And not really needed anyways. This is for disk encryption, not for building a HSM (Hardware Security Module). Keys get wiped unmapping though. > In particular, > what is the danger of a master key being "burnt-in" into the RAM, if a > certain container is mounted for an extended period of time (a few > years)? Is the master key being periodically moved around in RAM (this > acts like a screen-saver or rather a RAM-saver) or does it reside at a > static location after the container is mounted? That is potentially a concern with SRAM. DRAM may or may not be subject to similar effects, but they are not as easy to detect or use. Basically, you will have to lower refresh-rates until bits fail and carefully monitor which ones will fail. Even that may not be conclusive at all, as cells are different. The thing with SRAM is that both transistors in the flip-flop are very similar, as they are very close together. An SRAM cell may tend to come up in the state it has held for a long time. A DRAM cell will always come up the same way, regardless of what value it held, namely with capacitor empty. AFAIK, the it is not even clear whether this still is an issue in modern SRAMs. The only references I found on googeling are describing this effect in the presence of a lot of ionizing radiation for SRAM and I did not find a single source for a similar effect for DRAM. Here is a current reference on that, the literature may give you more info: https://repositories.tdl.org/ttu-ir/bitstream/handle/2346/58641/NAIR-DISSERTATION-2013.pdf Note that the radiation doses this work looks at start at 100R and go up to 100kR. About 200R are reliably deadly for humans. There are also devices like the DS3640 that claim to prevent this, but it would not be the first time that a manufacturer advertises "preventing" things that are not there in the first place: http://www.maximintegrated.com/en/products/power/supervisors-voltage-monitors-sequencers/DS3640.html BTW, you do _not_ move the key around to fight this. That would not help. You complement all bits regularly instead. > - Is it possible to separate the LUKS header from the encrypted data? > Normally when a partition is luksFormat-ted it will generate a LUKS > header on that partition at the very beginning of space. But I was > wondering, if it's possible to have only the encrypted data on the > partition, and move the LUKS header somewhere else i.e. a file on a > USB stick? See man-page and FAQ items 5.19 and 6.2. In the case of FLASH disks, it is actually a good idea to do so. Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx GnuPG: ID: CB5D9718 FP: 12D6 C03B 1B30 33BB 13CF B774 E35C 5FA1 CB5D 9718 ---- A good decision is based on knowledge and not on numbers. -- Plato If it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." -- Bruce Schneier _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
