Deniability - Protecting against cold boot attacks, with RAM encryption (no hardware access!) #37

Open
opened 2024-09-17 21:05:50 +02:00 by nihilist · 2 comments
Owner

It's the continuation of https://git.nowhere.moe/nihilist/blog-contributions/issues/36
nihilist added this to the OPSEC Tutorials (paid contributions) project 2024-09-17 21:05:50 +02:00
nihilist added the Complex label 2024-09-23 10:42:18 +02:00
nihilist added ? Impossible Currently ? and removed Complex labels 2024-09-23 15:20:00 +02:00
Author
Owner

The closest I found is https://www.cs1.tf.fau.de/research/system-security-group/ramcrypt/ but it seems to require hardware access + an outdated kernel version. It is NOT possible to make any hardware change when you are using a remote server.
Author
Owner

Brainstormed something, but not sure if this can solve the problem (feel free to correct me if it's stupid or not): moving as much stuff out of RAM as possible into swap, and making that swap LUKS encrypted.

Encrypt the swap: https://www.tecmint.com/disk-encryption-in-linux/

```
Encrypting the Swap Space for Further Security

The passphrase you entered earlier to use the encrypted partition is stored in RAM memory while it's open. If someone can get his hands on this key, he will be able to decrypt the data. This is especially easy to do in the case of a laptop, since while hibernating the contents of RAM are kept on the swap partition.

To avoid leaving a copy of your key accessible to a thief, encrypt the swap partition following these steps:

1. Create a partition to be used as swap with the appropriate size (/dev/sdd1 in our case) and encrypt it as explained earlier. Name it just "swap" for convenience.

2. Set it as swap and activate it.

# mkswap /dev/mapper/swap
# swapon /dev/mapper/swap

3. Next, change the corresponding entry in /etc/fstab.

/dev/mapper/swap    none    swap    sw    0    0

4. Finally, edit /etc/crypttab and reboot.

swap    /dev/sdd1    /dev/urandom    swap

Once the system has finished booting, you can verify the status of the swap space:

# cryptsetup status swap
```

https://linuxize.com/post/how-to-change-the-swappiness-value-in-linux/
And then forcefully make Linux move everything into swap by increasing the swappiness to 100 (and also make sure that the swap is big enough to fit everything!).

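As an added audit example (not code from this issue thread or from nihilist's blog), the POSIX shell script below checks the end state the comment above describes: a dm-crypt mapping named `swap` keyed from `/dev/urandom` in `/etc/crypttab`, `/dev/mapper/swap` actually active as swap with no plaintext swap device beside it, and `vm.swappiness` raised to 100. The mapping name `swap` and the sample `/etc/crypttab` and `/proc/swaps` contents are constructed for the example. One caveat when weighing this against the cold boot threat: the random dm-crypt key for the swap mapping lives in kernel memory, and swappiness only biases the kernel toward reclaiming anonymous pages rather than evicting pages in active use, so RAM still holds the working set and the key that decrypts the swap.

```shell
#!/bin/sh
# Added audit example (not part of the issue thread). Checks whether a host's swap is
# configured the way the comment above describes. Inputs are passed in as text so the
# functions run against the constructed samples below as well as against the real files.

# Return 0 if the crypttab text maps <name> with a /dev/urandom key and the "swap" option.
# Usage: crypttab_swap_ok <name> <crypttab-text>
crypttab_swap_ok() {
    name=$1
    text=$2
    printf '%s\n' "$text" | awk -v n="$name" '
        $1 == n && $3 == "/dev/urandom" && $4 ~ /(^|,)swap(,|$)/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 if /proc/swaps-style text lists /dev/mapper/<name> as an active swap device.
# Usage: swap_active_ok <name> <proc-swaps-text>
swap_active_ok() {
    name=$1
    text=$2
    printf '%s\n' "$text" | awk -v dev="/dev/mapper/$name" '
        NR > 1 && $1 == dev { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 if any active swap device is NOT a device-mapper target, i.e. plaintext swap
# that would write RAM contents to disk unencrypted.
# Usage: plain_swap_present <proc-swaps-text>
plain_swap_present() {
    text=$1
    printf '%s\n' "$text" | awk '
        NR > 1 && $1 !~ /^\/dev\/mapper\// { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 if the swappiness value is at the maximum the comment asks for (100).
# Usage: swappiness_ok <value>
swappiness_ok() {
    [ "$1" -ge 100 ] 2>/dev/null
}

# Constructed samples (not taken from a real host).
SAMPLE_CRYPTTAB='# <target name> <source device> <key file> <options>
root   UUID=00000000-0000-0000-0000-000000000000   none          luks
swap   /dev/sdd1                                   /dev/urandom  swap'

SAMPLE_PROC_SWAPS='Filename                                Type            Size    Used    Priority
/dev/mapper/swap                        partition       8388604 0       -2'

SAMPLE_PROC_SWAPS_PLAIN='Filename                                Type            Size    Used    Priority
/dev/sdd1                               partition       8388604 0       -2'

# Run the checks against the live system (reads /etc/crypttab, /proc/swaps, vm.swappiness).
audit_live() {
    ct=$(cat /etc/crypttab 2>/dev/null)
    sw=$(cat /proc/swaps 2>/dev/null)
    sp=$(cat /proc/sys/vm/swappiness 2>/dev/null)
    crypttab_swap_ok swap "$ct" && echo "crypttab: swap keyed from /dev/urandom" \
                                || echo "crypttab: no random-key swap entry"
    swap_active_ok swap "$sw"   && echo "swap: /dev/mapper/swap active" \
                                || echo "swap: /dev/mapper/swap not active"
    plain_swap_present "$sw"    && echo "WARNING: unencrypted swap device active"
    swappiness_ok "$sp"         && echo "swappiness: $sp" \
                                || echo "swappiness: ${sp:-unknown} (below 100)"
}

# Only touch the live system when explicitly asked; otherwise just define the functions.
if [ "${1:-}" = "live" ]; then
    audit_live
fi
```

Run it as `sh audit-swap.sh live` on a host to audit the real files; without the argument it only defines the functions and the constructed samples, so it can be sourced and exercised offline.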
Reference: nihilist/blog-contributions#37