- Wipe LUKS Disk Encryption Key for Root Disk from RAM during Shutdown to defeat Cold Boot Attacks

- Confirm in console output if encrypted mounts (root disk) is unmounted. (Because that is a pre-condition for wiping the LUKS full disk encryption key from RAM.) Thanks to @friedy10! https://github.com/friedy10/dracut/tree/master/modules.d/40sdmem https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix-cold-boot-attack-defense/5596
2025-05-02 11:26:08 -04:00 · 2022-06-29 09:32:55 -04:00 · 2022-06-29 09:32:55 -04:00 · 38cdf2722b
commit 38cdf2722b
parent adca1ebdf6
4 changed files with 30 additions and 1 deletions
--- a/usr/lib/dracut/modules.d/40sdmem-security-misc/README.md
+++ b/usr/lib/dracut/modules.d/40sdmem-security-misc/README.md
@ -0,0 +1,4 @@
+### Make sure sdmem is part of the initramfs
+sudo apt-get install secure-delete 
+
+sudo dracut --include /usr/bin/sdmem /bin/sdmem --force
--- a/usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh
+++ b/usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh
@ -0,0 +1,19 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+check() {
+return 0
+}
+
+depends() {
+return 0
+}
+
+install() {
+inst_hook shutdown 40 "$moddir/wipe.sh"
+}
+
+installkernel() {
+return 0
+}
+
--- a/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh
+++ b/usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh
@ -0,0 +1,5 @@
+echo "Checking for mounted disks..."
+dmsetup ls --target crypt
+echo "WIPE RAM!"
+/bin/sdmem -f
+echo "WIPE DONE!"