- Wipe LUKS Disk Encryption Key for Root Disk from RAM during Shutdown to defeat Cold Boot Attacks

- Confirm in console output if encrypted mounts (root disk) is unmounted. (Because that is a pre-condition for wiping the LUKS full disk encryption key from RAM.)

Thanks to @friedy10!

https://github.com/friedy10/dracut/tree/master/modules.d/40sdmem

https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix-cold-boot-attack-defense/5596

debian/control

@@ -15,7 +15,8 @@ Rules-Requires-Root: no
 Package: security-misc
 Architecture: all
 Depends: python3, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin,
- apparmor-profile-dist, helper-scripts, libpam-modules-bin, ${misc:Depends}
+ apparmor-profile-dist, helper-scripts, libpam-modules-bin,
+ secure-delete, dmsetup, ${misc:Depends}
 Replaces: tcp-timestamps-disable, anon-gpg-tweaks, swappiness-lowest
 Description: Enhances Miscellaneous Security Settings
  https://github.com/Whonix/security-misc/blob/master/README.md

usr/lib/dracut/modules.d/40sdmem-security-misc/README.md

@@ -0,0 +1,4 @@
+### Make sure sdmem is part of the initramfs
+sudo apt-get install secure-delete 
+
+sudo dracut --include /usr/bin/sdmem /bin/sdmem --force

usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+check() {
+return 0
+}
+
+depends() {
+return 0
+}
+
+install() {
+inst_hook shutdown 40 "$moddir/wipe.sh"
+}
+
+installkernel() {
+return 0
+}
+

usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh

@@ -0,0 +1,5 @@
+echo "Checking for mounted disks..."
+dmsetup ls --target crypt
+echo "WIPE RAM!"
+/bin/sdmem -f
+echo "WIPE DONE!"