RAM wipe after boot

hi there

i had an discussion with a friend and we talked about RAM wipe after boot to secure the encryption key in kali linux. he told me that it would be possible to do this by a cronjob or rc.local with the tool sdmem.

i thought that this could be a very cool feature for qubes if you could check this in preferences of dom0.
What do you think?
Is that possible to setup in dom0, too?
and could this feautre come in the future?

1 Like

Doesn’t Xen already do this?

I thought Xen would sanitize the memory before making it available to any domain.




this would be cool but i mean direct after login to dom0.

in kali linux for example you install sdmem and than run it with rc.local on boot so the encryption key will hopefully wiped

And how do you expect encryption to work without encryption key?

1 Like

i believe you don’t know what i mean. please check out sdmem

Maybe I don’t know what you mean. Provide some links to understand what you mean.
Sdmem is just a tool to wipe the RAM.
It doesn’t have a magical effect of providing a way to wipe the encryption key from the RAM and still allow for encryption software to somehow still use the key.

it is just an idea becuase i have heard about attacks to extract the key out of the ram even a pc is shut down.

In the example i have read the pc was cooled to hold the information in the ram. Normaly the key is load in the ram to decrypt the drive with the password at boot. After the pc is booted and the os is running this key isn’t necessery and not needed anymore in the ram. So this one can be overwritten.

1 Like

cryptsetup is wiping the key when it’s closing the decrypted drive. So if the system was shut down normally and not by hard reset / power off then the encryption key should be wiped from RAM when encrypted system drive is closed on shut down.

That’s not how decryption works. As long as you need to access the decrypted drive the decryption key must be accessible as well.

Seems like I was wrong. The cryptsetup close is not run on dracut shutdown right now:


[irrelevant comment retracted]

You can run Xen with the scrub-domheap option, if you want to force Xen to scrub the memory when a domain is shutdown, it’s better than trying to do it from inside the domain itself.

Even if you force Xen to scrub the memory, you run into the same issue that it only happens during a controlled shutdown, anyone doing a direct memory attack is just going to hard reset the system and negate any shutdown based protection.

If you are worried about this type of attack, you should use a system with memory encryption.

Sorry, this is the whole point. As a QubeOS user, I shouldn’t have to do anything to get this reasonable behavior/expectation of the OS erasing the the LUKS key from memory on normal shutdown.

which system has memory encryption

true so what can we do?

here you can see it RAM Wipe Development Notes

1 Like

The pro version of AMD CPUs has TSME, AMDs memory encryption technology, and the vPro Enterprise CPUs from Intel has TME, which is the Intel encryption tech.

I don’t think AMD sell pro CPUs to consumers, but many of the middle to high-end Intel consumer CPUs support TME

nice point but i don’t think would be the solution if you can perhaps implement a script to dom0 that root can choose this in preferences after boot or before shutdown. And this would be the way every qubes user would have profit of it