Essentially, when your computer is powered off, everything is stored on the hard drives locked up with AES-XTS encryption. This is known as “encrypted data at rest”.
In practice, this means that if I were to steal your hard drive/laptop, and read the blocks on your hard drive, it would look like this:
�J��
�m��95D@�)�X��)R��ao&#����ڒ,k�NзqQ�����cM�D��#DqM�~����쵆�P�Ь�Կ�F�1�����s�c(�Y�txy��OyO���z���t������]
q����}����$4�MUN�=-i7�3�>q'�ᴍH�EL�u���ˤ��t�a��Ap�,������U��N©���+���o�5T��jU�D�Ҍ�Ɵ�!�����fT�߭=͢�"�I��Z�51�+��v������V�;�o��Z�+
������Nr"vNp�Fu�����+S�Cyɹ5�A/���]p�4�Kd��A��I���Lc}y?��� ���� �E�R�/_�Ʋ����Ns�K�́�C�
F
S;xd;����!q�4�K��2���� ����k+\�+15�s�`�#7;���K֠�}�RTgs*�^���[ "Ydd���OH��!b$�;
Pure gibberish (without the decryption key)
When you boot your computer, you input your LUKS decryption passphrase, and it stores that in RAM.
Your CPU then uses that key stored in RAM to take blocks from your hard drive, decrypt them, and store the unencrypted contents in RAM while you’re using them.
Then, when you’re done, your CPU uses that same key to encrypt the contents before storing that block on your hard drive.
When you shut your computer down, the contents of your RAM, and your decryption key, disappear. Because, you know, the chips don’t have any power going through them…
In contrast, when you sleep/suspend your machine, you put it into a state where the RAM is still powered and retaining whatever you had in it. If a process can be paused without breaking anything, it is paused. However, everything mission-critical to the computer functioning is still running unaffected.
In some cases, depending on what you’ve configured your machine to do (BIOS, background daemons, etc.), your machine can also be listening for outside input (network packets, keystrokes, bluetooth packets, infrared signals, camera face detection, whatever!). In some cases, your computer may actually still respond to these inputs as if it were still running, even though it’s “sleeping”.
It’s quite trivial to get the decryption key from a RAM dump, if you know what you’re doing.
But it’s impossible to get a decryption key that isn’t there when your data is at rest.
@zenyatta is right. It’s a lot more convenient to resume from sleep than it is to cold/warm boot.
@catacombs is also right in that most Windows users keep their machines perpetually powered on. (Actually, let’s be honest, most of us do that too.)
This might explain why Microsoft has reboots forced upon their machines periodically.
But there is definitely some merit in the practice in some cases.
Servers have this issue frequently when they update their software, but have to wait until their tasks are completed to actually be able to replace the running processes with the updated versions.
This is particularly important when you might have vulnerabilities in some of your software that’s currently running.
A cold boot is the most surefire way to ensure that all running processes are the ones stored on the hard drive (i.e. the ones you just updated).
Yes, kexec will allow you to reboot the kernel without power cycling your machine in some circumstances, but I wouldn’t do that on Qubes OS, unless you’re prepared for things to break.
So yeah, like everything here, it all depends on your own threat model.