A Solution to the Cold Boot Attack
WARNING: DO NOT USE HARDWARE OR SOFTWARE SUSPEND WHILE THE LOOP.KO MODULE IS LOADED OR YOU WILL TOTALLY TRASH YOUR HARD DISK -- WE'RE TALKING EXTREME, IRREVERSIBLE DISK CORRUPTION -- UPON RESUME!
WARNING: DO NOT USE ON A SYSTEM CONFIGURED WITH SMP SUPPORT OR YOU WILL TRASH YOUR HARD DISK! PROBABLY NOT AS BAD AS IF YOU SUSPEND, BUT STILL PRETTY BAD!
AND THIS WILL CERTAINLY HAPPEN. IT'S NOT, LIKE, WELL, MAYBE IT WILL HAPPEN. IT WILL HAPPEN EVERY TIME. YOU ABSOLUTELY MUST NOT SUSPEND YOUR COMPUTER WHILE USING THIS. YOU ABSOLUTELY MUST USE A NON-SMP KERNEL WHILE USING THIS. AND IF YOU DON'T KNOW WHAT A NON-SMP KERNEL IS, YOU SHOULDN'T USE THIS. BECAUSE YOU'LL TRASH YOUR HARD DISK IF YOU USE THIS ON A NORMAL LINUX SYSTEM. ALL OF YOUR FILES. GONE. FOR GOOD. AND YOU WON'T KNOW AT FIRST. MAYBE YOU CAN RECOVER SOME OF THE FILES USING A TOOL LIKE PHOTOREC BUT DON'T GO THERE JUST DON'T USE THIS UNLESS YOU'RE ABSOLUTELY REALLY DAMN SURE YOU KNOW HOW TO AVOID CORRUPTING YOUR HARD DISK. THIS IS PRE-ALPHA QUALITY SOFTWARE. DO NOT USE THIS UNLESS YOU KNOW WHAT YOU'RE DOING. AND EVEN IF YOU DO KNOW WHAT YOU'RE DOING, DON'T SUSPEND YOUR COMPUTER, EVER, WHILE LOOP.KO IS LOADED. IF YOU DO ACCIDENTALLY, PULL THE PLUG ON THE LAPTOP AND TAKE OUT THE BATTERY RATHER THAN RESUMING BECAUSE ONCE YOU RESUME, YOUR FILES ARE DEAD. IF YOU DO RESUME, WELL, AGAIN, IMMEDIATELY TURN OFF THE COMPUTER TO AVOID FURTHER DAMAGE. IF YOU USE WITH AN SMP KERNEL, YOU'LL CORRUPT YOUR FILES MORE SLOWLY SO YOU WON'T KNOW AT FIRST. DON'T USE THIS WITH AN SMP KERNEL. IF YOU DON'T KNOW HOW TO DO THESE TWO THINGS -- NOT SUSPEND AND ONLY USE WITH A KERNEL YOU HAVE COMPILED WITHOUT SMP SUPPORT, DO NOT USE THIS SOFTWARE. THIS SOFTWARE CAN DESTROY YOUR DATA. ALL OF IT. FOREVER. DON'T USE THIS SOFTWARE UNLESS YOU UNDERSTAND THIS ENTIRE WARNING AND KNOW HOW TO MAKE SURE YOUR DATA DOESN'T GET DESTROYED.
This is what you do to use it (works with AES128 on 64-bit Linux only):
1. Get Loop-AES here.
2. Configure your kernel for Loop-AES. While you're at it, disable hardware performance monitoring (oprofile) and multiple CPUs (we don't support SMP systems unless compiled without SMP support ... yeah, I know, that needs to be fixed, and it can and will be).
3. Copy aes-amnesia.S to aes-amd64.S.
4. Make sure you've configured Loop-AES to use its AMD64 assembly language implementation of AES, which we just copied over. Note that things like Via PadLock and AES-NI are not supported currently; configure them out.
5. Compile Loop-AES as normal.
6. Some tests will fail because Loop-Amnesia doesn't support AES-192 or AES-256 yet.
7. Set up an encrypted volume with Loop-AES using AES128. You're now immune to cold boot!
DO NOT SUSPEND YOUR SYSTEM WHILE LOOP-AMNESIA IS IN USE OR YOU WILL ABSOLUTELY FOR SURE CORRUPT YOUR HARD DISK. In fact, you can do this to make sure it's working:
1. Unmount every encrypted volume except for a small loopback volume WHOSE CONTENTS YOU DON'T CARE ABOUT.
2. Software or hardware suspend the disk.
3. Resume and unmount your test volume DO THIS AND YOU WILL NEVER SEE THE DATA IN THE TEST VOLUME AGAIN IF YOU ARE USING LOOP-AMNESIA.
4. Use "losetup -d" on the loop device you used for the test volume.
5. Unload and reload loop.ko. IF LOOP.KO WON'T UNLOAD, YOU SHOULD BE VERY VERY AFRAID THAT PERHAPS YOU HAVE ANOTHER PARTITION LOADED AND OH GOD YOU'RE GOING TO LOSE ALL YOUR DATA FOR SURE IF YOU UNMOUNT ANYTHING YOU CARE ABOUT SO DON'T DO THAT AND DON'T TYPE "sync". JUST PULL THE PLUG IF YOU MESSED UP AND HAVE ANYTHING OTHER THAN A DUMMY TEST PARTITION MOUNTED. IF YOU'RE LUCKY, MAYBE YOUR DATA WILL STILL BE THERE WHEN YOU TURN THE COMPUTER BACK ON.
6. Verify that the loopback volume's filesystem is corrupted. If it's not, you've done something wrong and are using a non-cold-boot-immune Loop-AES implementation, not Loop-Amnesia!
Best of luck, and comment on this blog post if you have problems! Also comment if you want SMP support; I'd get to adding it faster if I know people are wanting to use it :)
UPDATE: The people who did AESSE (mentioned in my paper) have continued to work on the cold boot problem and have also released code. If you have a computer with AES-NI support, or a 32-bit CPU, you may want to have a look at TRESOR. TRESOR is a project similar to Loop-Amnesia but uses dm-crypt as its base rather than Loop-AES. TRESOR can also make use of the AES-NI registers to provide better performance than Loop-Amnesia on computers that have them (I will add AES-NI support to Loop-Amnesia if there is demand, however), and, unlike Loop-Amnesia, TRESOR also supports 32-bit versions of Linux (which Loop-Amnesia will never do). Unlike Loop-Amnesia, however, TRESOR does not support mounting multiple encrypted partitions. This means, for instance, that if you want cold-boot-immune data and swap partitions, you'll have to use Loop-Amnesia, not TRESOR.
Author of Loop-Amnesia,