Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Cold boot attack susceptibility when using LUKS?

Featured Replies

Assuming we use LUKS and encrypt a drive, 
 

according to this thread the decryption key is stored in RAM. Does this mean my server is susceptible to a cold boot attack? (https://en.wikipedia.org/wiki/Cold_boot_attack)

Please forgive me if it's a dumb question.

Edited by user0777
fix spacing

Solved by user0777

6 hours ago, user0777 said:

Does this mean my server is susceptible to a cold boot attack?

Not as I understand such attacks as the key would be lost when the reboot happens.   It has to be reloaded/entered every time the system boots as it is not persisted by Unraid across a reboot.

  • Author
1 hour ago, itimpi said:

Not as I understand such attacks as the key would be lost when the reboot happens.   It has to be reloaded/entered every time the system boots as it is not persisted by Unraid across a reboot.

Exactly so if you read material on cold boot attacks, stuff that’s in RAM does persist if you pull the power cord to a PC. You could then pull the LUKS key out of RAM. It does indeed seem susceptible

4 minutes ago, user0777 said:

Exactly so if you read material on cold boot attacks, stuff that’s in RAM does persist if you pull the power cord to a PC. You could then pull the LUKS key out of RAM. It does indeed seem susceptible

Looking at the description in more detail of what it takes to carry out such an attack I suspect that if you have someone with the capability to carry out this sort of attack having physical access to your server then you probably have much larger problems anyway!

yeah if u have physical access, just dont turn off the pc and you have it anyway... 

Edited by NewDisplayName

  • Author
10 minutes ago, NewDisplayName said:

yeah if u have physical access, just dont turn off the pc and you have it anyway... 

 

Isn’t the whole point of LUKS to protect against physical attacks?

  • Author
  • Solution

According to a thread on hacker news, the only mitigation for cold boot on unraid would be something involving RAM encryption (intel 13th gen and some AMD CPUs have this feature)

 

https://news.ycombinator.com/item?id=38219731

 

 

 

 

How would you do that? If you dont have the key, the server cant function.

 

edit:

ok where is the key stored to encrypt ram?

 

Edited by NewDisplayName

  • Author

I think you’ve misunderstood the meaning of Physical access maybe? Physical access means being in the same room as the server not necessarily while it is unlocked.

5 hours ago, user0777 said:

I think you’ve misunderstood the meaning of Physical access maybe? Physical access means being in the same room as the server not necessarily while it is unlocked.

Yes, someone could enter while the server is not on, but then how do you usually start the server? you have to have some sort of password, physical, or an automated way to unlock it... right?

  • Author

No, we are talking about the case when the server is already on but locked.

10 hours ago, user0777 said:

No, we are talking about the case when the server is already on but locked.

OK. 

 

Now you can just extract the key out of ram. Thats what you mean? And if it were encrypted, you couldnt do that.

 

But dont we have the same problem again, where comes the pw for the encrypted ram?

  • Author

RAM isn’t encrypted. Unraid stores the decryption key in RAM in plaintext.

Edited by user0777

Oh rly, i know, why you tell me this?

 

were talking about encrypted ram here?

 

But anyway, i dont want to continue this discussion.

  • Author

Encrypted ram is the solution however 99% of unraid users will not have encrypted ram.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.