cold boot - weakish/cheat GitHub Wiki

Time window: seconds to several minutes (hours to a week in refrigerating). Cold boot attack can retrieve the encryption key from RAM (both SRAM and DRAM) in the seconds to minutes (depending on types of memory modules, operating systems and mother board properties.) after power in room temperature. Time window can be extended to 10 minutes to hours by cooling them to around -50 °C, for example by inverting cans of compressed air. Cool the chips in liquid nitrogen (-196 °C) and they hold their state for hours at least, without any power. A study found data remanence in DRAM with data retention of seconds to minutes at room temperature and "a full week without refresh when cooled with liquid nitrogen."

It is recommended that computers to be powered down (shut down or hibernate to an encrypted swap partition), rather than be left in a "sleep" state, when not in physical control of the owner. When a machine is shut down or loses power and encryption has not been terminated (such as in the event of sudden loss of power), restart the machine and shut down it clearly. For more security, wait several minutes after shutdown.

For maximum of security, use TRESOR patch for Linux kernel. TRESOR stores encryption keys in the x86 debug registers, and uses on-the-fly round key generation, atomicity, and blocking of usual ptrace access to the debug registers for security. Its developers state that "running TRESOR on a 64-bit CPU that supports AES-NI, there is no performance penalty compared to a generic implementation of AES. For desktops, choose a Intel Core CPU providing data scrambling feature that turns user data written to the memory into pseudo-random patterns. Intel does not provide CPU with data scrambling feature for laptops. Choosing one whose memory modules are soldered onto a motherboard or glued in their sockets just prevent memory modules to be easily be removed and inserted into another machine under an attacker's control. However, an attacker can still boot a live usb on the computer. If a password is required to boot from network or removable device, an attacker can just swap out the drive or reset the computer's NVRAM to re-enabling booting from USB.

References