Setting up a laptop: Difference between revisions
m (→Next step: Full blown Alpine installation: put example) |
m (move part the section above) |
||
Line 28: | Line 28: | ||
Grab a USB thumb drive with Alpine. Set it up as usual but don't let it touch your drive yet. Then, install all the tools into memory ramdisk but not in the hard drive yet. The hard drive will be obliterated. | Grab a USB thumb drive with Alpine. Set it up as usual but don't let it touch your drive yet. Then, install all the tools into memory ramdisk but not in the hard drive yet. The hard drive will be obliterated. | ||
You will then install Alpine using the steps: | |||
First you need WiFi, to get it run do the command below but say no or skip the hard drive setup stuff: | |||
setup-alpine | |||
Then, you need to install everything in /mnt/root where you mounted the encrypted drive: | |||
apk add e2fsprogs grub grub-bios grub-efi mkinitfs grub nano | |||
== Randomizing the drive with pseudorandom urandom entropy == | == Randomizing the drive with pseudorandom urandom entropy == | ||
Line 348: | Line 357: | ||
== Next step: Full blown Alpine installation == | == Next step: Full blown Alpine installation == | ||
apk add --root=/mnt/root --initdb $(cat /etc/apk/world) | apk add --root=/mnt/root --initdb $(cat /etc/apk/world) | ||
Revision as of 05:40, 12 March 2018
This material is work-in-progress ... Do not follow instructions here until this notice is removed. |
This guide is about a project to create a secured laptop. For this project we take in consideration ways to extend battery life. It covers tools and daemons that are must haves for a laptop setup.
Guide features
- Deniable full disk encryption
- Two factor authentication (physical (USB key), mind)
- Encrypted swap and hibernation
- Encrypted home on top of encrypted drive
- Memory sanitation
- Dynamic power modes
- Feature keys support
Rubberhose Attack
Just a reminder that all attacks are subjected to the Rubberhose Attack dilemma, you either give up your encryption keys or be tortured with a rubberhose with the possibly of death. See Wikipedia article. We try to present deniable encryption (Wikipedia) to avoid a rubberhose attack scenario. In this article we use the words plausible deniability interchangeably with deniable encryption. To achieve this we use a facade and require no metadata fingerprints to expose or hint of encrypted or hidden containers or hint as in detect of existence of an encrypted disk. We will not cover steganography where we dilute the randomness into the facade. The addition is welcomed in this article. It also requires you not to brag about encryption or mention it because that is an invitation for the attacker to torture the victim. Deniable encryption requires you not put encrypted as an entry title to your bootloader. There shouldn't be an entry for your facade bootloader to the encrypted drive.
Why full disk?
The full disk encryption provides sort of some plausible deniability or a valid alibi that you didn't encrypt it. Is the drive just random noise, broken, or is it really encrypted? The other reason is that it implies that everything is protected.
But there could be problems if not done right. For example, cryptsetup does leave a plaintext marking or some hints by default that it has been encrypted when using luks/luks2 mode if a detached header with option --header <path>
is not presented.[1][2] To gain credibility that we didn't really do the encryption, you have to wipe the +3 MiB region based on the number of key slots used; or store the headers on an external device.
If you did deniable encryption incorrectly, it is possible to erase and restore the header. This presents an opportunity to improve obfuscation. When you pull out the USB key, it should erase the header but store it on the USB key atomically as in completely. If you plug in the USB key, it will restore back the header. cryptsetup has luks actions luksHeaderBackup and luksHeaderRestore to do this.
Starting at the beginning
Grab a USB thumb drive with Alpine. Set it up as usual but don't let it touch your drive yet. Then, install all the tools into memory ramdisk but not in the hard drive yet. The hard drive will be obliterated.
You will then install Alpine using the steps:
First you need WiFi, to get it run do the command below but say no or skip the hard drive setup stuff:
setup-alpine
Then, you need to install everything in /mnt/root where you mounted the encrypted drive:
apk add e2fsprogs grub grub-bios grub-efi mkinitfs grub nano
Randomizing the drive with pseudorandom urandom entropy
The first part is to erase the drive with random noise but in practical time. There are many techniques to do this but should be done in one day or two minimum.
You can use shred or dd to accomplish this depending on your needs and the availability of entropy. Some techniques take longer. Cryptologist Bruce Schneier recommended 7 times with specified pattern. See Wikipedia Article. For practical purposes, we just do it random in one pass.
To list the drives on the system do fdisk -l
.
IMPORTANT: make sure you wipe the right specific drive.
To wipe the disk with random entropy do:
dd if=/dev/urandom of=/dev/sda
Creating GPG keys
After you have scrambled the drive, you want to create your GPG keys. You will use these keys to set the password(s) for your cryptsetup-luks partitions. These keys should be stored on a USB thumb drive which will act as the boot partition and the USB key. The key should be a random 128 bit key wrapped in GPG and protected with a password.
If you are using x, you need to do sudo apk add pinentry-gtk
to display password prompt properly for the next step.
openssl rand -base64 128 | gpg --symmetric --cipher-algo aes --armor > /mnt/usb/2a667ec72774b0d5
(Make sure your usb is mounted on /mnt/usb first.)
The long file name comes from openssl rand 8 -hex
so that we enhance plausible deniability. The attacker cannot determine the purpose of the key. Is it used for GitHub? for Email?
The first part will produce 128 random bytes in wrap it in base64. The random data will be piped to gpg which will wrap it in AES as ciphertext which again gets wrapped in base64 ascii armor. For every partition including swap in some cases, you should create more gpg keys and store them in your USB thumb drives. After you have produced your gpg keys, you will then use them as a password for cryptsetup/luks.
You can replace aes above with the ones listed in gpg --version
.
There should be a password generated for the swap. This is to resume for your hibernate. If you don't want to hibernate, then password is not required and all you need to do is to create/format the partition each time you boot without a password or with a one time random password.
Full disk encryption with with cryptsetup-luks volumes
Partitioning scheme
This section presents a conceptual layout. It should not be a knee-jerk approval to automatically use the partition tool which would compromise your plausible deniability.
For the facade, we use an Ubuntu Live CD (or less skilled distro) to present the impression that we are not sophisticated or tech savvy enough to implement encryption. Windows is also acceptable even better. The immutable Live CD and immutable partition ensures that you are not compromised by a third party attacker that implants evidence.
There could be possibly two bootloaders, one for the facade and the other to the encrypted drive stored on a external device.
Luks
Plausible deniability only works if you can demonstrate no existence of partitions 2, 3, 4 and no fingerprints/plaintext introduced by cfdisk and cryptsetup-luks. Use something like TestDisk, fdisk -l, or gparted and a disk editor (hex editor for disks).
# | Name | Mount point | Notes |
---|---|---|---|
1 | facade | / | (optional) The facade partition contains a pristine normal operating system or Ubuntu Live CD image to lure the attacker in attempt to boost the confidence of the attacker convincing them that there is no encryption on the device. |
2 | swap | It should be the same size as your ram for x86_64. Rationale: it should contain the whole ram image. | |
3 | root | / | |
4 | rescue | / | This should contain the Alpine image. |
Plain dm-crypt
Plausible deniability only works if you are able to present #2 as being unused space or untampered. To check use something like TestDisk, gparted and a disk editor (hex editor for disks).
# | Name | Mount point | Notes |
---|---|---|---|
1 | facade | / | (optional) The facade partition contains a pristine normal operating system or Ubuntu Live CD image to lure the attacker in attempt to boost the confidence of the attacker convincing them that there is no encryption on the device. |
2 | vgroot | ||
2_1 | vgroot-root | / | |
2_2 | vgroot-swap | It should be the same size as your ram for x86_64. Rationale: it should contain the whole ram image. | |
2_3 | vgroot-rescue | / | This should contain the Alpine image. |
Installing cryptsetup
To install cryptsetup you need the package below
apk add cryptsetup
Choosing ciphers
When you create your luks drives, you need to decide on the type of ciphers and hashing techniques to use. The ciphers that you want to use are ones are up to you, but it should be one that is hasn't been cracked yet or has not suffered a lot of cryptanalysis attacks. The ones that you might want to use is AES which is hardware accelerated in some Intel CPUs that have the AES-NI cpuflag which you can check by cat /proc/cpuinfo
. Also consider the ciphers that are SIMD optimized such as serpent and twofish that are available in the Linux kernel. Also consider ciphers that are unpopular but known to be secure such as blowfish. If it is hardware accelerated, it will save battery life and minimize CPU usage.
Another advantage of using a public vetted cipher is that it provides confidence that it works.
Generally speaking, the swap partition should use a fast cipher.
IMPORTANT: Please read the Important notes section for details about AES encryption.
Getting the available ciphers
cryptsetup benchmark
The top set is associated with the hashing algorithms. The bottom set are the ciphers. Use the commands below but replace the cipher and/or hash algorithm with your preferences.
IMPORTANT: do not use sha1 as the hashing algorithm. It already has already been compromised.
General steps for cryptsetup
Original method with fdisk with no plausible deniability
In this method --type luks
is implied which generates metadata.
If you want plausible deniability for luks, you need to pass --header <path>
to all the luks commands, where <path>
is a unix path like /mnt/usb/d6ae10eda66704c8. The random name comes from openssl rand -hex 8
. The header is transferred to the external device (but no mention of the key slot area but ciphertext being transferred) in the man page. The information in that file should be obfuscated with encryption if there is plaintext or fingerprint in it just in case. Then, it should be decrypted when reused.
You need to install cfdisk if you prefer the interactive ncurses console method:
apk add cfdisk
# | Step | Command |
---|---|---|
1 | Use cfdisk to create partitions. Make two partitions--a system partition and a swap partition | cfdisk
|
2 | Create and format the luks device | cryptsetup --cipher aes-cbc-essiv:sha256 --key-size 256 luksFormat /dev/sda1 /mnt/usb/2a667ec72774b0d5
|
3 | Open the luks device | cryptsetup --key-file /mnt/usb/2a667ec72774b0d5 luksOpen /dev/sda1 root
|
4 | Format the decrypted drive with filesystem | mkfs.ext4 /dev/mapper/root
|
5 | Create the mount point | mkdir -p /mnt/root
|
6 | Mount the root partition | mount /dev/mapper/root /mnt/root
|
7 | Create swap | cryptsetup -c blowfish -h sha256 -d /dev/urandom --key-file /mnt/usb/59022506d9f4a714 create swap /dev/sda2 |
8 | Use swap | mkswap /dev/mapper/swap && swapon /dev/mapper/swap |
Improved method with plausible deniability
This method requires lvm2. To install:
apk add lvm2
# | Step | Command |
---|---|---|
1 | Open the plain dm-crypt device generating no metadata | cryptsetup open --type plain --cipher aes-cbc-essiv:sha256 --key-size 256 --key-file /mnt/usb/2a667ec72774b0d5 /dev/sda root
|
2 | Physical volume create with LVM | pvcreate /dev/mapper/pvroot
|
3 | Volume group create with LVM | vgcreate vgroot /dev/mapper/pvroot
|
4 | Logical volume create the swap volume with LVM | lvcreate -L 4G vgroot -n swap
|
5 | Logical volume create the root volume with LVM | lvcreate -L 2T vgroot -n root
|
6 | Logical volume create the rescue volume with LVM | lvcreate -L 110M vgroot -n rescue
|
7 | Format the root volume with filesystem | mkfs.ext4 /dev/mapper/vgroot-root
|
8 | Format the swap volume and activate it | mkswap /dev/mapper/vgroot-swap && swapon /dev/mapper/vgroot-swap
|
9 | Format the rescue volume with filesystem | mkfs.ext4 /dev/mapper/vgroot-rescue
|
10 | Create mount point for root volume | mkdir -p /mnt/root
|
11 | Mount the root volume | mount /dev/mapper/vgroot-root /mnt/root
|
Configuring OpenRC dmcrypt and setting up fstab
You need to tell OpenRC init scripts to decrypt the volumes. See /etc/conf.d/dmcrypt
.
You need to add the service to boot well because it needs to decrypt the root volume before OpenRC starts running commands from it. So you need to do:
rc-update add dmcrypt boot
/etc/init.d/dmcrypt
The dmcrypt OpenRC service will attempt to decrypt the drive using information provided in /etc/conf.d/dmcrypt.
For luks:
Contents of /etc/conf.d/dmcrypt
For plain dm-crypt:
Contents of /etc/conf.d/dmcrypt
dm-crypt will just mount the encrypted plain dm-crypt drive or the luks partition. What you need to do next is set up fstab located at /etc/fstab. Examples are shown below.
/etc/fstab
To mount plain dm-crypt device with fstab:
Contents of /etc/fstab
To mount lvm volumes with fstab:
Contents of /etc/fstab
How to recover from a bad setup
Many times you will not get it right perfectly the first try. To recover from this situation, you need to reopen the plain dm-crypt drive or the luks drive and then remount everything back.
To recover from luks:
cryptsetup --key-file /mnt/usb/2a667ec72774b0d5 luksOpen /dev/sda1 root mkdir -p /mnt/root mount /dev/mapper/root /mnt/root
To recover from the plain dm-crypt:
cryptsetup open --type plain --cipher aes-cbc-essiv:sha256 --key-size 256 --key-file /mnt/usb/2a667ec72774b0d5 /dev/sda root vgchange -ay vgroot lvchange -ay vgroot/root mkdir -p /mnt/root mount /dev/mapper/vgroot-swap /mnt/root
Next step: Full blown Alpine installation
apk add --root=/mnt/root --initdb $(cat /etc/apk/world)
Then, enable edge repositories in both files including community and testing:
nano /etc/apk/repositories /mnt/root/etc/apk/repositories
Then, copy the necessary files:
cp /etc/resolv.conf /mnt/root/etc
Then, install the basic utils:
apk add --root=/mnt/root dhcpcd chrony networkmanager wireless-tools wpa_supplicant apk add --root=/mnt/root grub mkinitfs e2fsprogs grub-bios grub-efi apk add --root=/mnt/root sudo nano apk add --root=/mnt/root linux-hardened
Then, you need to mount your usb on to /boot:
mount /dev/sdb /boot
Edit grub:
nano /boot/grub/grub.cfg
Then, install grub on the usb:
grub-install --force /dev/sdb
Then, prepare chroot:
mount --bind /dev /mnt/root/dev mount --bind /sys /mnt/root/sys cp /etc/reslov.conf /mnt/root/etc
Then, chroot:
chroot /mnt/root /bin/sh
Set the root administrator password:
passwd
Edit sudo so that wheel group has administrative :
EDITOR=nano visudo
Set:
## Uncomment to allow members of group wheel to execute any command %wheel ALL=(ALL) ALL
Then, add wheel (administrator) user:
useradd -m myname usermod -a -G video,audio,wheel myname
log in that user:
su myname
Then, update and upgrade it
sudo apk update sudo apk upgrade
Then, setup xorg:
sudo setup-xorg-base sudo apk search xf86-video | sort # pick your video driver sudo apk add xf86-video-intel
Then, keep piling on:
sudo apk add firefox dwm xfce4-terminal alsa-utils keepassx xfce4 sudo apk add font-noto-emoji terminus-font leafpad xsetroot sudo apk add xf86-input-mouse xf86-input-keyboard
Then, set the desktop:
nano .xinitrc
Put both but comment with a # one of them if you don't want it,
#while true; do xsetroot -name "$( date +"%a %b %d %I:%M:%S %Y" ) ; sleep 1; done & #exec dwm exec xfce4-session
sync sudo reboot
Install the bootloader in the USB thumb drive
To install grub, you need to install grub on the ramdisk first on the host.
apk add grub
To get a list of partitions
fdisk -l
Mount the boot partition in /boot
mount /dev/sdb /boot
Make changes to grub's configuration
nano /boot/grub/grub.cfg
Install it to your USB thumb drive
grub-install /dev/sdb
Hacking mkinitfs
You may want to hack the mkinitfs init script and rebuild the package depending on what methods you use. You could possibly have a complex way to hide your GPG keys (again enhancing plausible deniability) with steganography or extend it with three-factor authentication which adds biometrics along side with mind and physical.
See https://github.com/alpinelinux/mkinitfs/tree/master .
Home mounting with eCryptfs
We use eCryptfs to encrypt home. The rationale for having another encrypted file system is that if you leave your laptop unattended on break or accidentally leave your USB key in, your data will not be accessible. When you log off due to inactivity, your home directory will be unmounted and encrypted. eCryptfs will encrypt/decrypt the filename and the contents and will sit on top of ext4 which sits on top of luks.
To install ecryptfs-utils:
sudo apk add ecryptfs-utils
You need to write a custom script that does the following:
* kill all running processes associated with your user account * auto logoff terminals * for the last terminal closed including all idle xservers, unmount your user home * (optional) use smem to wipe all your plaintext private data in memory after all closed programs in case of cold boot attack
This does only one factor authentication with just the password and the USB key inside. You need to reconfigure pam with the pam_usb.so which is not in Alpine aports.
Locking it down
Many times you will leave your laptop behind with people you trust. The following tools will help lock down the system.
physlock
This will auto lock the tty and when you return will prompt for password.
To install physlock:
sudo apk add physlock
It is currently bugged. See [3]. physlock likely doesn't do two-factor authentication but it should.
You need to create custom script that will monitor idle time in TTY then call physlock. You load this script when you log on.
xscreensaver
This will lock you out of xserver
To install xscreensaver:
sudo apk add xscreensaver
USB key udev rule
You need to add a new udev rule that will suspend-to-ram or hibernate and log off once you pull the USB key. When you come back on, you should do 2 factor authentication to restore back everything. Hibernation and suspend-to-ram might mitigate cold-boot attack (but unlikely see notes at the bottom of the page) to extract plaintext private data and encryption keys in memory.
To find out the details of your USB do:
udevadm monitor --udev -p
The output should look like:
UDEV [181762.722853] add /devices/pci0000:00/0000:00:13.2/usb2/2-5/2-5:1.0/host6/target6:0:0/6:0:0:0/block/sdc (block) ACTION=add DEVLINKS=/dev/disk/by-id/usb-Kingston_MSFT_NORB_MSFTLAKDA300EB3021790009-0:0 /dev/disk/by-path/pci-0000:00:13.2-usb-0:5:1.0-scsi-0:0:0:0 /dev/disk/by-uuid/5A96-03E4 DEVNAME=/dev/sdc DEVPATH=/devices/pci0000:00/0000:00:13.2/usb2/2-5/2-5:1.0/host6/target6:0:0/6:0:0:0/block/sdc DEVTYPE=disk ID_BUS=usb ID_FS_TYPE=vfat ID_FS_USAGE=filesystem ID_FS_UUID=5A96-03E4 ID_FS_UUID_ENC=5A96-03E4 ID_FS_VERSION=FAT32 ID_INSTANCE=0:0 ID_MODEL=MSFT_NORB ID_MODEL_ENC=MSFT\x20NORB\x20\x20\x20\x20\x20\x20\x20 ID_MODEL_ID=1645 ID_PATH=pci-0000:00:13.2-usb-0:5:1.0-scsi-0:0:0:0 ID_PATH_TAG=pci-0000_00_13_2-usb-0_5_1_0-scsi-0_0_0_0 ID_REVISION=PMAP ID_SERIAL=Kingston_MSFT_NORB_MSFTLAKDA300EB3021790009-0:0 ID_SERIAL_SHORT=MSFTLAKDA300EB3021790009 ID_TYPE=disk ID_USB_DRIVER=usb-storage ID_USB_INTERFACES=:080650: ID_USB_INTERFACE_NUM=00 ID_VENDOR=Kingston ID_VENDOR_ENC=Kingston ID_VENDOR_ID=0951 MAJOR=8 MINOR=32 SEQNUM=2027 SUBSYSTEM=block USEC_INITIALIZED=1762722168
You want to extract the ID_SERIAL_SHORT=MSFTLAKDA300EB3021790009
or whatever is associated with your USB thumb drive.
You need pm-utils for ps-suspend. So to install it do:
sudo apk add pm-utils
You will create a udev rules so that when you pull out the USB, it will suspend-to-ram or you can use your own script. To do that create a file with the following contents:
Contents of /etc/udev/rules.d/50-usb-thumb-drive.rules
Extending battery life
ACPI
ACPI is a good daemon to use to execute certain scripts when laptop events are triggered.
To install ACPI do:
apk add acpi
The events to pay attention to are:
Event | ACPI Event | What your script should do |
---|---|---|
lid close | log off ttys and suspend-to-ram. ALSA should either set the volume to 0 for the sound card or the sound driver be unloaded. It might be a good idea to kill or mute any music or movie players if the sound loops loudly after lid open. | |
lid open | lock all ttys and all xservers should be locked, possibly reinitialize ALSA and the sound system. | |
tapped power button | lock all ttys and suspend-to-ram | |
held power button | hibernate | |
unplugged power | should switch to 'conservative' cpufreq governor at above 25% power ; 'powersave' governor at 25%. set hdparam spindown rate lower. | |
plugged power | should switch to 'performance' governor. disable hdparam spindown. |
The purpose of the power governor is to regulate the running frequency (GHz) of the processor.
Certain event handlers are are managed through laptop-mode-tools. If you don't want the dependency, then you could write ACPI handler scripts.
acpi_listen
can be used to retrieve the event name.
TODO: put scripts below
Adjusting the backlight dynamically
The backlight may be controlled using sysfs. The setting is a descendant of /sys/class/backlight/
. The feature may allow you to echo a value to it. Use trial and error to discover the values.
The adjustment of the backlight should be function of battery life. So if it is like 33% battery life, you want to run it near lowest settings but readable. For 50 percent battery energy maybe 40% light. For 90% battery maybe 75% light.
hdparm
To install hdparam do:
sudo apk add hdparm
The settings that laptop-mode-tools messes with is the -S
or the spindown timeout. It was also hinted that acoustic setting -M
is associated with the speed meaning that louder is faster and quieter is slower which could contribute to the amount of energy used or reduced.
Again you want something like laptop-mode-tools or ACPI to dynamically adjust the settings based on ACPI events.
laptop-mode-tools
This is currently not in aports but worthy mentioning. It should really be packaged. This is a set of scripts to define a power policies. You can manage all the settings in one place here like the hard drive idle spindown time, CPU governor control, dynamic LCD backlight behavior based on running on battery or AC power supply.
cpufreqd
This is a useful daemon for regulating power.
To install cpufreqd do:
sudo apk add cpufreqd
Make sure you add the service:
sudo rc-update add cpufreqd
Hacking the kernel
You should refer to the Custom Kernel page for details.
Hibernation
See Hibernation to prevent data loss.
WiFi management
Since you are using WiFi, you need a better WiFi management to quickly find open access WiFi access points. We don't have all day to debug complexities of WiFi settings while away from home.
To install NetworkManager do:
sudo apk add networkmanager
To find WiFi access points use the nmtui
ncurses interface.
You also need other programs so install them as well:
apk add wpa-supplicant dhcpcd chrony macchanger wireless-tools iputils
What these programs do:
- wpa-supplicant -- for WPA encryption
- dhcpcd -- for getting a dynamic IP address
- chrony -- for fixing the time with the atomic clock
- wireless-tools -- for additional information
- macchanger -- for protecting against WiFi access discrimination or increased anonymity. (optional)
- iputils -- for the ping command (optional)
You also need to add those services:
rc-update add chrony rc-update add wpa-supplicant rc-update add dhcpcd rc-update add networkmanager
To start the services manually (or just reboot):
/etc/init.d/chrony start /etc/init.d/wpa-supplicant start /etc/init.d/dhcpcd start /etc/init.d networkmanager start
Additional tools
actkbd
To control the sound with fn function keys, you need this daemon. It is currently not in aports. You could override the design and meaning of those keys with your own scripts and utilities. This daemon gives you that freedom.
If your laptop contains a brightness key, you want to set that up with this program. See also Adjusting the backlight dynamically.
secure-delete
Want to prevent cold-boot attack or decrypted keys in memory falling in the wrong hands? This maybe could work who knows?
To install secure-delete do:
sudo apk add secure-delete
smem only works for unused ram.[4] If you use the vanilla kernel, this may work. If you use grsecurity, it will automatically sanitize memory [unconfirmed if enabled] when the memory page is freed.[5]
Close all important programs then call smem.
You call smem in your shutdown script or auto-logoff script.
You can call create a OpenRC shutdown script to run smem when most programs and services are closed. This will erase all your sensitive plaintext private data just in case.
You may want to create a wrapper script to call smem after your program closes.
Sharing presentations over HDMI
If you want to use your laptop to share presentation over HDMI connection, you need libxinerama and xrandr.
To install libxinerama and xrandr do:
sudo apk add libxinerama xrandr
Important notes
If you lose or break your USB key, that is it and you cannot decrypt your drive. It would be wise to make a backup of it.
I don't know if suspend-to-ram or hibernate sufficiently clear the AES encryption keys off ram in those phases which would invite a cold boot attack. This has been covered by the TRESOR kernel patch.[6][7] This patch hasn't been updated since the 4.x kernel series.[8]. This patch currently only works on 32-bit Linux with sse and mmx and on processors with the AES-NI instruction set. TRESOR doesn't work with DMA attack. Loop-Amnesia works with LoopAES and is only for 64 bit Linux. [9]
Please read the Wikipedia article on Cold Boot Attack especially the mitigation section.[10] Full disk encryption will not protect your data especially for older hardware if you do not have the proper mitigation (implying not full proof) prerequisites such as a patched kernel, memory scrambling, permanent memory module mounting for example.