Option to overwrite encryption key in memory on locking
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
pam (Ubuntu) |
New
|
Undecided
|
Unassigned | ||
xscreensaver (Ubuntu) |
New
|
Undecided
|
Unassigned |
Bug Description
I'm using Ubuntu 13.10 dev with xscreensaver 5.15-3ubuntu1. If the filesystem is encrypted (for example with ecryptfs) and the screen is locked the encryption key still resides in memory. Anybody with physical access could make a cold boot attack to get this key. The only solution is to logout from all instances so that the encryption key gets overriden.
xscreensaver could provide an option to override this key too on locking the screen. The key will then be recovered if the user unlocks the screen with entering his password. But this has one disadvantage: As the user session is still open any running application could try to access the non-readable-
This is an issue for the PAM stack, not for xscreensaver.