{{Header}}
{{Title|
title=ram-wipe - Wipe RAM on shutdown and reboot
}}
{{#seo:
|description=Wipe RAM at shutdown to prevent information extraction from memory. ram-wipe is a software project designed to defend against RAM extraction attacks by wiping a computer's RAM clean during shutdown or restart. This provides an additional layer of security for organizations that handle sensitive information and prevents attackers from accessing any data that may have been stored in the RAM.
|image=Ram-wipe.png
}}
{{fde-mininav}}
[[File:Ram-wipe.png|200px|thumb|ram-wipe logo]]
{{intro|
Wipe RAM at shutdown to prevent information extraction from memory.
ram-wipe is a software project designed to protect against RAM extraction attacks by erasing the contents of a computer's random access memory (RAM) when the system is shut down or restarted. This helps prevent attackers from recovering sensitive data that may have been temporarily stored in RAM.
ram-wipe is especially useful for organizations that work with confidential information and need an extra layer of security. By clearing the RAM during shutdown or reboot, ram-wipe reduces the risk of data theft through RAM extraction and improves overall system security.
}}
= Introduction =
RAM extraction attacks have been a known method to steal information from computers since at least 2008.
https://en.wikipedia.org/w/index.php?title=Cold_boot_attack&oldid=249088610
Many people assume that all data in RAM disappears as soon as a computer is turned off—but this isn’t always true. In some cases, the contents of RAM can remain for several seconds or even minutes after power loss.
Research by 3MDEB confirms that this type of attack still works with modern RAM like DDR4 and DDR5, which are common in today’s computers. Sometimes RAM is wiped instantly after shutdown or power loss, but in many cases the contents can stay for a few seconds, or even minutes. See:
* [https://blog.3mdeb.com/2024/2024-12-13-ram-data-decay-research/ Research of RAM data remanence times]
* [https://blog.3mdeb.com/2025/2025-01-24-ram-data-decay-research-part2/ Research of RAM data remanence times, part 2]
* [https://blog.3mdeb.com/2025/2025-02-20-conclusions-from-ram-data-remanence-tests/ Conclusions from RAM data remanence tests]
Since at least 2011, the Linux [[Live_Mode|live]] operating system [https://tails.boum.org/ Tails] has included a RAM wiping feature during shutdown.
https://web.archive.org/web/20110423165633/https://tails.boum.org/contribute/design/memory_erasure/
(Live systems are run from USB sticks or DVDs.) However, Tails’ [https://tails.boum.org/contribute/design/memory_erasure/ documentation] explains that this feature has limitations.
Until recently, no other Linux distributions like Debian or Fedora included RAM wiping by default.
In 2023, the ram-wipe package was released as a new solution. It wipes RAM during Linux kernel reboot or shutdown sequences, helping prevent data from being recovered later.
ram-wipe works on Debian, {{Kicksecure}}, and possibly other Linux systems. It can also be adapted for other Linux-based setups or devices.
There is now a standalone [https://github.com/{{project_name_short}}/ram-wipe RAM wipe at shutdown tool (source code)] that has very few extra requirements.
(These are called '''dependencies'''—other software that must be present for a program to work.)
The tool uses a '''dracut module'''—a plugin for the Dracut tool, which helps create the early environment used when the system boots.
Many Linux distributions already include Dracut, so packaging ram-wipe for other systems is easier.
ram-wipe is free to use and Open Source. It is also Freedom Software, meaning anyone can study, modify, and share it under its license.
However, software-based RAM wiping (like ram-wipe or the feature in Tails) has a key limitation:
It only works '''if the system shuts down properly'''. For example, it does not protect against those cold boot attacks in which the device suddenly loses power (for example, when the power supply is unplugged) and software execution is interrupted. In that case, ram-wipe never gets a chance to run.
For technical details on ram-wipe using initramfs-tools (a tool for building the early boot environment, similar to Dracut), see: [[Dev/RAM_Wipe#Status_of_initramfs-tools_Support|Status of initramfs-tools Support]].
See also:
* [[Dev/RAM_Wipe#Differences_of_ram-wipe_versus_Tails_Memory_Erasure|Differences between ram-wipe and Tails’ memory erasure]]
* [[Dev/RAM_Wipe|ram-wipe (developer documentation)]]
= Installation of ram-wipe =
{{Testers-only}}
'''1.''' Platform specific notice.
* Debian: Debian comes with initramfs-tools by default.
* Kicksecure: Newer builds of {{project_name_short}} come with dracut by default.
* Qubes: [[Unsupported]].
* Qubes feature request: [https://github.com/QubesOS/qubes-issues/issues/1562 Wipe RAM on shutdown]
'''2.''' Migrate to dracut.
Since ram-wipe is unavailable for initramfs-tools, the user needs to migrate to dracut, the only initrd creator supported by ram-wipe, if not already done. See the instructions on the [[dracut]] wiki page to find out whether dracut is already installed and how to install it.
'''3.''' Reboot.
This tests whether dracut is functional. If the system boots normally, then everything is okay.
'''4.''' Add {{project_name_short}} APT repository.
NOTE: Users of {{project_name_short}} can skip this step.
{{Box|text=
{{Project-APT-Repository-Add Easy}}
}}
'''5.''' Install ram-wipe.
{{Install Package|package=
ram-wipe
}}
'''6.''' Done.
The process of installing ram-wipe has been completed.
= Host vs VMs =
ram-wipe is useful on the host operating system but not so much inside a VM. See also [[Dev/RAM_Wipe#ram-wipe_Testing_inside_a_VM]].
= Sample Printout =
== Boot Printout ==
<pre>
[ OK ] Reached target initrd.target - Initrd Default Target.
Starting dracut-pre-pivot.service - dracut pre-pivot and cleanup hook...
[ 8.686156] dracut-pre-pivot[763]: INFO: wipe-ram-needshutdown.sh: Calling dracut function need_shutdown to drop back into initramfs at shutdown, OK.
[ OK ] Finished dracut-pre-pivot.service - dracut pre-pivot and cleanup hook.
</pre>
== Shutdown Printout ==
<pre>
[ 42.474323] dracut INFO: wipe-ram.sh: RAM extraction attack defense... Starting RAM wipe pass during shutdown...
[ 42.501159] dracut INFO: wipe-ram.sh: RAM wipe pass completed, OK.
[ 42.502837] dracut INFO: wipe-ram.sh: Checking if there are still mounted encrypted disks...
[ 42.508801] dracut INFO: wipe-ram.sh: Success, there are no more mounted encrypted disks, OK.
[ 42.530125] reboot: Restarting system
</pre>
= ram-wipe Known Issues =
* Wiping the video RAM (the RAM of the graphics card) has not been implemented anywhere to the knowledge of the author. [https://gitlab.tails.boum.org/tails/tails/-/issues/5356 Erase video memory on shutdown]
= Unmount Encrypted Root Disk to Wipe Full Disk Encryption Key =
To wipe the LUKS full disk encryption (FDE) key for the root disk from RAM, it is required to unmount the root disk file system and close the root disk LUKS volume during the shutdown process. This is implemented as per the [https://github.com/dracut-ng/dracut-ng/issues/204 dracut shutdown hook to close encrypted devices and wipe their encryption keys from kernel memory] and will be available in Kicksecure 18 and above (Debian trixie based). While [https://github.com/dracut-ng/dracut-ng/issues/204 that dracut shutdown hook] is present, [https://github.com/Kicksecure/ram-wipe/blob/master/usr/lib/dracut/modules.d/40cold-boot-attack-defense/wipe-ram.sh#L39-L50 wipe-ram.sh accounts for possible failures and informs the user of them].
Kicksecure 18 is unavailable at time of writing. There is no {{ETA}}. It will be released after Debian trixie has been declared stable by Debian.
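The following check is an added example, not part of ram-wipe or this project's code. It scans captured console output for the boot and shutdown messages shown in the sample printouts and reports which stage (need_shutdown registration, wipe pass, encrypted disk check) is missing. It assumes the console output was saved to a text file; the function names <code>write_sample_log</code> and <code>check_ram_wipe_log</code> are hypothetical.

```shell
#!/bin/sh
# Added example (not part of ram-wipe). Marker strings are copied from the
# sample printouts on this page; the capture file itself is an assumption.

# write_sample_log FILE: sample input, built from the page's printouts.
write_sample_log() {
    cat > "$1" <<'EOF'
[ 8.686156] dracut-pre-pivot[763]: INFO: wipe-ram-needshutdown.sh: Calling dracut function need_shutdown to drop back into initramfs at shutdown, OK.
[ 42.474323] dracut INFO: wipe-ram.sh: RAM extraction attack defense... Starting RAM wipe pass during shutdown...
[ 42.501159] dracut INFO: wipe-ram.sh: RAM wipe pass completed, OK.
[ 42.502837] dracut INFO: wipe-ram.sh: Checking if there are still mounted encrypted disks...
[ 42.508801] dracut INFO: wipe-ram.sh: Success, there are no more mounted encrypted disks, OK.
[ 42.530125] reboot: Restarting system
EOF
}

# check_ram_wipe_log FILE: print PASS/FAIL per stage, return 0 only if all passed.
check_ram_wipe_log() {
    log=$1
    rc=0
    # Each line below is "stage|fixed string that must appear in the log".
    while IFS='|' read -r stage marker; do
        if grep -qF -- "$marker" "$log"; then
            echo "PASS $stage"
        else
            echo "FAIL $stage"
            rc=1
        fi
    done <<'EOF'
need_shutdown registered at boot|wipe-ram-needshutdown.sh: Calling dracut function need_shutdown
wipe pass started|wipe-ram.sh: RAM extraction attack defense... Starting RAM wipe pass
wipe pass completed|wipe-ram.sh: RAM wipe pass completed, OK.
encrypted disks closed|wipe-ram.sh: Success, there are no more mounted encrypted disks, OK.
EOF
    return "$rc"
}

# Demo run on the sample input.
sample=$(mktemp)
write_sample_log "$sample"
check_ram_wipe_log "$sample"
rm -f "$sample"
```

A missing "need_shutdown registered at boot" line means the system never drops back into the initramfs at shutdown, so the later stages cannot appear either.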
= Status =
* ram-wipe will probably be installed by default once Kicksecure has been ported to Debian trixie.
** https://github.com/3mdeb/news-and-ideas/pull/683
= Development =
* [[Dev/RAM_Wipe|RAM Extraction Attack Defense - RAM Wipe Design Documentation]]
* [https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix-cold-boot-attack-defense/5596 Is RAM Wipe possible? Cold Boot Attack Defense]
= Footnotes =
{{reflist|close=1}}
[[Category:Documentation]]
{{Footer}}