What is a Cold Boot Attack?
A technique for extracting encryption keys from a computer's RAM by physically accessing the memory chips shortly after shutdown, exploiting the fact that DRAM does not lose its contents instantly when power is removed.
RAM retains data for seconds to minutes after power is removed. Cooling the chips with compressed air can extend this to hours.
How It Works
- The target computer is running (or was very recently) with its encrypted disk unlocked, so the decryption keys are held in RAM
- The attacker gains physical access to the machine
- The RAM modules are cooled with compressed air or liquid nitrogen to slow data decay
- The machine is rebooted into a minimal OS, or the RAM is transplanted into another machine
- The still-present encryption keys are read out of memory
- The recovered keys are used to decrypt the disk
Real-World Use
- Law enforcement forensics on seized computers
- Demonstrated against BitLocker, FileVault, and LUKS
Countermeasures
- Shut down fully (don't just sleep or hibernate) when the machine may fall into someone else's hands, since a sleeping system keeps its keys in powered RAM
- Use a BIOS/UEFI password and Secure Boot to make booting an alternative OS on the machine harder
- Store keys in a TPM or HSM rather than in RAM when possible
- Some systems now scrub RAM on shutdown
- Full memory encryption (AMD SME/SEV, Intel TME) protects against physical RAM reads, because the data in the chips is ciphertext under a key the CPU never exposes
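The "scrub RAM on shutdown" countermeasure applies at the application level too: key material should be wiped the moment it is no longer needed, and the wipe must not be a dead store the compiler is free to delete. The following C example is added here to illustrate that pattern; it is not code from the page or from any product named above. The volume_ctx structure, the volume_unlock/volume_lock functions and the sample key are hypothetical and constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Wipe a buffer in a way the compiler cannot elide as a "dead store".
 * A plain memset() on memory that is never read again may be removed
 * by the optimizer; writes through a volatile pointer are not. */
void secure_zero(void *buf, size_t len) {
    volatile uint8_t *p = (volatile uint8_t *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Return 1 if every byte of buf is zero, 0 otherwise (constant-time OR fold). */
int is_zeroed(const uint8_t *buf, size_t len) {
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++) acc |= buf[i];
    return acc == 0;
}

/* Hypothetical holder for a disk-encryption key while a volume is open. */
typedef struct {
    uint8_t key[32];
    int unlocked;
} volume_ctx;

/* Load a key into RAM. In a real system this buffer would also be
 * mlock()ed so it cannot be paged to swap; omitted here for portability. */
void volume_unlock(volume_ctx *ctx, const uint8_t *key, size_t key_len) {
    size_t n = key_len < sizeof ctx->key ? key_len : sizeof ctx->key;
    memset(ctx->key, 0, sizeof ctx->key);
    memcpy(ctx->key, key, n);
    ctx->unlocked = 1;
}

/* Lock / shutdown path: scrub the key before the memory goes idle.
 * Returns 1 if the key material is verifiably zero afterwards. */
int volume_lock(volume_ctx *ctx) {
    secure_zero(ctx->key, sizeof ctx->key);
    ctx->unlocked = 0;
    return is_zeroed(ctx->key, sizeof ctx->key);
}

int main(void) {
    volume_ctx ctx;
    uint8_t sample_key[32];                 /* constructed sample, not a real key */
    for (int i = 0; i < 32; i++) sample_key[i] = (uint8_t)(0xA5 ^ i);

    volume_unlock(&ctx, sample_key, sizeof sample_key);
    printf("key resident in RAM: %s\n", is_zeroed(ctx.key, 32) ? "no" : "yes");

    volume_lock(&ctx);
    printf("key wiped on lock:   %s\n", is_zeroed(ctx.key, 32) ? "yes" : "no");
    return 0;
}
```

Calling volume_lock from the shutdown, suspend and screen-lock paths shortens the window in which a frozen DIMM still holds anything useful; it does not replace hardware measures such as memory encryption, because a key that is in use at the moment power is cut cannot be scrubbed by software.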
Related Terms
Air Gap
A security measure that physically isolates a computer or network from the internet and other unsecured networks. An air-gapped system has no wired or wireless connections to the outside world, which makes remote compromise virtually impossible and leaves physical access (as in a cold boot attack) as the main avenue.
Encryption at Rest
Encryption applied to data stored on disks, databases, or other storage media. When data is 'at rest' (not actively being transmitted), encryption protects it from unauthorized access if storage devices are stolen or compromised.