TRESOR is a kernel patch for Linux 2.6.36 that offers interesting protection against attacks on encryption keys that are stored in RAM.
Many DRAM chips hold their state for a relatively long time after power-off, long enough for an attacker to boot their own OS and dump a complete copy of your running RAM image. Sometimes the contents even survive long enough to remove the chips and re-insert them into a separate machine for copying!
If an attacker has a copy of your RAM, they also have a copy of any encryption keys that you are currently using, e.g. for disk encryption products.
The TRESOR patch has found an effective way to keep your AES keys out of RAM, stashing them in the debug registers of your CPU (preferably an Intel Core i5 or Core i7 with the AES-NI extensions) and performing encryption/decryption directly in the CPU. This protects your AES key from anyone reading RAM, because it simply isn’t in there! If you further restrict your kernel so that it can no longer load modules and no longer provides /dev/kmem, there is no known way to extract your key from the machine at all, yet the key can still be used efficiently.
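The host conditions described above (AES-NI available, module loading off, no /dev/kmem) can be checked with a short script. This is an added example, not part of the TRESOR patch; the function names are hypothetical, and the optional root argument is an assumption that lets the checks run against a constructed fixture tree instead of the live /proc and /dev.

```shell
#!/bin/sh
# Added example: audit the host conditions the post relies on.
# All function names are hypothetical; $1 is a root prefix ("" = live system).

# CPU advertises AES-NI ("aes" as a whole word on a flags line).
has_aesni() {
    grep -E '^flags[[:space:]]*:' "$1/proc/cpuinfo" 2>/dev/null | grep -qw aes
}

# Module loading is off: kernel built without modules (no /proc/modules)
# or the one-way sysctl kernel.modules_disabled is set to 1.
modules_locked() {
    [ -d "$1/proc" ] || return 1          # no procfs: cannot tell, fail closed
    [ ! -e "$1/proc/modules" ] && return 0
    [ "$(cat "$1/proc/sys/kernel/modules_disabled" 2>/dev/null)" = "1" ]
}

# No device node exposing kernel virtual memory.
kmem_absent() {
    [ ! -e "$1/dev/kmem" ]
}

# Print one line per check; return the number of failed checks.
tresor_audit() {
    root=${1:-}
    fails=0
    for check in has_aesni modules_locked kmem_absent; do
        if "$check" "$root"; then
            echo "PASS $check"
        else
            echo "FAIL $check"; fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed fixture: AES-NI present, modules loadable, /dev/kmem exposed.
fixture=$(mktemp -d)
mkdir -p "$fixture/proc/sys/kernel" "$fixture/dev"
printf 'flags\t\t: fpu sse2 aes avx\n' > "$fixture/proc/cpuinfo"
: > "$fixture/proc/modules"
echo 0 > "$fixture/proc/sys/kernel/modules_disabled"
: > "$fixture/dev/kmem"
tresor_audit "$fixture" || echo "fixture: $? check(s) failed"
# On a live machine: tresor_audit ""   (empty root means /proc and /dev)
```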
The current downsides to the project are of course the limited kernel version support and problems with the user interface for providing the key at initial boot and when returning from suspend. But it provides a level of protection that even the Trusted Platform Module hardware solution cannot match.