Cold Boot Attack

Definition

A cold boot attack recovers the contents of a computer's volatile memory, RAM, shortly after power is removed, exploiting a phenomenon called data remanence. Contrary to the once-common assumption that DRAM loses its contents instantly when powered off, memory cells actually retain their charge for seconds to minutes, long enough for an attacker to read them. The attack was demonstrated in the landmark 2008 "Lest We Remember" research from Princeton.

How Keys Leak From RAM

While a system runs full-disk encryption, the decryption key must sit unencrypted somewhere in RAM, otherwise the machine couldn't read its own disk. A cold boot attacker cuts power, then either reboots into a tiny custom kernel that dumps the surviving memory, or physically pulls the DRAM modules and reads them in a machine they control. Because the key is in plaintext in memory, recovering it bypasses the encryption entirely. Spraying the chips with a cooling agent dramatically slows the decay, extending the readable window to minutes.

Mitigations

Defenses focus on keeping keys out of vulnerable RAM. Some systems hold keys only in CPU registers or hardware key stores rather than main memory; others scrub keys from RAM on shutdown, sleep, or lid-close, and refuse to resume without re-authentication. Encrypting memory itself, and binding disk keys to a hardware module that releases them only in a verified state, also help. For self-custody, the practical takeaway is that a powered-on or sleeping device with an unlocked wallet is far more exposed than a fully powered-down one.

This is one reason cold storage keeps keys off live machines entirely; in-memory protection complements the hardware-bound keys of a Trusted Platform Module.
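The scrub-on-shutdown, sleep, or lid-close mitigation described above, sketched in C as an added example (not code from this page or from any particular product). The names `key_slot`, `on_power_event`, and the `EV_*` events are hypothetical, and the key bytes are a constructed sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_LEN 32
enum power_event { EV_SHUTDOWN, EV_SLEEP, EV_LID_CLOSE, EV_RESUME };

/* Hypothetical in-RAM holder for a disk or wallet key. */
struct key_slot {
    uint8_t key[KEY_LEN];
    int unlocked;               /* 1 only between authentication and scrub */
};

/* Zero through a volatile pointer so the wipe is not dropped as a dead store. */
static void secure_wipe(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Called after the user authenticates; `derived` is the key just derived. */
void key_slot_unlock(struct key_slot *s, const uint8_t derived[KEY_LEN]) {
    memcpy(s->key, derived, KEY_LEN);
    s->unlocked = 1;
}

/* Scrub on every event that leaves the machine unattended. EV_RESUME does
   nothing: the slot stays locked until key_slot_unlock() runs again. */
void on_power_event(struct key_slot *s, enum power_event ev) {
    if (ev == EV_SHUTDOWN || ev == EV_SLEEP || ev == EV_LID_CLOSE) {
        secure_wipe(s->key, KEY_LEN);
        s->unlocked = 0;
    }
}

/* Count of key bytes still non-zero in RAM (0 after a scrub). */
size_t key_slot_residue(const struct key_slot *s) {
    size_t n = 0;
    for (size_t i = 0; i < KEY_LEN; i++) n += (s->key[i] != 0);
    return n;
}

int main(void) {
    uint8_t sample[KEY_LEN];
    struct key_slot slot = {{0}, 0};
    memset(sample, 0xA5, sizeof sample);      /* constructed sample key */
    key_slot_unlock(&slot, sample);
    secure_wipe(sample, sizeof sample);       /* wipe the temporary copy too */
    on_power_event(&slot, EV_LID_CLOSE);      /* lid closes: key is scrubbed */
    return (key_slot_residue(&slot) == 0 && !slot.unlocked) ? 0 : 1;
}
```

A scrub like this only runs when the handler gets to run, so it covers orderly shutdown and sleep but not an abrupt power cut on a running, unlocked machine.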
