
When we have a dedicated server, no one can access RAM data except the OS (for example, the Debian that is running on it).

If someone wants to get a RAM dump without access to the system, they need to freeze the RAM modules and read them after poweroff (they will keep data for some time).

But what about KVM? If we speak about OpenStack KVM, the host admin can make a snapshot of my running VM into a single file.

Can he then read the raw RAM data to get the keys/secrets? ECRYPTFS keys for encrypted folders, recently used gnupg2 private keys, certificates loaded into nginx memory from an ecryptfs folder?

nikitasius

1 Answer

KVM is a virtualisation hypervisor.

This means that it requires knowledge of, and the ability to access, all of the guest's memory contents. This allows the hypervisor to suspend, resume, and move a virtual machine as it's running. VMware's ESXi supports such functionality, and again this is only possible with access to the guest's memory contents.

Cheat Engine, a tool used to create cheats for single player and multiplayer games on Windows, recently introduced a way to visualize the current system to get at protected memory contents without making anyone else the wiser. It does this with Hyper-V, yet another hypervisor.

If your data is decrypted "on the fly", the encryption key must be stored somewhere. This is likely system memory for speed, but that does make it vulnerable to those who can inspect memory, such as in the case of a virtual guest OS.

dark_st3alth
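A guest-side mitigation for the answer's last point, added here as an example and not part of the original post: keep a key in one locked page only while it is being used, then overwrite it, so a snapshot taken afterwards no longer contains that copy. It assumes Linux; `with_short_lived_key`, `load_fn`, `use_fn` and the demo key are hypothetical names and constructed data. It does not hide the key from the hypervisor while the key is loaded, and it does not help for keys that must stay resident (a mounted eCryptfs folder, a TLS key held by a running nginx).

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <sys/mman.h>
#define KEY_PAGE 4096   /* one page reserved for key material */

/* Hypothetical callbacks: load_fn writes the key straight into the locked
 * page and returns its length; use_fn does the work that needs the key. */
typedef size_t (*load_fn)(unsigned char *buf, size_t cap);
typedef int (*use_fn)(const unsigned char *key, size_t len);

/* Volatile stores cannot be optimised away (glibc: explicit_bzero()). */
static void wipe(volatile unsigned char *v, size_t n) { while (n--) *v++ = 0; }

/* Returns use()'s result, or -1 on error. *wiped is 1 when the page was
 * verified all-zero before being unmapped. */
int with_short_lived_key(load_fn load, use_fn use, int *wiped)
{
    unsigned char *buf = mmap(NULL, KEY_PAGE, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) return -1;
    (void)mlock(buf, KEY_PAGE);   /* best effort: keep the page out of swap */
    size_t len = load(buf, KEY_PAGE);
    int rc = (len > 0 && len <= KEY_PAGE) ? use(buf, len) : -1;
    wipe(buf, KEY_PAGE);          /* this copy of the key is gone from RAM */
    *wiped = 1;
    for (size_t i = 0; i < KEY_PAGE; i++)
        if (((volatile unsigned char *)buf)[i]) *wiped = 0;
    munmap(buf, KEY_PAGE);
    return rc;
}

/* Constructed demo key (bytes 1..16) and a stand-in for real crypto. */
static size_t demo_load(unsigned char *buf, size_t cap)
{
    if (cap < 16) return 0;
    for (size_t i = 0; i < 16; i++) buf[i] = (unsigned char)(i + 1);
    return 16;
}
static int demo_use(const unsigned char *key, size_t len)
{
    int sum = 0;
    for (size_t i = 0; i < len; i++) sum += key[i];
    return sum;
}

int main(void)
{
    int wiped = 0, rc = with_short_lived_key(demo_load, demo_use, &wiped);
    printf("result=%d wiped=%d\n", rc, wiped);
    return 0;
}
```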