I've been conducting a post-mortem analysis on a recent container escape incident in our lab environment. During the forensic review, I noticed something concerning in the audit logs: a process was able to read sensitive application data from a memory-backed file system (`tmpfs` at `/dev/shm`) even after the parent container was terminated and re-instantiated.

This led me down a rabbit hole investigating persistent memory (PMEM) and `memfd`-backed file systems. The core issue appears to be that common encryption-at-rest solutions (LUKS, eCryptfs) do not cover volatile or persistent memory regions by default. Data written to `/dev/shm`, `/run/shm`, or via `memfd_create()` remains unencrypted.

Consider this simple demonstration. A process creates an in-memory file and writes sensitive data:

```c
#define _GNU_SOURCE
#include
#include
#include
#include

int main() {
int fd = memfd_create("secrets", 0);
const char *secret = "AUTH_KEY=supersecret123";
write(fd, secret, strlen(secret));
lseek(fd, 0, SEEK_SET);
/* Process terminates, but memory pages may persist */
pause(); /* Simulate a crash without cleanup */
return 0;
}
```

Post-termination, these pages can linger in the kernel's page cache or, worse, in actual persistent memory (NVDIMMs). My testing with `pmem` namespaces on a test system confirms that `ndctl`-created namespaces mounted with `DAX` bypass the block layer entirely, rendering block-level encryption ineffective.

**Key findings from my lab:**

* **Page Cache Retention:** Dirty pages from `tmpfs` can remain in the page cache long after file deletion, accessible via direct physical memory inspection or certain kernel debug interfaces.
* **PMEM/DAX Bypass:** Filesystems mounted with Direct Access (DAX) on persistent memory avoid the block layer. Full-disk encryption does not apply.
* **Container Shared Memory:** Kubernetes `emptyDir` with `medium: Memory` creates a `tmpfs` mount. Multi-container pods can leak data via this shared memory if not explicitly cleared.

**Potential mitigation paths I'm evaluating:**

* Implementing a kernel module to hook `memfd_create()` and `shm_open()` to enforce encryption via a lightweight cipher (e.g., ChaCha20) for selected processes.
* Using `mlock()` and explicit `memset()` to zero memory before termination in sensitive applications.
* For PMEM, configuring the namespace to use the `sector` (block translation) mode instead of `fsdax` or `devdax`, then applying LUKS. This sacrifices some performance.

My primary questions for the community:

* Are there existing, production-tested frameworks for transparent memory encryption in user-space for Linux?
* Has anyone successfully implemented a policy (e.g., via eBPF) to detect uncleared sensitive data in persistent memory regions?
* Is this considered a realistic threat model in your organization's hardening guides, or is it typically dismissed as requiring physical access?