Sunday, May 19, 2019

memory - Is the Windows paging file safe in the encrypted partition?



I came across this setting called ClearPageFileAtShutdown. The setting is described here and says:





If you are truly worried about security, boot Windows off a fully-encrypted drive. Then you needn't worry about your sensitive data being unencrypted in the paging file.




Basically, it implies that the paging file, even if it resides in an encrypted partition, is not safe--the drive must be fully encrypted for it to be safe.



Is this true? How would the paging file (or any file in general) "leak" out of the encrypted partition where it resides? My understanding is that data in memory is stored on RAM and if RAM is full, it is stored in the paging file on the encrypted partition that I specified the paging file to be in--I don't see how this data can be exposed (unencrypted).



This topic is particularly important to me because I dualboot Windows and Linux and I encrypt the former with Veracrypt and the latter with dm-crypt on an SSD--the remaining space is unencrypted unallocated data (which as far as I'm concerned, is not a security issue but based on the article above, it is).




Thanks.


Answer



You are correct that if your pagefile is on an encrypted volume or drive, the pagefile will be encrypted along with everything else. Whole-volume and whole-drive encryption works at a low level in the storage stack where the entire "file" concept does not exist (just like to the drive itself), so it would be quite difficult for an exception to be made for certain files (not impossible, but I don't know why anyone would bother).



Your interpretation of the warning is incorrect. It should be read as




Then you needn't worry about your sensitive data being unencrypted in the paging file, as it would be if you didn't use whole-volume or whole-drive encryption.





(italic text added by me, of course)



What they're warning about is that even if you use the "clear pagefile at shutdown" option, if someone manages to power off your machine and make off with your drive, the pagefile contents won't have been wiped (because the normal shutdown procedures were bypassed).


-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

hard drive - Leaving bad sectors in unformatted partition?

Laptop was acting really weird, and copy and seek times were really slow, so I decided to scan the hard drive surface. I have a couple hundr...