[IMPORTANT] VeryCrypt 1.23 RAM key after power failure - power loss - still in the RAM?

[Hulndo]

Hello,

I have an important question.

I used VeraCrypt version 1.23 from september 2018. This version was not possible to use RAM encryption.

I wanted to know, what happenes to the RAM key, when the PC crashes or I get an power failure or power loss? I mean, that the PC is not shutted down cleanly.

I know, that VeraCrypt dont wipe out the key in RAM, but does the RAM hold the key? Or does it get lost after a few seconds to minutes, as we know it from RAMs?

Im happy for every answer!

Regards

[Hulndo]

PUSH.

[crbrac]

The contents of the RAM are likely retained for anywhere from seconds to minutes, but are over written at next boot-up anyway. Either way, the fact that you're running Ver:1.23, means your Keys are held in RAM in an unencrypted state while you use your machine leaving it exposed to this specific attack channel, either online (the odds are remote) or by a threat actor having physical access to your device with enough motive -- which is to say you are no more/less protected irrespective of whether your PC is gracefully shutdown.

If you care about such a possibility your only choice is to upgrade to 1.24 with the feature enabled. Honestly, a non-issue to regular folks unless you happen to work in a conducive environment for such an attack.

[Hulndo]

Thanks for your answer. So it means, that the key gets deleted after the pc crashes or I lose power, right?

So, when someone tries to get the key from my RAM, after the pc is powerless for hours, they have no chance, right?

Yes, I will upgrade it!

[Enigma2Illusion]

Please read:

https://www.veracrypt.fr/en/Unencrypted%20Data%20in%20RAM.html

https://www.veracrypt.fr/en/Memory%20Dump%20Files.html

Also, it is recommended to upgrade to the latest version due to security fixes/enhancements, bug fixes and new features.

https://sourceforge.net/projects/veracrypt/files/

[Hulndo]

I did. It does not answer my question. Im talking about, when my pc loses power and is not shutted down cleanly. Is the key still in the RAM after few hours/days or is it still in the RAM? That is my question.

[Enigma2Illusion]

Are you using system encryption to avoid risk of dump files, swap files, page files, hibernate files from containing your encryption keys?

Also be aware if your computer hibernates or sleeps the encryption key(s) can be written to a file.

https://www.veracrypt.fr/en/Hibernation%20File.html

The RAM is being written to a dump file. So even if the memory chips are decayed long enough to lose their information, the encryption keys are in dump files.

https://www.veracrypt.fr/en/Unencrypted%20Data%20in%20RAM.html

However, when power supply is abruptly interrupted, when the computer is reset (not cleanly restarted), or when the system crashes, VeraCrypt naturally stops running and therefore cannot erase any keys or any other sensitive data. Furthermore, as Microsoft does not provide any appropriate API for handling hibernation and shutdown, master keys used for system encryption cannot be reliably (and are not) erased from RAM when the computer hibernates, is shut down or restarted.

https://www.veracrypt.fr/en/Memory%20Dump%20Files.html

Note: The issue described below does not affect you if the system partition or system drive is encrypted (for more information, see the chapter System Encryption) and if the system is configured to write memory dump files to the system drive (which it typically is, by default).

Most operating systems, including Windows, can be configured to write debugging information and contents of the system memory to so-called memory dump files (also called crash dump files) when an error occurs (system crash, "blue screen," bug check). Therefore, memory dump files may contain sensitive data. VeraCrypt cannot prevent cached passwords, encryption keys, and the contents of sensitive files opened in RAM from being saved unencrypted to memory dump files.

[Hulndo]

My Windows (system) partition is encrypted, yes.

So, when my windows partition is encrypted with a 60 digit password with random number, letter, additional character, the keys are in dump files in my RAM? Even when my computer is without power for hours/days?

Did I understand that correctly?

[Enigma2Illusion]

No, the encryption keys are dumped from the RAM into file(s) on your system drive.

[Hulndo]

So it is not possible, to get my keys from the RAM after hours/days, when my computer lose power, right?

Im not sure, if you understand what Im saying.

My Windows partition is encrypted. Is it possible to get the keys from my RAM, after my computer lose power? No shutted down, if it loss power.

Im using version 1.23. RAM is not encrypted.

I need an detailed answer.

Are the keys in my RAM or in the dump files, when the computer is encrypted? And in both cases, is it possible to get the keys from RAM or dump files, when the computer lost power and the computer is without power for hours/days?

Windows partition is, as I said, encrypted.

[Enigma2Illusion]

I am not a computer forensics expert and too many variables to consider what timeframe data could be retrieved from the memory chips.

https://en.wikipedia.org/wiki/Cold_boot_attack

See section called Data in RAM.

https://en.wikipedia.org/wiki/Data_remanence

[Alexandre Takacs]

As others have mentioned there is no definitive answer to your question.
Few pointers IMHO:

• Who is the adversary ? Some hacker ? LEA ? Nation state ?
• The longer the machine is shutdown the less potential RAM remanence. But it is very hardware specific. If you really want to know you'll have to experiment by yourself.
• A leak of your key is much more probable from other sources (such a swap files, backups, keyboard sniffer or some side channel) than being exfiltrated from RAM. If you have really closed all other avenues I’d say you are pretty safe, knowing there is no such thing as 100% safety.

[Enigma2Illusion]

Are the keys in my RAM or in the dump files, when the computer is encrypted?

The encryption keys are in RAM and can be written to Windows system files like paging, hibernate and/or crash dump files. So it is possible to be in both RAM and disk.

And in both cases, is it possible to get the keys from RAM or dump files, when the computer lost power and the computer is without power for hours/days?

Windows partition is, as I said, encrypted.

See my post above.

[Hulndo]

PUSH.

[crbrac]

Don't you think you're being a bit overly paranoid. If you're hell bent on knowing how long the contents of RAM hang about after an abrupt shutdown, you should consider approaching the RAM manufactures themselves or Forensic experts (as Enigma2illusion said) who deal in such matters. Little to do with Veracrypt or any other Encryption utilities. Software level intervention can only happen within their work capabilities.

Since you Windows partition is encrypted it shouldn't be possible for anyone to gain access to the Keys dumped to the disk files, as stated above. If someone does/can, you'll pleased to know we're all in the same boat.

You should upgrade to 1.24 anyway and rest assured even in the event of an unexpected shutdown, the the Keys are in an encrypted state regardless of how long it stays alive in the RAM. At least that's my understanding. I could be wrong though.

[Enigma2Illusion]

@crbrac

I am curious why you are recommending upgrading to 1.24 instead of the latest version 1.25.9 due to security fixes/enhancements, bug fixes and new features?

[Enigma2Illusion]

The sticky thread How does RAM Encryption work explains in technical detail.

[crbrac]

@enigma2illusion

You're right about upgrading to the latest stable version :) The OP is currently staying put on 1.23. He must have a specific reason for doing so. My suggestion was to at least update to 1.24 because it is the version which addresses his paranoia, even if a little misguided. As for moving to the latest version, that's entirely their call.

[Enigma2Illusion]

@crbrac

You must have missed the OP's statement at the end of his post that he will upgrade VeraCrypt. :)

https://sourceforge.net/p/veracrypt/discussion/general/thread/a517775cbf/#3f02/a051

[crbrac]

Haha, I must have overlooked that. The OP knows the solution to his concerns and yet seems reluctant to upgrade. Anyway he's not being PUSHY anymore.