
Data left in pagefile after using files in a loaded crypt container, pre- & post-commands

VanguardLH
2015-11-08
  • VanguardLH

    VanguardLH - 2015-11-08

    See https://www.truecrypt71a.com/documentation/security-requirements-and-precautions/data-leaks/paging-file/. I've known about this when using TrueCrypt. I don't know of a utility that will wipe unused/unallocated pages in the pagefile (similar to securely wiping the free space in the file system in a partition). If there was one then I'd use it instead of relying on Windows clearing the pagefile on shutdown. My computer normally runs 24x7 so it can be days or weeks before Windows gets shut down to then clear the pagefile. So the data left in the pagefile could be there days or weeks after I unloaded the crypt container.

    Say I load a crypt container which then gets accessed via a drive letter. I open a big document in a word processor. The program has to buffer some of the document and may put it in the pagefile. Or logins might get pushed into the pagefile by a web browser. Later I unload the container and the document there is safe but the bits still left behind in the pagefile are vulnerable to forensic probing.

    What I'm thinking of having in VeraCrypt would be similar to pre- and post-command features in some backup programs. The commands can be executables or batch files or even scripts (e.g., PowerShell or Python). The pre-command is run before the backup job begins and the post-command is run after the backup job completes. If VeraCrypt had a post-command function after it unloaded a container then I could specify it run a program that would clear out the currently unallocated pages in the pagefile (if I ever found one).

    Instead of pushing code inside of VeraCrypt to perform pre- or post-commands when loading and unloading a container, it could use some external program to perform whatever cleanup, organizational, or other functions the user wanted to do before loading and after unloading a container. That would provide an automatic method of executing commands without having to add code inside of VeraCrypt.

    Once there were pre-load and post-load commands, and if I found a pagefile cleanup utility, I could add it to VeraCrypt to make sure tidbits of docs inside the container were not lingering in the pagefile, or in a temp folder.

     
  • VanguardLH

    VanguardLH - 2015-11-08

    I know that I could use the CLI (command-line interface) to VeraCrypt to use it inside a batch file or script to do the pre-command, run VeraCrypt to load the container, and then run a post-command to do the cleanup. However, I suspect the VeraCrypt commands would be asynchronous. As soon as the VeraCrypt command to load a container was done, and while the container was still loaded, the next command would run (which would be to unload the container) and next run the cleanup utility. So the batch file would run a command, load a container, unload the container, and do cleanup before I even got to use the docs inside the container.
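
An added example, not part of the posts above and not VeraCrypt code: a Python wrapper for the pre-command / mount / use / dismount / post-command sequence discussed in this thread, which polls the drive letter instead of relying on when VeraCrypt.exe returns and blocks until the user says they are finished. The name `run_session`, the install path, the container path, the drive letter and the placeholder pre/post commands are assumptions; no pagefile cleanup utility is implied to exist.

```python
import subprocess
import time
from pathlib import Path

VERACRYPT = r"C:\Program Files\VeraCrypt\VeraCrypt.exe"  # assumed install path


def run_session(container, letter, pre_cmd, post_cmd, wait_for_user,
                run=subprocess.run, mounted=None, timeout=60):
    """Pre-command, mount, block until the user is done, dismount, post-command.

    Returns the stages that completed, in order. `run` and `mounted` can be
    replaced for testing; by default the drive root is probed on disk.
    """
    if mounted is None:
        mounted = lambda: Path(f"{letter}:\\").exists()
    done = []
    run(pre_cmd, check=True)            # a failing pre-command aborts before mounting
    done.append("pre")
    # /quit: perform the requested action and exit without the main window.
    run([VERACRYPT, "/volume", container, "/letter", letter, "/quit"], check=True)
    deadline = time.monotonic() + timeout
    while not mounted():                # wait for the drive, not just process exit
        if time.monotonic() > deadline:
            raise TimeoutError(f"{letter}: did not appear")
        time.sleep(0.5)
    done.append("mount")
    try:
        wait_for_user()                 # the container stays mounted while this blocks
        done.append("use")
    finally:
        run([VERACRYPT, "/dismount", letter, "/quit", "/silent"], check=True)
        if mounted():                   # e.g. open files kept the volume in use
            raise RuntimeError(f"{letter}: still mounted, cleanup not run")
        done.append("dismount")
        run(post_cmd, check=True)       # cleanup only after a confirmed dismount
        done.append("post")
    return done


if __name__ == "__main__":
    # Constructed sample values; replace with a real container and real commands.
    run_session(r"C:\vault\docs.hc", "X",
                pre_cmd=["cmd", "/c", "echo pre-command placeholder"],
                post_cmd=["cmd", "/c", "echo cleanup placeholder"],
                wait_for_user=lambda: input("Press Enter when finished..."))
```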

     
