Veracrypt or Windows 10 remembers my password
Open source disk encryption with strong security for the Paranoid
Brought to you by:
idrassi
Menu
▾
▴
Hi all,
for some reasons I am not required to enter my password anymore when mounting a volume and I cannot figure out where the password has been stored.
I have recently migrated to windows 10 + Veracrypt from Windows 7 + truecrypt.
I am using the following script in startup to mount my container after login "C:\Program Files\VeraCrypt\VeraCrypt.exe" /q /tc /v e:\container.tc /l f
This works as expected with however, the small catch that after the first mount, followed by a reboot, shutdown, poweroff, etc. the volume is already mounted when I login and the script throws an error the volume is already mounted.
This is not my desired behaviour as I want to be the only one who knows the password and it should not be stored anywhere.
Am I missing something? where is the password stored and how can I erase it?
Many thanks
Last edit: peter pan 2016-08-19
I had this too. From looking into it, it appears Windows 10 doesn't do a shutdown in the same sense as Windows 7 did. It does a kind of hybrid shutdown/hybernation to allow super-quick startup. As such, the user isn't really logged off, so VeraCrypt doesn't get alerted to the user's session ending, so doesn't dismount the drive. When the app starts again on startup, the GUI starts again but the background driver still has the device mounted, so the GUI tries to mount it again and finds it already mounted, so throws the error.
At least that's what I've determined from testing. You'll find that after a full reboot (e.g. after installing windows updates) will cause VeraCrypt to prompt for the password as expected.
I've found no way around this, and it does seem a slight security issue.
Thanks Nick,
right after posting I remembered that I read something about Windows 10 actually not performing a real reboot and I investigated further - if you actually disable hybrid boot (fastboot) this will fix the issue.
hybrid boot apparently encapsulated the state of the drivers and the kernel and writes this to disk, since the open applications are not maintained there is no apparent benefit for me so I disabled it.
Similarly, on Windows 7 I used to disable suspend to disk in order to avoid any key material being written to persistent storage.
You need to decide for yourself if you think suspend to disk/hybrid boot is a desirable function, especially on a laptop. I recommend turning it off however.
Cheers
Last edit: peter pan 2016-08-19
Good find on that info, Peter. Makes sense. My laptop boots into Windows 10 quickly enough from a full reboot, so I may just disable fastboot as you suggest.
I have previously created a feature request to have VeraCrypt disable and/or warn the user when Fast Startup is enabled that you can vote-up at the link below.
https://veracrypt.codeplex.com/workitem/475
This limitation has been know for long time and it is documented (look the bottom of the page): https://veracrypt.codeplex.com/wikipage?title=Issues%20and%20Limitations
As Enigma2Illusion noted, there is already a request to add detection for Fast Boot and propose to disable it directly from VeraCrypt. I did not like implementing such approach in VeraCrypt but it looks like it is becoming more widespread and an actual security risk.
Thus, I will implement this feature in the next version.
I've resolved this issue by adding a task in Task Scheduler (taskschd.msc).
The task must be an umount command ("C:\Program Files\VeraCrypt\VeraCrypt.exe" /d /f /quit ).
And the trigger a registry event:
Registry: System
Source: User32
Event id: 1074
Using this configuration your veracrypt volumes are unmounted even with Fast Startup enabled.
PD: I've tried this solution only with file containers. I don't know if it works with system drives or partitions.