TrueCrypt - Free Open-Source Disk Encryption - Documentation


	Introduction Beginner's Tutorial System Encryption Supported Systems Hidden Operating System Rescue Disk Plausible Deniability Hidden Volume Protection of Hidden Vol. Security Requirements Hidden Operating System Parallelization Pipelining Hardware Acceleration Encryption Algorithms AES Serpent Twofish Cascades Hash Algorithms RIPEMD-160 SHA-512 Whirlpool Technical Details Notation Encryption Scheme Modes of Operation Header Key Derivation Random Number Gen. Keyfiles Volume Format Spec. Standards Compliance Source Code TrueCrypt Volume Creating New Volumes Favorite Volumes System Favorite Volumes Main Program Window Program Menu Mounting Volumes Supported Systems Portable Mode Keyfiles Tokens & Smart Cards Language Packs Hot Keys Security Model Security Requirements Data Leaks Paging File Hibernation File Memory Dump Files Unencrypted Data in RAM Physical Security Malware Multi-User Environment Authenticity and Integrity New Passwords & Keyfiles Password/Keyfile Change Trim Operation Wear-Leveling Reallocated Sectors Defragmenting Journaling File Systems Volume Clones Additional Requirements Command Line Usage Backing Up Securely Miscellaneous Use Without Admin Rights Sharing over Network Background Task Removable Medium Vol. TrueCrypt System Files Removing Encryption Uninstalling TrueCrypt Digital Signatures Troubleshooting Incompatibilities Issues and Limitations License Future Development Acknowledgements Version History References

Security Requirements and Precautions > Unencrypted Data in RAM

Direct Link

Disclaimers

Please consider making a donation.

Donate Now >>

Unencrypted Data in RAM

It is important to note that TrueCrypt is disk encryption software, which encrypts only disks, not RAM (memory).

Keep in mind that most programs do not clear the memory area (buffers) in which they store unencrypted (portions of) files they load from a TrueCrypt volume. This means that after you exit such a program, unencrypted data it worked with may remain in memory (RAM) until the computer is turned off (and, according to some researchers, even for some time after the power is turned off*). Also note that if you open a file stored on a TrueCrypt volume, for example, in a text editor and then force dismount on the TrueCrypt volume, then the file will remain unencrypted in the area of memory (RAM) used by (allocated to) the text editor. This applies to forced auto-dismount too.

Inherently, unencrypted master keys have to be stored in RAM too. When a non-system TrueCrypt volume is dismounted, TrueCrypt erases its master keys (stored in RAM). When the computer is cleanly restarted (or cleanly shut down), all non-system TrueCrypt volumes are automatically dismounted and, thus, all master keys stored in RAM are erased by the TrueCrypt driver (except master keys for system partitions/drives — see below). However, when power supply is abruptly interrupted, when the computer is reset (not cleanly restarted), or when the system crashes, TrueCrypt naturally stops running and therefore cannot erase any keys or any other sensitive data. Furthermore, as Microsoft does not provide any appropriate API for handling hibernation and shutdown, master keys used for system encryption cannot be reliably (and are not) erased from RAM when the computer hibernates, is shut down or restarted.**

To summarize, TrueCrypt cannot and does not ensure that RAM contains no sensitive data (e.g. passwords, master keys, or decrypted data). Therefore, after each session in which you work with a TrueCrypt volume or in which an encrypted operating system is running, you must shut down (or, if the hibernation file is encrypted, hibernate) the computer and then leave it powered off for at least several minutes (the longer, the better) before turning it on again. This is required to clear the RAM.

* Allegedly, for 1.5-35 seconds under normal operating temperatures (26-44 °C) and up to several hours when the memory modules are cooled (when the computer is running) to very low temperatures (e.g. -50 °C). New types of memory modules allegedly exhibit a much shorter decay time (e.g. 1.5-2.5 seconds) than older types (as of 2008).
** Before a key can be erased from RAM, the corresponding TrueCrypt volume must be dismounted. For non-system volumes, this does not cause any problems. However, as Microsoft currently does not provide any appropriate API for handling the final phase of the system shutdown process, paging files located on encrypted system volumes that are dismounted during the system shutdown process may still contain valid swapped-out memory pages (including portions of Windows system files). This could cause 'blue screen' errors. Therefore, to prevent 'blue screen' errors, TrueCrypt does not dismount encrypted system volumes and consequently cannot clear the master keys of the system volumes when the system is shut down or restarted.

Next Section >>

Search • Legal Notices

www.truecrypt.org


			B r i e f S i t e m a p Information Homepage Frequently Asked Questions Planned Features News Downloads Latest Stable Release (Windows) Latest Stable Release (OS X) Latest Stable Release (Linux) Past Versions Public Key Additional Downloads Communication & Publicity Contact Page Forums News Public Key Miscellaneous Screenshots Search Statistics Legal Notices Links Complete Sitemap