Operation Manual
91
Security Requirements and Precautions
The sections in this chapter specify security requirements for using VeraCrypt and give information
about things that adversely affect or limit the ability of VeraCrypt to secure data and to provide
plausible deniability. Disclaimer: This chapter is not guaranteed to contain a list of all security
issues and attacks that might adversely affect or limit the ability of VeraCrypt to secure data and to
provide plausible deniability.
Data Leaks
When a VeraCrypt volume is mounted, the operating system and third-party applications may write
to unencrypted volumes (typically, to the unencrypted system volume) unencrypted information
about the data stored in the VeraCrypt volume (e.g. filenames and locations of recently accessed
files, databases created by file indexing tools, etc.), or the data itself in an unencrypted form
(temporary files, etc.), or unencrypted information about the filesystem residing in the VeraCrypt
volume. Note that Windows automatically records large amounts of potentially sensitive data, such
as the names and locations of files you open, applications you run, etc.
Also, starting from Windows 8, every time a VeraCrypt volume that is formatted using NTFS is
mounted, an Event 98 is written for the system Events Log and it will contain the device name
(\\device\VeraCryptVolumeXX) of the volume. This event log "feature" was introduced in
Windows 8 as part of newly introduced NTFS health checks as explained here. To avoid this
leak, the VeraCrypt volume must be mounted as a removable medium. Big thanks to Liran
Elharar for discovering this leak and its workaround.
In order to prevent data leaks, you must follow these steps (alternative steps may exist):
If you do not need plausible deniability:
o
Encrypt the system partition/drive (for information on how to do so, see the chapter
System Encryption) and ensure that only encrypted or read-only filesystems are
mounted during each session in which you work with sensitive data.
or,
o
If you cannot do the above, download or create a "live CD" version of your operating
system (i.e. a "live" system entirely stored on and booted from a CD/DVD) that
ensures that any data written to the system volume is written to a RAM disk. When
you need to work with sensitive data, boot such a live CD/DVD and ensure that only
encrypted and/or read-only filesystems are mounted during the session.
If you need plausible deniability:
o
Create a hidden operating system. VeraCrypt will provide automatic data leak
protection. For more information, see the section Hidden Operating System.
or,
o If you cannot do the above, download or create a "live CD" version of your operating
system (i.e. a "live" system entirely stored on and booted from a CD/DVD) that
ensures that any data written to the system volume is written to a RAM disk. When
IMPORTANT: If you want to use VeraCrypt, you must follow the security requirements and
security precautions listed in this chapter.