Operation Manual

Unencrypted Data in RAM
It is important to note that VeraCrypt is disk encryption software, which encrypts only disks, not
RAM (memory).
Keep in mind that most programs do not clear the memory area (buffers) in which they store
unencrypted (portions of) files they load from a VeraCrypt volume. This means that after you exit
such a program, unencrypted data it worked with may remain in memory (RAM) until the computer
is turned off (and, according to some researchers, even for some time after the power is turned
off*). Also note that if you open a file stored on a VeraCrypt volume, for example, in a text editor
and then force dismount on the VeraCrypt volume, then the file will remain unencrypted in the area
of memory (RAM) used by (allocated to) the text editor. This also applies to forced auto-dismount.
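Added example, not code from the VeraCrypt manual or project: the C routine below shows what an application would have to do to avoid leaving plaintext behind after it closes a file from a mounted volume, and counts how many plaintext bytes remain when it does not. It assumes a POSIX host for mlock(); the sample plaintext is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>   /* mlock/munlock; assumes a POSIX host */

/* Constructed sample standing in for plaintext read from a mounted volume. */
static const unsigned char SAMPLE_PLAINTEXT[] =
    "constructed sample: contents of a file opened from a mounted volume";
#define SAMPLE_LEN (sizeof SAMPLE_PLAINTEXT - 1)

/* Wipe the optimizer cannot drop: a plain memset() before free() is often
 * removed as a dead store; the volatile pointer forces every store out. */
void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Models a program that loads plaintext into a heap buffer, works on it and
 * releases it; `wipe` selects whether it scrubs the buffer before free().
 * Returns how many non-zero bytes remain right before free(), i.e. how much
 * plaintext this program would leave behind in RAM. */
size_t process_plaintext(const unsigned char *plaintext, size_t n, int wipe)
{
    unsigned char *buf = malloc(n);
    if (!buf) return n;
    /* Best effort: pin the buffer so it cannot be swapped to the paging file
     * while it holds plaintext; failure (e.g. RLIMIT_MEMLOCK) is not fatal. */
    int locked = (mlock(buf, n) == 0);
    memcpy(buf, plaintext, n);
    /* ... the application reads or edits buf here ... */
    if (wipe) secure_zero(buf, n);
    size_t leftover = 0;
    for (size_t i = 0; i < n; i++) leftover += (buf[i] != 0);
    if (locked) munlock(buf, n);
    free(buf);
    return leftover;
}

int main(void)
{
    printf("left without wipe: %zu\n", process_plaintext(SAMPLE_PLAINTEXT, SAMPLE_LEN, 0));
    printf("left with wipe:    %zu\n", process_plaintext(SAMPLE_PLAINTEXT, SAMPLE_LEN, 1));
    return 0;
}
```

Even a scrubbed buffer does not help once the data has been copied elsewhere (page file, crash dump, hibernation file), which is why the manual's advice to power off and wait still applies.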
Inherently, unencrypted master keys have to be stored in RAM too. When a non-system VeraCrypt
volume is dismounted, VeraCrypt erases its master keys (stored in RAM). When the computer is
cleanly restarted (or cleanly shut down), all non-system VeraCrypt volumes are automatically
dismounted and, thus, all master keys stored in RAM are erased by the VeraCrypt driver (except
master keys for system partitions/drives; see below). However, when power supply is abruptly
interrupted, when the computer is reset (not cleanly restarted), or when the system crashes,
VeraCrypt naturally stops running and therefore cannot erase any keys or any other sensitive
data. Furthermore, as Microsoft does not provide any appropriate API for handling hibernation and
shutdown, master keys used for system encryption cannot be reliably (and are not) erased from
RAM when a computer hibernates, is shut down or restarted.
To summarize, VeraCrypt cannot and does not ensure that RAM contains no sensitive data
(e.g. passwords, master keys, or decrypted data). Therefore, after each session in which you
work with a VeraCrypt volume or in which an encrypted operating system is running, you must
shut down (or, if the hibernation file is encrypted, hibernate) the computer and then leave it
powered off for at least several minutes (the longer, the better) before turning it on again. This
is required to clear the RAM (see also the section Hibernation File).
Physical Security
If an attacker can physically access the computer hardware and you use it after the attacker has
physically accessed it, then VeraCrypt may become unable to secure data on the computer. This
is because the attacker may modify the hardware or attach a malicious hardware component to it
(such as a hardware keystroke logger) that will capture the password or encryption key (e.g., when
you mount a VeraCrypt volume) or otherwise compromise the security of the computer. Therefore,

* Allegedly, for 1.5-35 seconds under normal operating temperatures (26-44 °C) and up to several hours when the
memory modules are cooled (when the computer is running) to very low temperatures (e.g. -50 °C). New types of
memory modules allegedly exhibit a much shorter decay time (e.g. 1.5-2.5 seconds) than older types (as of 2008).

Before a key can be erased from RAM, the corresponding VeraCrypt volume must be dismounted. For non-system
volumes, this does not cause any problems. However, as Microsoft currently does not provide any appropriate API for
handling the final phase of the system shutdown process, paging files located on encrypted system volumes that are
dismounted during the system shutdown process may still contain valid swapped-out memory pages (including portions
of Windows system files). This could cause 'blue screen' errors. Therefore, to prevent 'blue screen' errors, VeraCrypt
does not dismount encrypted system volumes and consequently cannot clear the master keys of the system volumes
when the system is shut down or restarted.

In this section (Physical Security), the phrase “data on the computer” means data on internal and external storage
devices/media (including removable devices and network drives) connected to the computer.