1

I came across this setting called ClearPageFileAtShutdown. The setting is described here and says:

If you are truly worried about security, boot Windows off a fully-encrypted drive. Then you needn't worry about your sensitive data being unencrypted in the paging file.

Basically, it implies that the paging file, even if it resides in an encrypted partition, is not safe--the drive must be fully encrypted for it to be safe.

Is this true? How would the paging file (or any file in general) "leak" out of the encrypted partition where it resides? My understanding is that data in memory is stored on RAM and if RAM is full, it is stored in the paging file on the encrypted partition that I specified the paging file to be in--I don't see how this data can be exposed (unencrypted).

This topic is particularly important to me because I dualboot Windows and Linux and I encrypt the former with Veracrypt and the latter with dm-crypt on an SSD--the remaining space is unencrypted unallocated data (which as far as I'm concerned, is not a security issue but based on the article above, it is).

Thanks.

Iteration
  • 23
  • 5
  • It appears to say that a page file on an encrypted partition *is* safe, according to your own quote... at least as safe as the encrypted partition. As long as you're not keeping the passphrase on disk and auto-mounting it at boot – Xen2050 Jan 25 '16 at 07:03
  • Note: this was crossposted at [Information Security](https://security.stackexchange.com/questions/111684/is-the-windows-paging-file-safe-in-the-encrypted-partition) Stack Exchange site. – Suma Oct 04 '19 at 06:57

1 Answers1

2

You are correct that if your pagefile is on an encrypted volume or drive, the pagefile will be encrypted along with everything else. Whole-volume and whole-drive encryption works at a low level in the storage stack where the entire "file" concept does not exist (just like to the drive itself), so it would be quite difficult for an exception to be made for certain files (not impossible, but I don't know why anyone would bother).

Your interpretation of the warning is incorrect. It should be read as

Then you needn't worry about your sensitive data being unencrypted in the paging file, as it would be if you didn't use whole-volume or whole-drive encryption.

(italic text added by me, of course)

What they're warning about is that even if you use the "clear pagefile at shutdown" option, if someone manages to power off your machine and make off with your drive, the pagefile contents won't have been wiped (because the normal shutdown procedures were bypassed).

Jamie Hanrahan
  • 23,140
  • 6
  • 63
  • 92
  • Your italic text is what I don't get--data is either in memory or in paging file. If computer is shut off, things in memory are obviously gone but things in the paging file are encrypted if it resides in an encrypted partition (which is the scenario I've described). – Iteration Jan 25 '16 at 18:20
  • @Iteration Yes, that is correct. What don't you get? (btw, it is possible for data to be _both_ in the pagefile and in RAM (on the standby page list), but this doesn't affect the issue here.) – Jamie Hanrahan Jan 25 '16 at 18:35
  • The explanation I got [here](http://security.stackexchange.com/questions/111684/is-the-windows-paging-file-safe-in-the-encrypted-partition) makes sense to me. Is that explanation what you and the article meant and I am simply getting confused by all the terminology? Do you understand where I got confused? Basically the article said "fully-encrypted drive" and I took that to mean that the entire SSD is encrypted. Essentially if I just encrypt the Windows partition I am fine, even if I don't enable ClearPageFileAtShutdown because the data in the pagefile will be encrypted.Sorry for my confusion. – Iteration Jan 25 '16 at 20:35
  • @Iteration Yes, you are correct. – Jamie Hanrahan Jan 25 '16 at 21:20