I came across this setting called ClearPageFileAtShutdown. The setting is described here and says:

> If you are truly worried about security, boot Windows off a fully-encrypted drive. Then you needn't worry about your sensitive data being unencrypted in the paging file.

Basically, it implies that the paging file, even if it resides in an encrypted partition, is not safe--the drive must be fully encrypted for it to be safe. Why?

My understanding is that data is either stored in memory (which will be gone if power is lost, regardless of whether a proper shutdown was initiated) or resides in the paging file of an encrypted Windows partition (which is obviously decrypted when the system is in use but is encrypted otherwise?).

This topic is particularly important to me because I dual-boot Windows and Linux and I encrypt the former with VeraCrypt and the latter with dm-crypt on an SSD--the remaining space is unencrypted, unallocated space (which, as far as I'm concerned, is not a security issue, but based on the article above, it is).

In addition,

> Even if you use encryption to protect sensitive data on the hard disk drive, the encryption key (and decrypted data you are accessing) would be stored in the computer's memory. Windows will automatically map out some of these data to the paging file, which remains unencrypted even when Windows shuts down.

Again, how is the paging file unencrypted when Windows is shut down if it resides in the encrypted Windows partition by default? Why is it necessary that the entire drive is fully encrypted and not just simply the Windows partition?

Thanks.

Iteration
    You can instruct Windows to encrypt the paging file: `fsutil behavior set EncryptPagingFile 1` – Ian Boyd Apr 19 '18 at 15:04
  • Note: this was crossposted at [SuperUser](https://superuser.com/questions/1030711/is-the-windows-paging-file-safe-in-the-encrypted-partition) Stack Exchange site. – Suma Oct 04 '19 at 06:58

1 Answer

Microsoft (among many others) uses somewhat confusing terminology at times. In this case, "drive" is used in the sense of "drive letter". This is distinct from a "disk", which is a physical storage device. A drive's data may be stored on a physical partition, but the storage location for a "drive" is most properly called a "volume". It might be one partition, or multiple partitions (spanned, or striped, or RAID5, or whatever), or a CD-ROM, or an image file mounted from some other storage device... you get the idea. "Drive" does not refer to the entire disk; even on things like SD cards (where there's usually only one volume per physical "disk"), the disk metadata is outside of the logical volume that gets mounted and assigned a drive letter.

To directly answer the question, if your paging file is stored on an encrypted partition (which is typically your C: drive, and encrypted via something like BitLocker or TrueCrypt/CipherShed/whatever), you're fine. Well, as fine as the encryption on the partition is, but the important point is that sufficiently good whole-volume encryption is fine; you don't actually have to encrypt literally the whole disk.

The distinction Microsoft is making is between full-volume encryption (stuff like BitLocker) and more granular encryption (such as file encryption via Encrypting File System, encrypted ZIP archives, data encrypted with PGP, and so on). BitLocker is usually referred to (by MS) with either the abbreviation FVE (for "Full Volume Encryption", as in fveapi.dll or fveprompt.exe), or the abbreviation BDE (for "BitLocker Drive Encryption", as in manage-bde.exe).

CBHacking
  • Would you say "drive", "partition", and "volume" are all synonyms if "disk" refers to the entire physical drive? Also, based on the information, I can conclude that *not enabling* `ClearPageFileAtShutdown` is as safe as enabling it if I can rely on the system partition encryption to ensure pagefiles are encrypted, right? I am asking this because I've read that I can save significant writes and decrease boot time by not enabling this setting. I don't see a scenario where those who encrypt their system partition would ever want to use this setting. Thank you once again. – Iteration Jan 25 '16 at 20:46
  • Not exactly synonyms, but they *can* refer to the same thing. A *partition* is a physical, contiguous range of storage. A *volume* is a *logical* (that is, what the OS treats as "real", unrelated to physical reality) contiguous range of storage; it may span multiple physical partitions or come from an image file stored on another drive. A *drive* is just a mounted *volume* with a root name identified by a letter. If a volume consists of exactly one partition and is mounted, then the drive, the volume, and the partition all refer to the same data, but they aren't quite the same thing. – CBHacking Jan 25 '16 at 20:55
  • 1
    However, your conclusion is correct. `ClearPageFileAtShutdown` is not needed if your pagefile is on an encrypted partition, such as a system drive with BitLocker enabled. Technically, enabling it anyway could provide some defense in depth. If you have, say, an encrypted ZIP archive on your encrypted drive, and the BitLocker encryption is cracked or bypassed, the ZIP encryption could still protect the archive's data... but if the pagefile holds the key or plaintext data from the archive, the attacker could access that if the pagefile wasn't wiped. Pretty contrived scenario, though! – CBHacking Jan 25 '16 at 20:59
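
The practical check that follows from this answer is: find out which volume the pagefile actually lives on, whether that volume is protected by full-volume encryption, and what the two pagefile knobs mentioned in the thread (`ClearPageFileAtShutdown` and `EncryptPagingFile`) are set to. The script below is an added example, not code from the question or the answer. It assumes an elevated PowerShell session on a Windows 10/11 machine with the BitLocker module (`Get-BitLockerVolume`) available; it only knows about BitLocker, so a VeraCrypt system-encrypted volume like the asker's will show up as unprotected even though it is encrypted.

```powershell
# Added audit script (not part of the original thread). Reports where each active
# pagefile lives, whether that volume has BitLocker protection turned on, and the
# state of ClearPageFileAtShutdown and EncryptPagingFile. Run elevated.
# Assumption: BitLocker cmdlets are present; VeraCrypt/dm-crypt are not detected.

$mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

# 1. ClearPageFileAtShutdown is a REG_DWORD under Memory Management; absent means 0.
$clear = (Get-ItemProperty -Path $mmKey -Name ClearPageFileAtShutdown `
            -ErrorAction SilentlyContinue).ClearPageFileAtShutdown
if ($null -eq $clear) { $clear = 0 }

# 2. EncryptPagingFile (NTFS/EFS encryption of the pagefile), read back through the
#    same fsutil knob Ian Boyd's comment sets. Output looks like "EncryptPagingFile = 1".
$fsutilOut = & fsutil behavior query EncryptPagingFile 2>&1
$encryptPf = if ("$fsutilOut" -match '=\s*1') { 1 } else { 0 }

# 3. Every pagefile currently in use, and the BitLocker state of the volume it is on.
$results = foreach ($pf in Get-CimInstance -ClassName Win32_PageFileUsage) {
    # "C:\pagefile.sys" -> "C:\" -> "C:"  (the mount point BitLocker cmdlets expect)
    $mount = [System.IO.Path]::GetPathRoot($pf.Name).TrimEnd('\')
    $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PageFile        = $pf.Name
        Volume          = $mount
        BitLocker       = if ($bl) { "$($bl.ProtectionStatus) ($($bl.VolumeStatus))" }
                          else      { 'unknown / not a BitLocker volume' }
        VolumeEncrypted = [bool]($bl -and $bl.ProtectionStatus -eq 'On')
    }
}

$results | Format-Table -AutoSize
"ClearPageFileAtShutdown = $clear"
"EncryptPagingFile       = $encryptPf"

# Verdict, following the answer: a pagefile on a volume whose full-volume encryption is
# active is already covered; the per-file knobs only matter when it is not.
foreach ($r in $results) {
    if ($r.VolumeEncrypted) {
        "OK:      $($r.PageFile) is on a BitLocker-protected volume; ClearPageFileAtShutdown is optional defense in depth."
    } elseif ($encryptPf -eq 1 -or $clear -eq 1) {
        "PARTIAL: $($r.PageFile) is on an unprotected volume, but EncryptPagingFile/ClearPageFileAtShutdown is set (effective after reboot)."
    } else {
        "WARN:    $($r.PageFile) is on an unprotected volume and nothing encrypts or clears it."
    }
}
```

If the verdict is WARN and you cannot move the pagefile onto a BitLocker volume, either `fsutil behavior set EncryptPagingFile 1` (the pagefile must be on NTFS) or `Set-ItemProperty -Path $mmKey -Name ClearPageFileAtShutdown -Value 1 -Type DWord` will help; both take effect on the next boot, and the latter makes shutdown take noticeably longer on a large pagefile, which is the trade-off the comments above discuss.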