What's the state of FDE with software such as TrueCrypt, VeraCrypt for SSDs - my main concern being that SSDs leave some free space to prolong the life of the drive - would it store unencrypted data there, or is there some new way in which SSDs or the encryption software work that would guarantee there is no unencrypted data on the drive when using FDE?
- Make another question for your second question. – Nate Aug 22 '16 at 15:19
- BTW, non-SSD-aware FDE should not be used on SSDs as it will reduce the life-span of the disk. – billc.cn Aug 22 '16 at 15:39
2 Answers
Whether it is an HDD or SSD, FDE will not write unencrypted data to the drive.
However, on an SSD there is no guarantee that data that existed before the FDE install is securely erased (unless you are destroying the drive).
- OK. Just to make sure - does the SSD keep some free space for prolonging its lifespan (or whatever reason)? If so it will still write encrypted bits there, because it copies bits directly from the SSD (which are encrypted) not from the RAM (which contains unencrypted data). I remember that free space was a concern for possible leakage some years ago so just asking to make sure. – kat Aug 22 '16 at 16:37
- Yep, the SSD might keep copies of what is written on itself. And it will not copy from RAM. – Nate Aug 22 '16 at 17:35
One security problem inherent to your question is regarding temporary disk space. If the application is writing intermediate files to the /tmp folder, and that folder is not on an encrypted drive, you would leak data regardless of where the final output is written. Similarly, if you have a swap file located on an unencrypted disk, pages of cleartext memory could be written to recoverable areas of a hard disk or flash drive.
The next question is about the FDE technology. Hardware-based FDEs are vulnerable to attackers with physical access (evil maids, cold boot, etc.). This paper describes several types of attacks. Some attacks are SSD hardware specific (replacing the drive board), while others are more generic (DMA requests).
Software-based FDEs (VeraCrypt, etc.) are of course vulnerable to various hacking attacks (malware, keystroke loggers, ransomware, etc.). When you're logged on and using the drive, if the malware is present at the same time, the bad guys win.
They're all better than nothing, but don't rely on any as the one true perfect solution, as no such magical unicorn exists.
- Thanks! Does the first part of your answer apply to FDE - I mean if the whole drive is encrypted there shouldn't be anywhere to leak unencrypted data, considering all writes occur on that drive? As for software-based FDEs - does that imply that if the malware is OS-based, the bad guys can get the keys from the RAM cache and use it to decrypt the drive (because otherwise how would OS-based malware get access to the password I enter during boot)? – kat Aug 22 '16 at 16:33
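As an added illustration of the /tmp and swap point in the second answer (example code written here, not from the original post or its author): a Python check that parses `lsblk -J` output and reports which scratch locations sit on a device with no dm-crypt layer beneath it. It assumes a Linux host where LUKS/dm-crypt mappings show up in lsblk with type `crypt`; the function names and the sample block-device tree are constructed for the example.

```python
import json
import subprocess

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output (not captured from a real host).
# The root filesystem sits on a dm-crypt mapping, but /tmp and swap are plain partitions.
SAMPLE_LSBLK = json.dumps({"blockdevices": [
    {"name": "nvme0n1", "type": "disk", "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot"},
        {"name": "nvme0n1p2", "type": "part", "mountpoint": None, "children": [
            {"name": "cryptroot", "type": "crypt", "mountpoint": "/"}]},
        {"name": "nvme0n1p3", "type": "part", "mountpoint": "/tmp"},
        {"name": "nvme0n1p4", "type": "part", "mountpoint": "[SWAP]"}]}]})

def mount_encryption(lsblk_json):
    """Map every mountpoint to True/False: is there a dm-crypt layer somewhere beneath it?"""
    result = {}
    def walk(node, under_crypt):
        encrypted = under_crypt or node.get("type") == "crypt"
        if node.get("mountpoint"):
            result[node["mountpoint"]] = encrypted
        for child in node.get("children", []):
            walk(child, encrypted)
    for device in json.loads(lsblk_json)["blockdevices"]:
        walk(device, False)
    return result

def backing_mount(path, mounts):
    """Longest mountpoint that is a prefix of path (a plain directory inherits its parent mount)."""
    candidates = [m for m in mounts if not m.startswith("[")
                  and (path == m or path.startswith(m.rstrip("/") + "/"))]
    return max(candidates, key=len) if candidates else None

def plaintext_leak_paths(lsblk_json, paths=("/tmp", "/var/tmp", "[SWAP]")):
    """Scratch locations (temp dirs, active swap partition) that are NOT on an encrypted device."""
    enc = mount_encryption(lsblk_json)
    leaks = []
    for p in paths:
        if p.startswith("[") and p not in enc:
            continue  # no active swap partition at all, nothing to leak to
        mp = p if p in enc else backing_mount(p, enc)
        if mp is None or not enc[mp]:
            leaks.append(p)
    return leaks

if __name__ == "__main__":
    try:  # on a Linux host inspect the real block-device tree; elsewhere fall back to the sample
        out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        out = SAMPLE_LSBLK
    print("unencrypted scratch locations:", plaintext_leak_paths(out))
```

Swap files (as opposed to swap partitions) do not appear in lsblk, so they must be checked against the filesystem they live on, e.g. via /proc/swaps.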