
After reading an article from a forensics software company, I'm worried about attacks that may be able to recover the OTFE (on-the-fly encryption) key of VeraCrypt from RAM.

Threat model:

  • On Windows, a signed spyware running elevated is able to access RAM or page file.
  • It tries to locate the OTFE key during or after a VeraCrypt volume is mounted.

Question:

  • Is there any way to prevent the key from being accessed while it's in RAM?
  • Does the key remain in RAM after the volume is dismounted?

Thanks in advance.

7E10FC9A

2 Answers

  1. Maybe. The latest VeraCrypt version includes RAM encryption. It's not bulletproof, but it's at least way better than not having the RAM encrypted. Source

  2. No. If the computer is turned off or the volume is dismounted correctly, the key should be cleared from RAM. It's a sudden power-off you should worry about. Or an attacker grabbing your computer while it's still powered on.
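The second point of the answer above is about key lifecycle: the master key lives in RAM only while the volume is mounted and is wiped on a clean dismount. The following is an added illustration of that discipline in C; it is not VeraCrypt's code and the key, the `volume_ctx` type and the function names are constructed for the example. It shows two details a plain `memset` before `free()` does not guarantee: the wipe cannot be optimized away as a dead store (done here through a `volatile` function pointer), and the page holding the key is pinned with POSIX `mlock()` so it is not written to swap, which is the page-file path in the question's threat model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <sys/mman.h>   /* mlock/munlock, POSIX; Windows would use VirtualLock */

#define KEY_LEN 32

/* Calling memset through a volatile function pointer: the compiler cannot
 * prove the call has no side effects, so the zeroing of a buffer that is
 * about to go out of scope is not eliminated as a dead store. */
static void *(*volatile secure_memset)(void *, int, size_t) = memset;

typedef struct {
    uint8_t key[KEY_LEN];   /* master key, present only while mounted */
    int mounted;
    int locked;             /* 1 if the key page is pinned in RAM */
} volume_ctx;

/* Constructed sample key for the demo; not a real VeraCrypt volume key. */
static const uint8_t SAMPLE_KEY[KEY_LEN] = {
    0x10, 0x21, 0x32, 0x43, 0x54, 0x65, 0x76, 0x87,
    0x98, 0xa9, 0xba, 0xcb, 0xdc, 0xed, 0xfe, 0x0f,
    0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
    0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00
};

/* "Mount": pin the context so it cannot be paged out, then load the key.
 * mlock may fail under a low RLIMIT_MEMLOCK; the result is recorded, not fatal. */
void volume_mount(volume_ctx *ctx, const uint8_t *key) {
    ctx->locked = (mlock(ctx, sizeof *ctx) == 0);
    memcpy(ctx->key, key, KEY_LEN);
    ctx->mounted = 1;
}

/* "Dismount": wipe the key before the memory is released or unpinned. */
void volume_dismount(volume_ctx *ctx) {
    secure_memset(ctx->key, 0, KEY_LEN);
    ctx->mounted = 0;
    if (ctx->locked) {
        munlock(ctx, sizeof *ctx);
        ctx->locked = 0;
    }
}

/* Returns 1 if every key byte is zero. OR-folding the bytes avoids an
 * early exit, so the check itself does not leak how much key remains. */
int key_is_cleared(const volume_ctx *ctx) {
    uint8_t acc = 0;
    for (size_t i = 0; i < KEY_LEN; i++) acc |= ctx->key[i];
    return acc == 0;
}

/* Walks the full lifecycle. Returns 1 if the key was present while mounted
 * and fully cleared after dismount, 0 otherwise. */
int demo_key_lifecycle(void) {
    volume_ctx ctx;
    memset(&ctx, 0, sizeof ctx);

    volume_mount(&ctx, SAMPLE_KEY);
    int present_while_mounted = !key_is_cleared(&ctx) && ctx.mounted;

    volume_dismount(&ctx);
    int cleared_after_dismount = key_is_cleared(&ctx) && !ctx.mounted;

    return present_while_mounted && cleared_after_dismount;
}

int main(void) {
    printf("key lifecycle ok: %s\n", demo_key_lifecycle() ? "yes" : "no");
    return 0;
}
```

Neither measure helps against the other two cases the answer names: a sudden power-off leaves the wipe unexecuted, and a live capture reads the key while it is legitimately present, which is why keeping the machine powered on unattended matters more than the cleanup code.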


You didn't think your threat model through. If spyware is elevated enough to read arbitrary kernel memory, then it can just steal your personal data directly, since it's decrypted already if the key is in RAM, without needing to bother stealing the key or even doing anything differently than if you weren't using encryption. You should instead worry about how to make sure spyware doesn't end up running in an elevated context.