Is the Windows paging file safe in the encrypted partition?

1

I came across this setting called ClearPageFileAtShutdown. The setting is described here and says:

If you are truly worried about security, boot Windows off a fully-encrypted drive. Then you needn't worry about your sensitive data being unencrypted in the paging file.

Basically, it implies that the paging file, even if it resides in an encrypted partition, is not safe--the drive must be fully encrypted for it to be safe.

Is this true? How would the paging file (or any file in general) "leak" out of the encrypted partition where it resides? My understanding is that data in memory is stored on RAM and if RAM is full, it is stored in the paging file on the encrypted partition that I specified the paging file to be in--I don't see how this data can be exposed (unencrypted).

This topic is particularly important to me because I dualboot Windows and Linux and I encrypt the former with Veracrypt and the latter with dm-crypt on an SSD--the remaining space is unencrypted unallocated data (which as far as I'm concerned, is not a security issue but based on the article above, it is).

Thanks.

Iteration

Posted 2016-01-24T16:58:41.087

Reputation: 23

It appears to say that a page file on an encrypted partition is safe, according to your own quote... at least as safe as the encrypted partition. As long as you're not keeping the passphrase on disk and auto-mounting it at boot – Xen2050 – 2016-01-25T07:03:45.820

Note: this was crossposted at Information Security Stack Exchange site.

– Suma – 2019-10-04T06:57:24.010

Answers

2

You are correct that if your pagefile is on an encrypted volume or drive, the pagefile will be encrypted along with everything else. Whole-volume and whole-drive encryption works at a low level in the storage stack where the entire "file" concept does not exist (just like to the drive itself), so it would be quite difficult for an exception to be made for certain files (not impossible, but I don't know why anyone would bother).

Your interpretation of the warning is incorrect. It should be read as

Then you needn't worry about your sensitive data being unencrypted in the paging file, as it would be if you didn't use whole-volume or whole-drive encryption.

(italic text added by me, of course)

What they're warning about is that even if you use the "clear pagefile at shutdown" option, if someone manages to power off your machine and make off with your drive, the pagefile contents won't have been wiped (because the normal shutdown procedures were bypassed).

Jamie Hanrahan

Posted 2016-01-24T16:58:41.087

Reputation: 19 777

Your italic text is what I don't get--data is either in memory or in paging file. If computer is shut off, things in memory are obviously gone but things in the paging file are encrypted if it resides in an encrypted partition (which is the scenario I've described). – Iteration – 2016-01-25T18:20:11.193

@Iteration Yes, that is correct. What don't you get? (btw, it is possible for data to be both in the pagefile and in RAM (on the standby page list), but this doesn't affect the issue here.) – Jamie Hanrahan – 2016-01-25T18:35:58.023

The explanation I got here makes sense to me. Is that explanation what you and the article meant and I am simply getting confused by all the terminology? Do you understand where I got confused? Basically the article said "fully-encrypted drive" and I took that to mean that the entire SSD is encrypted. Essentially if I just encrypt the Windows partition I am fine, even if I don't enable ClearPageFileAtShutdown because the data in the pagefile will be encrypted.Sorry for my confusion.

– Iteration – 2016-01-25T20:35:52.857

@Iteration Yes, you are correct. – Jamie Hanrahan – 2016-01-25T21:20:30.320

Asked: 2016-01-24T16:58:41.087

Viewed: 271 times

Active: 2016-01-25T12:44:26.967