Questions Truecrypt

[WYC999]

Hi everyone,

I'm more a beginner in encryption and googling and reading all day about true crypt.

My questions that google didn't know is this:

In my Trucrypt-settings I have checked "disconnect when change to Stand-by" (i translated this from the german version)

1. Does anyone now know if the masterpassword is still in the RAM since Truecrypt knows that i want it to disconnect? Would be a security concern since i carry my laptop around in Stand-by...
2. If i encrypt a Partition on hardive is that one big "file" from the harddisk perspective or are only the files on that drive encrypted and there is empty space between?
3. Any experiences with: If windows is forced to shut down by the Taskplaner and the drives are NOT unmounted. Is it save to say that all file are still encrypted?
   

hope for your ideas...

[Warlockz]

I think this will answer your first Question

Quote:

Unencrypted Data in RAM

It is important to note that TrueCrypt is disk encryption software, which encrypts only disks, not RAM (memory).

Keep in mind that most programs do not clear the memory area (buffers) in which they store unencrypted (portions of) files they load from a TrueCrypt volume. This means that after you exit such a program, unencrypted data it worked with may remain in memory (RAM) until the computer is turned off (and, according to some researchers, even for some time after the power is turned off*). Also note that if you open a file stored on a TrueCrypt volume, for example, in a text editor and then force dismount on the TrueCrypt volume, then the file will remain unencrypted in the area of memory (RAM) used by (allocated to) the text editor. This applies to forced auto-dismount too.

Quote:

Inherently, unencrypted master keys have to be stored in RAM too. When a non-system TrueCrypt volume is dismounted, TrueCrypt erases its master keys (stored in RAM). When the computer is cleanly restarted (or cleanly shut down), all non-system TrueCrypt volumes are automatically dismounted and, thus, all master keys stored in RAM are erased by the TrueCrypt driver (except master keys for system partitions/drives — see below). However, when power supply is abruptly interrupted, when the computer is reset (not cleanly restarted), or when the system crashes, TrueCrypt naturally stops running and therefore cannot erase any keys or any other sensitive data. Furthermore, as Microsoft does not provide any appropriate API for handling hibernation and shutdown, master keys used for system encryption cannot be reliably (and are not) erased from RAM when a computer hibernates, is shut down or restarted.........Please see link to read the rest..

http://www.truecrypt.org/docs/unencrypted-data-in-ram

[Technical]

Quote:

Originally Posted by WYC999

Hi everyone,[*] Any experiences with: If windows is forced to shut down by the Taskplaner and the drives are NOT unmounted. Is it save to say that all file are still encrypted?
hope for your ideas...

The files themselves are kept encrypted.
The problem will be information in RAM like said before.

[Warlockz]

This link "Security Requirements and Precautions" Basicly covers all of the Truecrypt security related questions for which people are seeking answers

[WYC999]

Sorry for answering so late - had a lot to do in the last days. BUT i worked through the links you gave me - and that was really interesting stuff!

I for myself came after quite some time of reading/thinking to 3 conclusions that might interesting for someone new to this topic:

1. If you travel with your Notebook or you leave in your hotelroom you are only 100% secure if you switch it physically off.
2. If your computer went to hibernation you should take the next time the time replace to Hiberfil.sys with a new emtpy one. This is in my Opinion very important. If your computer goes to Hibernation with your drives mounted, it means your masterpasswort is saved to harddisk and stays there forever. So all the wonderful calculations how many trillion years it takes to brute force your intelligent passwort are just totally worthless if you have a file saved on your disk form which your passwort can be extracted. For me this was quite shocking to find out. And it made me wonder why on earth in all that X that Laptops and Windows Hibernation exists no one ever came to that idea...
3. After all Truecrypt is not the problem here - The RAM that stores portions of documents/passwords (any program) and the windows feature of Hibernation are the problem.

[Warlockz]

I have heard that with some laptops people had to physically remove the battery to delete the contents of their ram. you may want to check your laptop to see if it may have the same issue?

You should completely disable Hibernation wile using Encryption Period.

If I was you I would Switch to DriveCryptor for WholeDiskEncryption.