Windows 10 "fast startup" option and TrueCrypt security

Discussion in 'privacy technology' started by Squeller, Sep 12, 2015.

  1. Squeller

    Squeller Registered Member

    Joined: Sep 13, 2008
    Posts: 20
    Hi guys,

    In Windows 10 I am under the impression that volume IDs (from the "mountvol" command) and also the TrueCrypt internal drive names (\harddisk0\partition1\..) are permanently scrambled. Not sure yet.

    Now Windows 10 has a fast startup mode which seems to be some kind of standard boot and hibernate hybrid. This way, TC drives stay mounted, which is a workaround to the above problem.

    Is this a security disaster? I think the stuff (encryption keys) that TrueCrypt holds in RAM is written to the SSD then. I also think TC would not have clear text passwords in RAM...?

    Let's say the attacker is... you. Or another geek. Not superduper NSA with quantum computers. Is using that hibernation thing a problem then?

    I'm struggling between usability and security. I cannot have my wife mount TC drives manually, that's the thing.

    Thx

    EDIT: Fast startup, as described here: http://www.tenforums.com/tutorials/4189-fast-startup-turn-off-windows-10-a.html
     
  2. deBoetie

    deBoetie Registered Member

    Joined: Aug 7, 2013
    Posts: 1,832
    Location: UK
    I think that approach is a problem. The keys will necessarily be in the virtual RAM. And all it takes for them to be exposed is for one person to figure out the way to search it, and you'll be toast. The only protection that might work there is if the system protected the disk information in the fast startup with BitLocker with TPM/PIN - is that the scenario?
    Something I sometimes do in this kind of circumstance is to have a batch file under the user account which opens the TC container when the account logs in. The batch file contains the password in clear, but, provided you have W10 Pro, it can be protected with EFS, and only accessible to that account. Of course, if the account is compromised then that information is open, but that's true anyway if the TC container is mounted when logged in - all the information is accessible anyway.
     
  3. Palancar

    Palancar Registered Member

    Joined: Oct 26, 2011
    Posts: 2,402
    I would be interested in hearing what the difference in speed is between a "normal" start and fast start. I run a very basic family 10 Pro, but on a healthy horsepower machine, and my start times are decent. I rarely use Win 10 since most of the time I am on Linux. That means either start scenario (for my circumstance) requires updating the Defender file database. That is much more time consuming than anything start related. I could easily shut down Windows Defender but I am running that one simple machine as a typical family user, just to watch 10 Pro over time. Nothing needing security ever happens on it.
     
  4. Minimalist

    Minimalist Registered Member

    Joined: Jan 6, 2014
    Posts: 14,881
    Location: Slovenia, EU
    When I had the system on an HDD, fast start was noticeably quicker. Now on an SSD, I have it disabled as the difference in speed is minimal.
     
  5. Squeller

    Squeller Registered Member

    Joined: Sep 13, 2008
    Posts: 20
    Palancar, I just know, it's a kind of hybrid hibernate/standby/shutdown thing. Windows does not unlock file systems in that mode. E.g. if you boot into another Windows and then back to 10, it will detect a corrupt file system and try to repair it. I read something about a "dirty bit".
    Yeah, on SSD it is negligible, about 7 vs. 9 seconds boot time(*), it's just for the convenience of $wife not having to enter a TC password too often.

    *Windows until user login. My BIOS: ~25 seconds, with AHCI controller... :(
     
  6. Palancar

    Palancar Registered Member

    Joined: Oct 26, 2011
    Posts: 2,402
    I do get it, Squeller. It gets frustrating having to tell my spouse the password every time they want to sign on. Not even a tough password either. I only use TC on the Windows OS to keep it from doing anything "suspicious" while I am using Linux from inside a different partition.

    Thank you guys for the feedback.
     