REQ: random key pagefile encryption

Discussion in 'General Returnil discussions' started by MadMonkey, Jul 14, 2009.

Thread Status:
Not open for further replies.
  1. MadMonkey

    MadMonkey Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    30
    Assuming that neither the stable nor the betas have stopped using a Returnil pagefile, even in RAM mode, consider taking a page from Vista's book and encrypt your pagefile with a strong one-time key.

    Addressing security concerns in a prior post, coldmoon mentioned an intent to start wiping the file from 2.0.1. Secure wiping takes time; I believe 7 overwrites is the current NSA standard, and that still leaves traces.

    Encryption with a per-session key, however, is fast and, especially when coupled with a rapid randomization/corruption pass on shutdown, provides good privacy.

    --

    In the meantime:
    where is this file?
    can it be relocated?
    if it can't, is it disabled by using the virtual partition option?
    - can this partition be encrypted?
    any suggestions about software which could do for the Returnil page file or partition what EFS does for Vista's?
     
  2. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi :)

    We are investigating this as part of the solution for the cache wipe issue.

    Multiple wipes have been shown to be no more effective than a single pass random overwrite:

    https://www.wilderssecurity.com/showthread.php?t=230855&highlight=secure wipe

    For 2x, the file is located in C:\Returnil (Disk cache = RVSYSTEM.sys). The memory cache is internal to the program. The latter is also true for v3, but the new version uses dynamic caching so it may or may not exist as it depends on need, rather than being pre-determined as it is in 2x.

    Not yet but we are working on this as an essential step towards better SSD support for the system partition. In the LAB version, we are testing this with alternate partition cloning where the cache can be configured on another alternate partition (Clone data drive D:\ and place the cache on drive E:\ for example).

    This will not be added to 3.0 as it still needs more testing and there are more pressing development priorities to get through first. Look for this in a future 3x version as we go forward.

    No. The Virtual Partition (2x/LAB) or the Virtual Disk (3x) is a simple convenience to store files and data changes if the user does not have access to an alternate drive (Ex: computer has a single "C:\" partition).

    I have not specifically tested this so would caution you to try it in a VM first. In theory however, you should not need to do this as the VP/VD cannot be accessed by anything other than RVS when dismounted. Further, only an administrator can write to the root of the VP/VD.

    2x/3x already include a cache wipe feature. When mounted, you can delete or wipe anything inside the VP/VD as you would any other drive or partition. Make sure you are an admin to do this. You can also defragment the contents of the VP/VD. When dismounted however, the VP/VD is just a big, empty file that may appear to be fragmented when using third party defragmentation solutions.

    Mike
     
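The scheme MadMonkey proposes in the first post (encrypt the cache under a key that exists only for one session, then randomize the file on shutdown) and the single random overwrite pass Coldmoon mentions above, worked through as an added Go example. This is not Returnil's code and says nothing about how RVSYSTEM.sys is actually laid out; the SessionCache type, the nonce-prefixed file layout and the temporary demo path are all assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// SessionCache models a disk cache file protected by a key that lives only in
// process memory for one session. Hypothetical design sketch, not Returnil code.
type SessionCache struct {
	path string
	key  []byte
	aead cipher.AEAD
}

// NewSessionCache draws a fresh 256-bit key from the OS CSPRNG. The key is never
// written anywhere, so nothing left on disk can decrypt the cache after exit.
func NewSessionCache(path string) (*SessionCache, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SessionCache{path: path, key: key, aead: aead}, nil
}

// Write stores nonce || AES-GCM(plain). A fresh random nonce per write keeps
// identical contents from producing identical files.
func (c *SessionCache) Write(plain []byte) error {
	if c.aead == nil {
		return errors.New("session key already destroyed")
	}
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	return os.WriteFile(c.path, c.aead.Seal(nonce, nonce, plain, nil), 0o600)
}

// Read decrypts and authenticates the file; the GCM tag flags any corruption.
func (c *SessionCache) Read() ([]byte, error) {
	if c.aead == nil {
		return nil, errors.New("session key already destroyed")
	}
	data, err := os.ReadFile(c.path)
	if err != nil {
		return nil, err
	}
	ns := c.aead.NonceSize()
	if len(data) < ns {
		return nil, errors.New("cache file too short")
	}
	return c.aead.Open(nil, data[:ns], data[ns:], nil)
}

// Shutdown is the "rapid randomization pass": zero the key in memory (after
// which the on-disk bytes are undecryptable by anyone), then overwrite the
// file once with random data so that even the ciphertext is gone.
func (c *SessionCache) Shutdown() error {
	for i := range c.key {
		c.key[i] = 0
	}
	c.aead = nil
	st, err := os.Stat(c.path)
	if err != nil {
		return err
	}
	junk := make([]byte, st.Size())
	if _, err := io.ReadFull(rand.Reader, junk); err != nil {
		return err
	}
	return os.WriteFile(c.path, junk, 0o600)
}

func main() {
	dir, _ := os.MkdirTemp("", "cache-demo")
	defer os.RemoveAll(dir)
	c, _ := NewSessionCache(filepath.Join(dir, "cache.bin")) // constructed demo path
	_ = c.Write([]byte("constructed sample: browsing history, temp documents"))
	back, _ := c.Read()
	fmt.Printf("round trip: %q\n", back)
	_ = c.Shutdown()
	_, err := c.Read()
	fmt.Println("after shutdown:", err)
}
```

Two points the code makes concrete: once the key is zeroed, the cache is unreadable whether or not the file is ever overwritten, so the wipe only has to be the one random pass rather than seven; and the GCM tag means a file that was only partially overwritten is rejected instead of being silently reused. A real implementation would also have to keep the session key itself out of the system pagefile (for example by holding it in non-pageable memory), otherwise the key can leak through the very mechanism the scheme is meant to protect.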
  3. MadMonkey

    MadMonkey Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    30
    Thank you for replying so quickly and fully.

    To sum up:
    1) Random encryption is being considered to secure RVSYSTEM.sys, but it'll likely be a while. Not with the 3.0 RC.
    2) In RAM and Virtual Disk aren't two different modes like A or B, but more like A and A+. Virtual Disk is In RAM, plus a Virtual Disk (presumably to isolate data from the reset on reboot.)

    Correct?

    Two follow-up questions:
    1) Is disk writing limited to RVSYSTEM.sys when Returnil is on? Only Returnil writes to disk and only to RVSYSTEM.sys?
    2) Does Returnil, upon reboot, treat RVSYSTEM.sys as an empty file? Would it matter to Returnil if it were full of rubble?
     
  4. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    This is only a part of what we are looking at. Further, the use of .sys will be revised at some point as the file type carries some inconvenient "baggage".

    In 2x, they are A and B. In 3x they are combined into A+ as the cache is dynamic rather than pre-configured/static. So what is needed is used rather than preset as it is in 2x.

    RVS is not a file filter. All programs, including Windows, write to the cache rather than the real disk unless you have configured your programs to write to an alternate disk (Ex: program drives and data drives). When using Disk caching, RVSYSTEM.sys is where the changes are kept until a restart with protection turned on. Memory works with RAM and an internal program cache (IOW, there is no RVSYSTEM.sys file when using Memory caching).

    No, RVS just starts over at the beginning and overwrites what is there whether it is random junk (wipe activated) or data from the previous virtual session.
     
  5. MadMonkey

    MadMonkey Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    30
    I'm somewhat confused. Maybe the posts I've been reading were older than I thought.

    Doesn't Memory caching also use a pagefile? Are there no hard-disk writes with Memory caching on?
     
  6. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    There are HDD writes but the cache is inside RVS rather than external as is the case with the disk cache method.
     
  7. MadMonkey

    MadMonkey Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    30