Swap File Encryption when to use it?

Discussion in 'privacy technology' started by demoneye, Jun 23, 2011.

Thread Status:
Not open for further replies.
  1. demoneye

    demoneye Registered Member

    Joined:
    Dec 30, 2007
    Posts:
    1,356
    Location:
    ISRHell
    hi all

    According to my reading, I understand that "Swap File Encryption" happens automatically when encrypting a full HD.

    So if I use a container only, is it necessary to encrypt my swap file also?!
    I am asking because it looks weird in the BestCrypt software: you can encrypt or decrypt the swap without a password being needed. Why is that? I mean, if I want to gain access to the swap file, I can enter the BestCrypt control panel, disable the swap file encryption, restart the PC and GAIN full access to it. So what's the point? o_O
     
  2. x942

    x942 Guest

    Are you using FDE? If so, the file is already encrypted, as the entire HDD is encrypted. What it is doing is either encrypting it again or enabling Windows' built-in protection (assuming you're on Windows). From what you posted I don't think you need that enabled; it shouldn't matter with FDE.
     
  3. demoneye

    demoneye Registered Member


    No, I am not using FDE; as I said, I use ONLY containers with my important files in them.

    What I don't get is why there are solutions, like in BestCrypt, to encrypt the swap file without a password, so anyone who gains access to your PC (like law enforcers, for an extreme example) can deactivate it easily... o_O
     
  4. x942

    x942 Guest

    Not sure. It could be similar to Windows and encrypt it based on user information but still be easily disabled. Hopefully someone more familiar with BestCrypt can help out.
     
  5. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    If you've got a lot of RAM you can put your page file on a RAM drive, which means when the PC reboots it's gone.
     
  6. hugsy

    hugsy Registered Member

    Joined:
    May 22, 2010
    Posts:
    167
    Disable the swap file, use only RAM. If it doesn't exist, they can't get it.
     
  7. demoneye

    demoneye Registered Member

    Sure man, but what I can't get is why BestCrypt and also Windows 7 / Vista offer a no-password option to encode / decode the swap file? What's the use of it if anyone can reverse it back to decrypted mode? o_O
     
  8. x942

    x942 Guest

    I assume it is to prevent an attacker from using a virus or Trojan to steal it remotely and attempt to analyze it without being on the physical computer. Either that or it's to be used with FDE.
     
  9. Spooony

    Spooony Registered Member

    You can't disable it. It will always be there even if you've got 20 TB of RAM and set the pagefile to 0.
     
  10. demoneye

    demoneye Registered Member

    What do you mean by saying "it will always be there"? At what size, if you totally disable it?

    Anyway, according to the TrueCrypt documentation it can be disabled:

    http://www.truecrypt.org/docs/?s=paging-file


    cheers :D
     
  11. Spooony

    Spooony Registered Member

    Ok. Disable it. Then see if it is still there. Remember the pagefile is not there only to help out when you're low on RAM.

    For one, you will disable your crash dumps as well.
    Windows pages the applications that are minimized, not the ones in use.
    Also, applications don't see RAM, only virtual memory. They ask for a parking space and Windows tells them what lanes they can use to park in. So it's a reserved affair. Windows won't use the HDD as actual RAM; it uses it as a cache. Rather put it on a RAM drive. When you reboot or switch off the PC it's gone.
     
  12. traxx75

    traxx75 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    106
    The swap file encryption module uses a low-level driver to encrypt all data that is read from or written to your swap file. A random key is generated when your system is booted and is valid only until the current Windows session ends (i.e. power off or reboot). It would not be beneficial to anyone to turn off encryption and reboot because the data will still be useless.

    On a related note, if someone has enough access to your PC to turn off swap file encryption then you have bigger problems to worry about than your swap file :D

    In my experience, this can be a bit problematic. The page file is initialized very early on in the boot sequence and a lot of RAM drive software will not have loaded their drivers yet. Windows will then write a pagefile back to the system drive because it assumes the RAM drive no longer exists. Perhaps this has been improved since I last tested this, though :)

    This is one thing people constantly forget and often under-estimate how much RAM Windows needs. Some applications actually expect there to be a page file at all times and perform poorly (or crash) if it does not exist.
     
  13. Spooony

    Spooony Registered Member

    It has changed thanks to SSDs and their junk pile-up issues.
    http://www.superspeed.com/download/trialversions.php
    "System Properties->Advanced" tab and select the "Settings->Performance Options"; there, go to the "Advanced" tab and select "Change" in the virtual memory area.
    "Virtual Memory" setting page: there, just click on the RAMdisk drive, select the appropriate amount of paging file space (around 256MB is advisable) and click "Set". It is advisable to dismount/disable any paging files on your HDD prior to this RAMdisk setting.
     
  14. x942

    x942 Guest

    I believe you can (Linux only?) redirect/symlink the pagefile to a RAM disk. All you do is create a container in RAM, mount it, and tell Linux to use it as swap, or Windows (if possible) to store the page file there. Make it encrypted with a random key (from /dev/urandom) and no one will ever get it :)
     
  15. CasperFace

    CasperFace Registered Member

    Joined:
    Jul 31, 2010
    Posts:
    200
    Actually, you can. Just set Virtual Memory settings to "No paging file" and then delete/erase the pagefile.sys file completely. If you do it properly, it won't re-spawn.

    I used to have the pagefile on a RAM drive for a while also, but decided to get rid of it altogether after upgrading my RAM beyond 4 GB. When in doubt, you can just check the 'last modified' timestamp to see if Windows is actually paging or not... and if not, then you might as well just get rid of it.

    In fact, I've been fine with NO page file for years. On rare occasions I'll get a "low memory" warning, but that's only if I have too many memory-hogging applications open at one time. So yeah... if you have plenty of RAM, don't even bother with trying to encrypt the swap file... do as others have suggested and just disable it altogether.
     
  16. Spooony

    Spooony Registered Member

    What are you using, XP?
     
  17. Pryvate

    Pryvate Registered Member

    Joined:
    Jun 24, 2011
    Posts:
    56
    Hi Demoneye, to give a quick and easy answer to your question:
    (I have Bestcrypt)

    If after the next time you restart your computer, you disable swap file encryption, this will not decrypt your previous, older swap file.

    If you disable swap file encryption after restarting your computer, all that will happen is that the new swapfile will be unencrypted.

    The Swap file does not need to be permanently encrypted all the time - it only needs to be encrypted while you are viewing private information or working with secret files, and until you reboot again.

    The information in the Swap file or Paging file you are using is related only to the files or information your computer is currently working with, until the next time you restart your computer. So the swap file needs to be encrypted while your computer is working with private or secret stuff, until the next time you restart your computer.

    You get a new swap file every time you re-start your computer, and old encrypted swap files stay encrypted, remain encrypted.

    BestCrypt cannot decrypt old encrypted swap files, because the "password" it generates is different for each new swap file, and because it "forgets" the older "passwords" (actually randomly generated encryption keys) it used for previous, older, swap files.
     
  18. Pryvate

    Pryvate Registered Member

    Because Bestcrypt has already "forgotten" the key it used to encrypt the swap file with. (For Demoneye).
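
The behaviour traxx75 and Pryvate describe (a random key generated at boot, held only in memory, and lost at the next restart) can be modelled in a few lines. This is an added example, not part of the thread and not BestCrypt's code; `BootSession`, `keystream` and the sample secret are hypothetical, and the HMAC-SHA256 keystream is a stand-in for whatever cipher a real driver uses.

```python
import hashlib
import hmac
import os

PAGE_SIZE = 64  # bytes per simulated page (real pages are 4 KiB)


def keystream(key, page_no, length):
    """Stand-in cipher: HMAC-SHA256 in counter mode, keyed per session."""
    blocks = (hmac.new(key, b"%d:%d" % (page_no, i), hashlib.sha256).digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]


class BootSession:
    """One Windows session; `disk` stands for the swap file and survives reboots."""

    def __init__(self, disk, encrypt):
        self.disk = disk
        # The key exists only in this object (RAM); it is never written to disk.
        self.key = os.urandom(32) if encrypt else None

    def _transform(self, page_no, data):
        if self.key is None:          # encryption switched off: pass-through
            return data
        ks = keystream(self.key, page_no, len(data))
        return bytes(a ^ b for a, b in zip(data, ks))

    def page_out(self, page_no, data):
        self.disk[page_no] = self._transform(page_no, data.ljust(PAGE_SIZE, b"\0"))

    def page_in(self, page_no):
        return self._transform(page_no, self.disk[page_no]).rstrip(b"\0")


def demo():
    disk = {}
    secret = b"constructed sample: container passphrase"
    boot1 = BootSession(disk, encrypt=True)
    boot1.page_out(7, secret)
    readable_in_session = boot1.page_in(7) == secret
    del boot1                                  # reboot: the session key is gone
    boot2 = BootSession(disk, encrypt=False)   # encryption disabled, no password asked
    old_page_exposed = secret in boot2.page_in(7)
    boot2.page_out(8, secret)                  # only pages written now are plaintext
    new_page_exposed = secret in disk[8]
    return readable_in_session, old_page_exposed, new_page_exposed
```

`demo()` shows the three cases from the thread: the page is readable within the session that wrote it, stays unreadable after a reboot with encryption turned off, and only pages written after that point land on disk in the clear.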
     
  19. CasperFace

    CasperFace Registered Member

    Yes. :)
     
  20. Spooony

    Spooony Registered Member

    aah ok. win 7 /64bit no swap file = Crash Boom Bang
     
  21. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Just to make sure that I understand this correctly...swap files are used temporarily while a computer is performing some tasks. But when you restart, they are gone with no personal information stored. Is this correct?
     
  22. CasperFace

    CasperFace Registered Member

    Not exactly. Swap file is virtual memory that is used by Windows as a last resort for when you are running low on RAM. When you restart, your RAM gets flushed, but the contents of the swap file remain, since the swap file resides on your physical disk by default. If you use a forensics tool or even a plain text editor, you can usually find lots of personal data left over from your last session(s) residing in the swap file. So basically, your options are:

    a) Disable swap file permanently (only if you have plenty of RAM and if your operating system allows you to do so).

    b) Move the location of the swap file to a RAM drive (virtual disk) so that it self-destructs on every shutdown/restart.

    c) Use full system encryption.

    d) Configure Windows (or use a 3rd party software) to wipe contents of swap file on shutdown. Keep in mind that paging files are usually quite large (up to several GB) so this may be prohibitively time-consuming.

    As others have suggested, I suppose you could use a program to encrypt just the page file by itself, but given the alternatives I don't think it's really an optimal solution.
     
  23. demoneye

    demoneye Registered Member


    How do you do that? Any recommendation for good software??

    10x :D

    BTW

    I found this way... can it be confirmed as secure and safe?

    http://www.hacker10.com/computer-security/how-to-encrypt-and-clear-windows-page-file/
     
  24. CasperFace

    CasperFace Registered Member

    For the first suggestion, I would recommend either SuperSpeed RamDisk or DataRam RAMDisk. Just set up your RAM drive, then go to Control Panel > System > Advanced > Performance > Settings > Advanced > Virtual memory > Change, move the location of your swap file to the new drive letter, reboot, then erase the old pagefile.sys file from %homedrive%.

    As for the tutorial link, I suppose the Windows-based method of encrypting and/or clearing the swap file would be fine against casual snoops, but a stronger adversary would surely be able to defeat it. That's why it's better if you disable your swap file or move it to a RAM drive instead, so the data never gets written to the physical disk in the first place. Much better security that way. :)
     
  25. caspian

    caspian Registered Member

    Okay then, so the pagefile system is an area designated on the hard drive to use when all of the RAM has been used. Is this correct? If you are out of virtual memory you need the pagefile system to pick up the slack.

    From BCwipe:

    http://www.jetico.com/support-bcwipe-faq/

    Here is how to use their pagefile encryption option.

    http://www.jetico.com/bcwipe5_web_help/html/12_swap_file/01_swap_file.htm

    Their transparent wiping feature looks really cool too.

    http://www.jetico.com/wiping-bcwipe/
     