mirror of
https://github.com/veracrypt/VeraCrypt
synced 2024-11-10 05:03:33 +01:00
Documentation: Add more information about TRIM behavior in VeraCrypt
This commit is contained in:
parent
3239e5d83e
commit
09833e0942
Binary file not shown.
@ -40,6 +40,12 @@ <h1>System Encryption</h1>
|
||||
System encryption provides the highest level of security and privacy, because all files, including any temporary files that Windows and applications create on the system partition (typically, without your knowledge or consent), hibernation files, swap files,
|
||||
etc., are always permanently encrypted (even when power supply is suddenly interrupted). Windows also records large amounts of potentially sensitive data, such as the names and locations of files you open, applications you run, etc. All such log files and
|
||||
registry entries are always permanently encrypted as well.</div>
|
||||
|
||||
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
|
||||
<strong>Note on SSDs and TRIM:</strong>
|
||||
When using system encryption on SSDs, it's important to consider the implications of the TRIM operation, which can potentially reveal information about which sectors on the drive are not in use. For detailed guidance on how TRIM operates with VeraCrypt and how to manage its settings for enhanced security, please refer to the <a href="Trim%20Operation.html">TRIM Operation</a> documentation.
|
||||
</div>
|
||||
|
||||
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
|
||||
System encryption involves pre-boot authentication, which means that anyone who wants to gain access and use the encrypted system, read and write files stored on the system drive, etc., will need to enter the correct password each time before Windows boots
|
||||
(starts). Pre-boot authentication is handled by the VeraCrypt Boot Loader, which resides in the first track of the boot drive and on the
|
||||
|
@ -38,13 +38,19 @@
|
||||
<h1>Trim Operation</h1>
|
||||
<div style="text-align:left; margin-top:19px; margin-bottom:19px; padding-top:0px; padding-bottom:0px">
|
||||
Some storage devices (e.g., some solid-state drives, including USB flash drives) use so-called 'trim' operation to mark drive sectors as free e.g. when a file is deleted. Consequently, such sectors may contain unencrypted zeroes or other undefined data (unencrypted)
|
||||
even if they are located within a part of the drive that is encrypted by VeraCrypt. VeraCrypt does not block the trim operation on partitions that are within the key scope of
|
||||
<a href="System%20Encryption.html" style="text-align:left; color:#0080c0; text-decoration:none.html">
|
||||
system encryption</a> (unless a <a href="Hidden%20Operating%20System.html" style="text-align:left; color:#0080c0; text-decoration:none.html">
|
||||
hidden operating system</a> is running) and under Linux on all volumes that use the Linux native kernel cryptographic services. In those cases, the adversary will be able to tell which sectors contain free space (and may be able to use this information for
|
||||
even if they are located within a part of the drive that is encrypted by VeraCrypt.<br>
|
||||
<br>
|
||||
On Windows, VeraCrypt allows users to control the trim operation for both non-system and system volumes:
|
||||
<ul>
|
||||
<li>For non-system volumes, trim is blocked by default. Users can enable trim through VeraCrypt's interface by navigating to "Settings -> Performance/Driver Configuration" and checking the option "Allow TRIM command for non-system SSD partition/drive."</li>
|
||||
<li>For <a href="System%20Encryption.html">system encryption</a>, trim is enabled by default (unless a <a href="Hidden%20Operating%20System.html">hidden operating system</a> is running). Users can disable trim by navigating to "System -> Settings" and checking the option "Block TRIM command on system partition/drive."</li>
|
||||
</ul>
|
||||
|
||||
Under Linux, VeraCrypt does not block the trim operation on volumes using the native Linux kernel cryptographic services, which is the default setting. To block TRIM on Linux, users should either enable the "do not use kernel cryptographic services" option in VeraCrypt's Preferences (applicable only to volumes mounted afterward) or use the <code>--mount-options=nokernelcrypto</code> switch in the command line when mounting.
|
||||
<br>
|
||||
<br>
|
||||
In cases where trim operations occur, the adversary will be able to tell which sectors contain free space (and may be able to use this information for
|
||||
further analysis and attacks) and <a href="Plausible%20Deniability.html" style="text-align:left; color:#0080c0; text-decoration:none.html">
|
||||
plausible deniability</a> may be negatively affected. If you want to avoid those issues, do not use
|
||||
<a href="System%20Encryption.html" style="text-align:left; color:#0080c0; text-decoration:none.html">
|
||||
system encryption</a> on drives that use the trim operation and, under Linux, either configure VeraCrypt not to use the Linux native kernel cryptographic services or make sure VeraCrypt volumes are not located on drives that use the trim operation.</div>
|
||||
plausible deniability</a> may be negatively affected. In order to avoid these issues, users should either disable trim in VeraCrypt settings as previously described or make sure VeraCrypt volumes are not located on drives that use the trim operation.</div>
|
||||
<p>To find out whether a device uses the trim operation, please refer to documentation supplied with the device or contact the vendor/manufacturer.</p>
|
||||
</div><div class="ClearBoth"></div></body></html>
|
||||
|
Loading…
Reference in New Issue
Block a user