I have promised before to explain more about the RAM encryption implementation and the rationale behind it, but I never was able to do it. This is an opportunity to finally explain this part, which should also be present in the documentation (I will try to find time for that too!).

First, here is a quick summary of how RAM encryption is implemented.

The RAM encryption mechanism serves two purposes: it adds protection against cold boot attacks, and it adds an obfuscation layer that makes it much more difficult to recover encryption master keys from memory dumps, either live dumps or offline dumps (without it, locating and extracting master keys from memory dumps is relatively easy).

All memory variables used are allocated in kernel space as non-paged memory, so they are never accessible to user-space applications.

At Windows startup, the VeraCrypt driver allocates a large memory region with a size of 1 MiB. If that allocation fails, it falls back to an 8 KiB non-paged memory region. This memory region is filled with random bytes generated by a CSPRNG based on ChaCha20. Two random 64-bit integers (HashSeedMask and CipherIVMask) are also generated for use in the RAM encryption algorithm.

The RAM encryption algorithm uses a key derived from the above memory region combined with unique values derived from the memory that will be encrypted (we combine HashSeedMask and CipherIVMask with several virtual address values). This ensures that a unique key is used for each memory region that will be encrypted.

This key derivation takes place every time we need to use the master key of a volume, so we need a very fast way to derive the key; otherwise it would be too slow to be usable. For that we use the non-cryptographic hash t1ha2. The master keys of a volume are decrypted for each request, so we also need a very fast algorithm for decrypting the master keys.

After a volume is mounted, either system or non-system, we immediately encrypt its master keys using the algorithm described below, before doing any operation with the volume.
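The design sketched above, as an added Python model that is not VeraCrypt's code: a random pool stands in for the 1 MiB region, a seeded FNV-1a stands in for t1ha2, and SHAKE-256 supplies the keystream (all three are assumptions of this illustration; the post names t1ha2 and the ChaCha20-based CSPRNG but not the RAM cipher or the exact way the masks are combined with the address values). It shows the property the scheme relies on: the same master key encrypted under two different address tuples yields different ciphertext, and a party without the pool and the two masks cannot recover it.

```python
import hashlib
import os
import random

POOL_SIZE = 8 * 1024     # the post's fallback size; the driver prefers 1 MiB
KEY_LEN = 32
MASK64 = (1 << 64) - 1


def fast_hash(seed: int, values) -> int:
    """Seeded FNV-1a over the little-endian bytes of each value.

    Stand-in for t1ha2 (assumption for this illustration); any fast,
    deterministic, seedable hash plays the same role here.
    """
    h = (0xCBF29CE484222325 ^ seed) & MASK64
    for v in values:
        for b in (v & MASK64).to_bytes(8, "little"):
            h ^= b
            h = (h * 0x100000001B3) & MASK64
    return h


class RamKeyProtector:
    """Holds the random pool and the two masks; derives per-region keys."""

    def __init__(self, pool_size: int = POOL_SIZE, rng=os.urandom):
        # Filled once from a CSPRNG (ChaCha20-based in the driver; os.urandom here).
        self.pool = rng(pool_size)
        self.hash_seed_mask = int.from_bytes(rng(8), "little")
        self.cipher_iv_mask = int.from_bytes(rng(8), "little")

    def derive_key(self, addresses):
        """Key and IV bound to the virtual addresses of the region being protected.

        The post says the masks are combined with several address values; the
        exact combination below is an assumption of this model.
        """
        offset = fast_hash(self.hash_seed_mask, addresses) % (len(self.pool) - KEY_LEN)
        key = self.pool[offset:offset + KEY_LEN]
        iv = fast_hash(self.cipher_iv_mask, addresses) ^ self.cipher_iv_mask
        return key, (iv & MASK64).to_bytes(8, "little")

    @staticmethod
    def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
        # Stand-in stream cipher; the post does not name the RAM cipher.
        return hashlib.shake_256(key + iv).digest(n)

    def encrypt(self, master_key: bytes, addresses) -> bytes:
        key, iv = self.derive_key(addresses)
        ks = self._keystream(key, iv, len(master_key))
        return bytes(a ^ b for a, b in zip(master_key, ks))

    # XOR with a keystream is its own inverse.
    decrypt = encrypt


def selftest() -> bool:
    """Checks the properties the scheme is meant to give (deterministic RNG)."""
    prot = RamKeyProtector(rng=random.Random(2024).randbytes)
    master_key = bytes(range(64))                      # constructed 512-bit key
    ctx_a = (0xFFFF800012340000, 0xFFFF800056780100)   # constructed addresses
    ctx_b = (0xFFFF800012340000, 0xFFFF800056780200)
    ct_a = prot.encrypt(master_key, ctx_a)
    ok = prot.decrypt(ct_a, ctx_a) == master_key       # round trip
    ok = ok and ct_a != master_key                     # key not in the clear
    ok = ok and prot.encrypt(master_key, ctx_b) != ct_a  # address-bound key
    stranger = RamKeyProtector(rng=random.Random(99).randbytes)
    ok = ok and stranger.decrypt(ct_a, ctx_a) != master_key  # needs pool + masks
    return ok


if __name__ == "__main__":
    print("selftest:", selftest())
```

The model keeps the post's structure (pool filled once at startup, two masks, a fast seeded hash over address values selecting key material, a symmetric transform applied to the master key) so the cost of decrypting on every request is one short hash plus one stream pass, which is why the post insists on a fast non-cryptographic hash rather than a KDF.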