From 09833e094273380ec06d22d50434ddf70b8801e1 Mon Sep 17 00:00:00 2001 From: Mounir IDRASSI Date: Sun, 5 Nov 2023 18:06:20 +0100 Subject: Documentation: Add more information about TRIM behavior in VeraCrypt --- doc/html/System Encryption.html | 6 ++++++ doc/html/Trim Operation.html | 20 +++++++++++++------- 2 files changed, 19 insertions(+), 7 deletions(-) (limited to 'doc/html') diff --git a/doc/html/System Encryption.html b/doc/html/System Encryption.html index 9699427e..c83d72fe 100644 --- a/doc/html/System Encryption.html +++ b/doc/html/System Encryption.html @@ -40,6 +40,12 @@ VeraCrypt can on-the-fly encrypt a system partition or entire system drive, i.e. System encryption provides the highest level of security and privacy, because all files, including any temporary files that Windows and applications create on the system partition (typically, without your knowledge or consent), hibernation files, swap files, etc., are always permanently encrypted (even when power supply is suddenly interrupted). Windows also records large amounts of potentially sensitive data, such as the names and locations of files you open, applications you run, etc. All such log files and registry entries are always permanently encrypted as well. + +
+Note on SSDs and TRIM: +When using system encryption on SSDs, it's important to consider the implications of the TRIM operation, which can potentially reveal information about which sectors on the drive are not in use. For detailed guidance on how TRIM operates with VeraCrypt and how to manage its settings for enhanced security, please refer to the TRIM Operation documentation. +
+
System encryption involves pre-boot authentication, which means that anyone who wants to gain access and use the encrypted system, read and write files stored on the system drive, etc., will need to enter the correct password each time before Windows boots (starts). Pre-boot authentication is handled by the VeraCrypt Boot Loader, which resides in the first track of the boot drive and on the diff --git a/doc/html/Trim Operation.html b/doc/html/Trim Operation.html index be4cec73..0b8182ad 100644 --- a/doc/html/Trim Operation.html +++ b/doc/html/Trim Operation.html @@ -38,13 +38,19 @@

Trim Operation

Some storage devices (e.g., some solid-state drives, including USB flash drives) use so-called 'trim' operation to mark drive sectors as free e.g. when a file is deleted. Consequently, such sectors may contain unencrypted zeroes or other undefined data (unencrypted) - even if they are located within a part of the drive that is encrypted by VeraCrypt. VeraCrypt does not block the trim operation on partitions that are within the key scope of - -system encryption (unless a -hidden operating system is running) and under Linux on all volumes that use the Linux native kernel cryptographic services. In those cases, the adversary will be able to tell which sectors contain free space (and may be able to use this information for + even if they are located within a part of the drive that is encrypted by VeraCrypt.
+
+On Windows, VeraCrypt allows users to control the trim operation for both non-system and system volumes: +
    +
  • For non-system volumes, trim is blocked by default. Users can enable trim through VeraCrypt's interface by navigating to "Settings -> Performance/Driver Configuration" and checking the option "Allow TRIM command for non-system SSD partition/drive."
  • +
  • For system encryption, trim is enabled by default (unless a hidden operating system is running). Users can disable trim by navigating to "System -> Settings" and checking the option "Block TRIM command on system partition/drive."
  • +
+ +Under Linux, VeraCrypt does not block the trim operation on volumes using the native Linux kernel cryptographic services, which is the default setting. To block TRIM on Linux, users should either enable the "do not use kernel cryptographic services" option in VeraCrypt's Preferences (applicable only to volumes mounted afterward) or use the --mount-options=nokernelcrypto switch in the command line when mounting. +
+
+In cases where trim operations occur, the adversary will be able to tell which sectors contain free space (and may be able to use this information for further analysis and attacks) and -plausible deniability may be negatively affected. If you want to avoid those issues, do not use - -system encryption on drives that use the trim operation and, under Linux, either configure VeraCrypt not to use the Linux native kernel cryptographic services or make sure VeraCrypt volumes are not located on drives that use the trim operation.
+plausible deniability may be negatively affected. In order to avoid these issues, users should either disable trim in VeraCrypt settings as previously described or make sure VeraCrypt volumes are not located on drives that use the trim operation.

To find out whether a device uses the trim operation, please refer to documentation supplied with the device or contact the vendor/manufacturer.

-- cgit v1.2.3