VeraCrypt users reminded of the importance of enabling RAM encryption

Users of the encryption software VeraCrypt are advised to enable RAM encryption and not to leave their computers unattended. Otherwise, the encryption keys can be read from memory. Forensic software provider Elcomsoft published a blog post last week titled "Breaking VeraCrypt: Obtaining and Extracting On-The-Fly Encryption Keys".

In the post, the company says that it has released a new version of Forensic Disk Decryptor, which it claims is the only tool that can read all kinds of VeraCrypt encryption keys from a computer's memory. VeraCrypt is an open source encryption program for Linux, macOS, and Windows, based on the popular TrueCrypt, for which support ended in 2014.

VeraCrypt 1.24, released in 2019, introduced RAM encryption for encryption keys and passwords. This should prevent them from being read from working memory, for example via cold boot attacks. Elcomsoft now reports that it can read the encryption keys, including from the latest Windows version of VeraCrypt, version 1.24 Update 7.

However, several conditions must be met for this to work. The method only works in the case of encrypted VeraCrypt containers. In addition, there must be physical access to the machine, the drive must be mounted, the computer must not be locked, and the logged-in user must have administrator rights. Finally, the RAM encryption option must not be enabled in VeraCrypt.

Elcomsoft recognizes that a situation where all of these conditions are met is uncommon. Still, the company states that law enforcement agencies do encounter cases where they can gain access to evidence in this way.
