User Activity

  • Posted a comment on discussion Technical Topics on VeraCrypt

    Hi Enigma2Illusion, Thanks for your thoughts. With Kr00k key was zeroed out and still encrypted with it. That led to the security issue. Here we only encrypt the encryption key so all data to disk will be securely encrypted. Concerning system encryption. If you don't use system drive encryption you have to unmount all volumes otherwise volume key would be stored in cleartext in the hibernation file. So there would be no security changes for those users.

  • Posted a comment on discussion Technical Topics on VeraCrypt

    The subject of protecting keys in RAM is complex and what I have implemented in VeraCrypt is a small step towards a foolproof solution that maybe doesn't exist. Nevertheless, at the current state of things, it is better to have an imperfect protection than no protection at all. As I wrote in my first post, I'm open to contributions for enhancement of RAM encryption mechanism. The current implementation provides simple functions that can be overridden for any new protection mechanism without carring...

  • Posted a comment on discussion Technical Topics on VeraCrypt

    What about a different approach: Upon hibernating you set this 1 MiB Memory region to 0. Then you derive the encryption key from this "Zero region" and encrypt the necessary keys with this. Then upon boot you initialize that region again with Zeros and as soon as possible you correctly initialize it and encrypt the Round-Keys accordingly. Perhaps another suggestion. Upon hibernation you "disable" RAM encryption. Keys would be stored in plaintext, but since we use full disk encryption they're in...

  • Posted a comment on discussion Technical Topics on VeraCrypt

    Hi Mounir IDRASSI thanks for explaining RAM encryption that detailed. The master key of a volume are decrypted for each request so we need a very fast algorithm for decrypting master key. For that we use ChaCha12. For each I/O request received for a volume, we copy the encrypted master keys to a local variable, then we decrypt this location variable using algorithm described below, then we use this variable to perform encryption/decryption needed for the I/O request and finally we securely wipe this...

  • Posted a comment on discussion Technical Topics on VeraCrypt

    I can't find anything about how the VeraCrypt memory encryption works. I'm really curious since you normally need a key in RAM, but a key in RAM could be read and then the encryption key could be decrypted...

Personal Data

Username:
ramencryption
Joined:
2020-07-09 09:41:06

Projects

  • No projects to display.
