RAM encryption increases protection against cold boot attacks and adds an obfuscation layer that makes it considerably harder to recover encryption master keys from memory dumps (live and offline dumps). RAM encryption decreases the likelihood of master keys being present in RAM in the clear.
Hence, implementing RAM encryption is better than not implementing it at all. Nonetheless, there is no certainty that keys can never be located in RAM. In the absence of RAM encryption, locating and extracting master keys from memory dumps is comparatively straightforward.
As of v1.24, VeraCrypt will erase the encryption keys from RAM when the Windows system is shut down or rebooted to mitigate against some cold boot attacks.
Without RAM encryption, an attacker can use a cold boot attack to easily recover a portion of the master key, and then use brute force to recover the remaining key.
Bear in mind that VeraCrypt will disable Windows Hibernate and Windows Fast Startup features before activating RAM encryption.
Alternatively, you can right-click the VeraCrypt icon in the system tray, select “Preferences,” select “More Settings…,” click “Performance/Driver Configuration,” enable “Activate encryption of keys and passwords stored in RAM,” and click “OK” to save the configuration settings in the “VeraCrypt – Performance and Driver Options” window.
Verify that the user’s VeraCrypt installation is not configured to encrypt keys and passwords stored in RAM. To check this option, open VeraCrypt Settings – Preferences – More settings – Performance/Driver configuration and check whether the “Activate encryption of keys and passwords stored in RAM” box is selected.
If this option is selected, EFDD will be unable to locate the encryption keys. Note that disabling this setting requires a reboot, so the point of this action is lost as the encrypted container will be locked/unmounted after the reboot.
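As an added example (not code from VeraCrypt or from the quoted posts), the following PowerShell check reports the observable side effects that enabling RAM encryption leaves on a Windows host: the VeraCrypt driver running, and Hibernate and Fast Startup both switched off. It assumes the driver service is named “veracrypt” and relies on the standard Windows registry switches for Hibernate and Fast Startup; the VeraCrypt option itself is only reachable through the Preferences path described above.

```powershell
# Added example: report whether a Windows host shows the side effects of
# VeraCrypt RAM encryption being active (assumed service name: "veracrypt";
# the two registry values are the standard Hibernate / Fast Startup switches).

function Get-RegDword {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: report "unknown" rather than failing
}

function Test-VeraCryptRamEncryptionSideEffects {
    $hibernate   = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' 'HibernateEnabled'
    $fastStartup = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power' 'HiberbootEnabled'
    $driver      = Get-Service -Name 'veracrypt' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DriverRunning       = ($null -ne $driver -and $driver.Status -eq 'Running')
        HibernateDisabled   = ($hibernate -eq 0)
        FastStartupDisabled = ($fastStartup -eq 0)
        # Both switches off is consistent with RAM encryption having been enabled;
        # either one still on means the option is almost certainly not active.
        ConsistentWithRamEncryption = ($hibernate -eq 0 -and $fastStartup -eq 0)
    }
}

Test-VeraCryptRamEncryptionSideEffects | Format-List
```

If either switch is still on, confirm the option through the Preferences path above; as noted, a change to this setting only takes effect after a reboot.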
What is RAM encryption?
According to Mounir IDRASSI, “RAM encryption mechanism serves two purposes: add a protection against cold boot attacks and add an obfuscation layer to make it much more difficult to recover encryption master keys from memory dumps, either live dumps or offline dumps (without it, locating and extracting master keys from memory dumps is relatively easy).” (We strongly recommend reading Mounir’s entire post, as it contains important details on how this protection is implemented.)
Known limitations
As you already know, breaking VeraCrypt is extremely complex. VeraCrypt presents one of the strongest encryption options we have encountered. Even a thousand computers or a network of powerful Amazon EC2 instances with top GPUs may spend years, if not hundreds of years, breaking a strong password. Extracting and using OTFE keys remains one of the few usable methods to break into encrypted containers. Yet this method has a number of limitations.
One of the most restrictive limitations is the requirement to obtain physical access to the computer while a VeraCrypt disk is mounted: only then are the encryption keys available in RAM. That computer must not be locked, and the authenticated user session must have administrator privileges (you need them to obtain the memory dump). Finally, the memory encryption option in VeraCrypt must not be in use. On the bright side, the choice of encryption and hashing algorithms does not matter, and neither does the PIM number.