Hibernate and FDE

Earlier this week, I read this article reporting on Passware’s presentation at Password^20. It reported that if you are using BitLocker or TrueCrypt and you’ve ever used hibernate, then Passware Kit Forensic is able to recover the encryption key from the Hibernate file. The recommendation was “NEVER EVER EVER EVER allow hibernation for any computer.”

I found this hard to believe. So I watched the presentation. The Q and A made it clear that if the disk is truly fully encrypted, that is including the hibernate files, and the system is off.

I’m not as familiar with BitLocker or TrueCrypt as I am with the product I use at work. Apparently people using TrueCrypt or BitLocker often only encrypt data volumes. Certainly that leaves you more vulnerable. The product I use actually encrypts the full drive, and provides pre-boot authentication at all times. So I think the advice to never use hibernate isn’t correct if you truly have full disk encryption.
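One way to check the two conditions above (hibernate file inside the encrypted volume, pre-boot authentication on resume) for BitLocker, as an added example that is not part of the original post. The function name and verdict strings are hypothetical, the sample volumes are constructed, and it assumes the hibernate file sits on the system drive and that a TPM-only protector counts as no pre-boot authentication.

```powershell
# Added example: classify hibernation exposure from BitLocker volume state.
# Test-HibernateExposure is a hypothetical helper; the properties it reads
# (VolumeStatus, ProtectionStatus, KeyProtector) are those of Get-BitLockerVolume output.
function Test-HibernateExposure {
    param(
        [Parameter(Mandatory)] $OsVolume,               # volume assumed to hold hiberfil.sys
        [Parameter(Mandatory)] [bool] $HibernateEnabled
    )
    if (-not $HibernateEnabled) { return 'OK: hibernation disabled, no hibernate file is written' }

    # The hibernate file is only covered if the volume holding it is encrypted with protection on.
    $encrypted = ("$($OsVolume.VolumeStatus)" -eq 'FullyEncrypted') -and
                 ("$($OsVolume.ProtectionStatus)" -eq 'On')
    if (-not $encrypted) { return 'EXPOSED: hibernate file is on a volume that is not fully encrypted' }

    # Assumption: a TPM-only protector releases the key with no user input,
    # so resume goes straight to the OS logon screen.
    $types = @($OsVolume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    if ($types -contains 'Tpm') {
        return 'WEAK: encrypted, but resume needs no pre-boot authentication'
    }
    return 'OK: hibernate file is encrypted and resume requires pre-boot authentication'
}

# Constructed sample volumes (not real output).
function New-Protector($t) { [pscustomobject]@{ KeyProtectorType = $t } }
$dataOnly = [pscustomobject]@{ VolumeStatus = 'FullyDecrypted'; ProtectionStatus = 'Off'
                               KeyProtector = @() }
$tpmOnly  = [pscustomobject]@{ VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'On'
                               KeyProtector = @((New-Protector 'Tpm'), (New-Protector 'RecoveryPassword')) }
$tpmPin   = [pscustomobject]@{ VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'On'
                               KeyProtector = @((New-Protector 'TpmPin'), (New-Protector 'RecoveryPassword')) }

foreach ($v in $dataOnly, $tpmOnly, $tpmPin) {
    Test-HibernateExposure -OsVolume $v -HibernateEnabled $true
}

# Live use from an elevated prompt:
# $power = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
# Test-HibernateExposure -OsVolume (Get-BitLockerVolume -MountPoint $env:SystemDrive) `
#     -HibernateEnabled ($power.HibernateEnabled -eq 1)
```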

3 Comments

  1. Hi there Roger! I saw your comment on my blogpost about the
    FDE demo at #passwords10, and I’ve commented on your comment as
    well. :-) Simple version: as Passware also demonstrated the
    Firewire attack, I will keep my recommendation on not ever doing
    hibernation. Based on configuration of course, there’s a chance
    configuration allows for direct loading of hibernation file into
    memory without some kind of “PBA”, just bringing you to a standard
    logon to your OS. In such cases I’m afraid an attacker may insert a
    Firewire PCMCIA card into the laptop, I’m afraid it will be
    configured automatically, and then the attacker can conduct the
    Firewire attack in order to obtain the decryption keys from live
    memory. Seriously paranoid here of course, but to me it’s more
    about principles than real-life risk analysis (at least for
    #passwords10 discussions etc.) Best regards, Per Thorsheim
    securitynirvana.blogspot.com

  2. It’s always amazing that the simple things always seem to be forgotten. For the package I use the one vulnerability used to be “both versions … store the password in clear text in the memory of the process”. At least when you exit the software this went away.
