NTFS Pagefile encryption

  • Question

  • Hello,

    I'm wondering if anyone has found any documentation on how this is actually implemented? The only information I can really find is already in the GPO description:

    "Encrypting the page file prevents malicious users from reading data that has been paged to disk, but also adds processing overhead for filesystem operations.  Enabling this setting will cause the page files to be encrypted."

    However, I can't find any MS articles on how this is actually implemented (what keys does it use, where does it store them, what level of encryption, etc). Other websites only discuss how to enable it, but I can't find any details.

    Thanks!

    Tuesday, April 2, 2013 10:09 PM

All replies


  • From what I was able to gather, it's using NTFS encryption but a
    separate key which is only kept in RAM and is therefore discarded when
    the system shuts down.

    Wednesday, April 3, 2013 6:14 AM
  • Thanks Dave, that's what I figured as well, but I can't find anything documented. Unfortunately I can't present a solution based on no technical documentation.
    Wednesday, April 3, 2013 5:24 PM
  •

    The pagefile is encrypted with EFS: http://technet.microsoft.com/en-us/library/cc749610(v=WS.10).aspx

    What's new for EFS in Windows 7:

    http://technet.microsoft.com/en-us/library/dd630631(v=WS.10).aspx

    EFS documentation for Windows 7

    http://technet.microsoft.com/en-us/library/cc721923(v=WS.10).aspx


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.


    • Edited by Ty Glander Wednesday, April 3, 2013 7:55 PM
    Wednesday, April 3, 2013 7:55 PM
  • Thanks Ty.

    None of those articles go into detail about how it works. For example, what keys are used to encrypt the page file? Is the entire page file encrypted or just user specific data? I can't find any details at all about how this piece of technology actually works.

    Wednesday, April 3, 2013 8:12 PM
  • I think you can control the EFS encryption stuff around it to decide what is going on:

    http://technet.microsoft.com/en-us/library/bb629455.aspx

    The above link is one of the offshoots of the stuff I provided earlier. I know it doesn't directly say what encrypting the pagefile does, however that being said it does talk about what can be configured for EFS encryption which would apply to the pagefile if encrypted. Hopefully someone more experienced in this area will jump in.

    Wednesday, April 3, 2013 8:49 PM
  • Thanks, that provided another piece of the puzzle. This is the most useful piece of information I've seen so far:
    "You can encrypt the Windows paging file using EFS with a key that is generated when the system starts up. This key is destroyed when the system shuts down."
    Based on this one line, I'm thinking it is a different key every time you start the computer? That would be very nice...
    I am hoping someone from MS will chime in with some technical details that don't seem to be available to the public.

    Wednesday, April 3, 2013 8:58 PM
  • >Based on this one line, I'm thinking it is a different key every time you start the computer? That would be very nice...

    Yes. If the key isn't preserved, that's the only possible way it could
    be implemented. It also saves you from having to wipe the pagefile,
    which is a nice bonus.

    However, if security is a concern, wouldn't Bitlocker generally be a
    better approach?

    (Oh and thanks to everyone that dug out a cite, I knew I'd seen it
    before but couldn't find anything in 5 minutes of looking)

    Wednesday, April 3, 2013 9:33 PM
  • Bitlocker adds to the overall security of the system, but for desktops, we likely are not going to use a password/PIN for startup, and therefore it isn't all that secure if someone steals the entire desktop (i.e. Bitunlocker). We can adequately secure personal files with EFS, but the pagefile is of course a concern. We currently wipe it on shutdown and I'd like to eliminate that requirement. Based on the very limited amount of information that seems to be available it is looking promising, but I still don't have enough information to make the pitch.

    Wednesday, April 3, 2013 10:13 PM
  • Network Unlock looks like a good candidate to avoid having users enter
    PINs on startup, while also preventing attacks that include stealing the
    entire computer.

    Admittedly this is more complicated to deploy than EFS, but it's also a
    heck of a lot better protection against offline attacks (something EFS
    is moderately vulnerable against, since malware can be put into place
    while the primary OS is offline).

    Thursday, April 4, 2013 4:54 AM
  • That looks very interesting! It looks like it is just for Windows 8 though, and we're working with 7.

    Thursday, April 4, 2013 4:19 PM
  • So someone changed this to a "discussion" and it isn't, it is still an open, unanswered question. I'm still looking for MS documentation on how this works, or someone from MS to confirm that it is a new key on every startup, the key is only stored in memory, to provide details like encryption and key strength, algorithms, etc.

    Thanks.

    Monday, April 8, 2013 9:47 PM
  • Hi,


    I'm trying to involve someone familiar with this topic to further look at this issue. There might be some time delay.


    Thanks.


    Vincent Wang
    TechNet Community Support

    Wednesday, April 10, 2013 2:18 AM
    Moderator
  • Thanks Vincent.

    Wednesday, April 10, 2013 12:17 PM
  • Hi,

    If we enable this policy, the page file will be encrypted following EFS policy.

    When users log on to the computer in the domain, the system will generate a user master key hashed from the user's password. If the user tries to encrypt a file with EFS, EFS will hash the user master key to generate a file encryption key (FEK) and use it to encrypt the content of the file. When we use EFS, the system will check the user's personal store to see if there is a user certificate which can be used for EFS. If the certificate is not available, EFS will try to contact a CA to request a user certificate; if the CA does not exist, EFS will generate a certificate by itself and use the public key of the certificate to encrypt the FEK. As the default EFS recovery agent is the administrator in the domain, the system will also use the public key of the default EFS recovery agent certificate to encrypt the FEK. Therefore, both the user who encrypts the file and the recovery agent can use the private key of their certificates to decrypt the FEK and use the FEK to decrypt the file content. More information:

    Add a recovery agent for a domain: http://technet.microsoft.com/en-us/library/cc778448(WS.10).aspx
    Using Encrypting File System: http://technet.microsoft.com/en-us/library/bb457116.aspx

    There may be no deeper information. Thanks.


    Thursday, April 11, 2013 11:19 AM
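    The key hierarchy the reply describes, as an added example that is not code from the thread or from Microsoft: the file content is encrypted under a random per-file FEK, and a wrapped copy of that FEK is stored for each key holder (the user and the recovery agent), so either private key alone recovers the file. AES-256-GCM and RSA-OAEP are stand-ins here, since the page does not name EFS's actual algorithms or key sizes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// EncryptedFile mirrors the EFS layout described in the reply: content is
// encrypted once with a random per-file FEK, and the FEK is stored wrapped
// under each holder's public key (the user's and the recovery agent's).
type EncryptedFile struct {
	Nonce, Ciphertext []byte
	WrappedFEK        map[string][]byte // holder name -> FEK wrapped to that holder
}

// Encrypt draws a fresh FEK and nonce, seals data with AES-256-GCM (a stand-in;
// the page does not name EFS's cipher), then RSA-OAEP-wraps the FEK per holder.
func Encrypt(data []byte, holders map[string]*rsa.PublicKey) (*EncryptedFile, error) {
	buf := make([]byte, 32+12)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fek, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(fek) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	ef := &EncryptedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, data, nil)}
	ef.WrappedFEK = make(map[string][]byte, len(holders))
	for name, pub := range holders {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, []byte(name))
		if err != nil {
			return nil, err
		}
		ef.WrappedFEK[name] = w
	}
	return ef, nil
}

// Decrypt unwraps the FEK with one holder's private key and opens the content;
// a holder with no entry, or the wrong key, gets an OAEP error rather than data.
func Decrypt(ef *EncryptedFile, name string, priv *rsa.PrivateKey) ([]byte, error) {
	fek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ef.WrappedFEK[name], []byte(name))
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(fek)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}
```

    Generate two RSA keys, encrypt under both public keys, and each private key recovers the plaintext while a third key fails; that is the property that lets the recovery agent open files it never encrypted.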
  • Thanks for the response Aaron.


    I understand EFS quite well for end user file encryption. Based on what you're saying, the end user's EFS encrypts the page file, but to me that isn't logical. How could an end user encrypt a system wide page file? The master key isn't unlocked until the user logs on. Maybe I'm not understanding how the system pages? Does the system only start paging once the user is logged on? Are only the user's pages encrypted (seems illogical to me)?

    Thursday, April 11, 2013 4:22 PM
  • Hi,

    The page file encryption is similar to the user EFS encryption. The difference is that the key to encrypt the Windows paging file is generated when the system starts up (not user logon). This key is destroyed when the system shuts down.

    Thanks.


    Monday, April 22, 2013 6:45 AM
  • I opened a case with MS on this, and they informed me of three things:

    1) The page file encryption is identical to user EFS but with the System account.

    2) The page file FEK is only deleted if you delete the page file on shutdown, otherwise it uses the same key each time.

    3) Uses the same encryption strength and cipher that EFS does.

    I have problems with this explanation but can't really refute them. For example, I tried opening up the mmc console as the SYSTEM account (using psexec) and found no EFS certificate. They said that this is "expected" though but couldn't explain why. They also could not point me to where the SYSTEM certificates live on the file system.

    Based on their explanation, it is fairly useless as it is susceptible to the same attack as Bitlocker. I was hoping that it would indeed be a new key at each boot, therefore making the previous page file fairly difficult to decrypt.

    Monday, April 22, 2013 3:24 PM