Hibernation Exposes Vulnerabilities With Software Encryption

Software encryption could leave your encrypted data vulnerable when your system goes into hibernation.

For those of us not fortunate enough to have their operating system loaded on an SSD, waiting for a system to boot up can be an exercise in patience. The obvious solution to combat productivity lost while waiting for your system to boot up is to keep your computer powered on at all times. However leaving your computer running full-blast, 24-hours a day would be an obscene waste of power. As a responsible alternative, Microsoft has included the Hibernate feature within their operating systems since Windows 2000.


How Hibernation Works


Hibernation allows you to power down a computer in a saved state. When hibernation is activated, your system takes a snapshot of your current session, saves it in a “hiberfil.sys” file on your hard drive and then powers down completely. When the computer is awakened, it reads the “hiberfil.sys” file and then starts up in the same state it was in prior to entering hibernation. The whole process takes a fraction of the time that it typically takes a computer to cold boot.

Hibernation is very similar to the Windows’ Sleep function. The main difference is that while in sleep mode, the saved state information is stored in RAM and not written to a file on the hard drive. This means that the computer can power down all system hardware except for the RAM. Since RAM is volatile memory, it loses all data when power is lost which makes it a less reliable power saving option. This means that there is the persistent threat of data loss, especially with unplugged laptops where power loss from a depleted battery is inevitable.


Why Hibernation With Software Encryption Is Vulnerable


Although convenient and reliable, a hibernating operating system can be exposed to some serious security flaws, especially if you are using software encryption applications like Bitlocker or TrueCrypt to secure private data stored on your local hard drive.

As stated previously, prior to entering hibernation mode the computer’s saved state information is written to a “hiberfil.sys” file and stored on your hard drive’s root directory. This “hiberfil.sys” file is basically a snapshot of your system’s RAM. If your encryption software is running when your system is put into Hibernation your encrypted data could be at risk.

From the article “Windows Hibernation and hiberfil.sys” published on the Anti-Forensics website,

The Windows hiberfil.sys can also be an issue when using encryption software… …If a Windows system is placed into hibernation mode without unmounting encrypted containers or volumes then the encryption keys used to access these containers could be left in RAM in plain-text. RAM will then be saved to the hard drive in the hiberfil.sys. This means that you will be leaving the keys (passwords) to all of your private containers and volumes free for the finding.

So if your encrypted volume was left mounted when you put your computer into hibernation mode, the entire contents of your encrypted partition could be exposed if your hard drive is compromised and the attacker is able to extract the encryption keys from the “hiberfil.sys” file.


What Are The Alternatives?


Although unmounting your encrypted volumes prior to putting your computer into hibernation should prevent your encryption keys from being discovered, this is far from a fail-safe solution. So what alternatives do you have when it comes to encrypting your sensitive data? There’s always the option of disabling hibernation altogether, but then you are back to waiting several minutes for your system to boot up. Sleep mode may be a practical solution for desktop users, but laptop users will have to worry about the risk of losing unsaved data if battery power runs out.

The most convenient solution would be instead of using software encryption programs, to use hardware encrypted storage devices like Kanguru’s line of Defender secure flash drives and secure hard drives to encrypt your sensitive data. While software encryption programs leverage your computer’s hardware to carry out encryption operations, encryption on Kanguru’s security devices employ 256-bit AES encryption which is 100% contained within the devices themselves. Encryption keys are never stored in local RAM so there is no risk of them being recovered and you can rest easy when it comes time to put your computer into hibernation.


Written by Ken Lee

Contributing writer for Kanguru Solutions