Encrypt Your Windows Pagefile To Improve Security - gHacks Tech News

Encrypt Your Windows Pagefile To Improve Security

There is nothing better than encrypting the system partition and all other partitions if you want to protect your files from unauthorized access. There are still ways around this but they require specialized equipment and access to the PC.

The main reason why this is the best option in regards to security and privacy is that it protects all files on all drives when the computer is not turned on.

Regular users on the other hand may be better off encrypting only their important documents and files, and other areas of the operating system that may reveal information about those files.

One of those is the Windows Pagefile, which is basically a hard drive cache for files. The file is used by Windows even if your computer has enough memory available. It is possible to delete the Pagefile on exit, but that does not guarantee that the information it contains cannot be recovered.

Data that is deleted is not really removed from the hard drive it is stored on. The only thing that is happening is that references to the file are removed and that its storage space is available again for writes. This means that it takes time before the data is completely gone and not recoverable anymore.

The only possible solution next to encrypting the system partition? Encrypting the page file. This can be done with the Windows program fsutil that is installed with the operating system.

Encrypt the Pagefile

Please note that the pagefile can only be encrypted if the containing hard drive uses the NTFS file system. The majority of Windows Vista and Windows 7 PCs should use NTFS file systems.

Update: This works in newer versions of Windows as well.

You need to open an elevated command prompt by clicking on the start orb, then All Programs > Accessories. Locate Command Prompt in the listing, right-click the program and select Run as administrator from the context menu. This is the way in Windows 7, it may be slightly different if you use a different version of Windows.

Update: The general way is to press the Windows-key, type cmd.exe, right-click the result and select run as administrator from the context menu.

Issue the following command to encrypt the pagefile in Windows:

fsutil behavior set EncryptPagingFile 1

encrypt pagefile

You need to restart the PC before the change takes effect.

Check the Pagefile for encryption

You can also check if the pagefile is encrypted. For that issue the following command.

fsutil behavior query EncryptPagingFile

encrypt windows pagefile

A return value of 1 indicates that the pagefile is encrypted, 0 would indicate that it is not encrypted.

Remove Pagefile encryption

You can also remove the encryption of a pagefile again. This is done with the command

fsutil behavior set EncryptPagingFile 0

The pagefile is encrypted with the Encrypting File System (EFS) which provides the file encryption technology on NTFS volumes.

Summary
Encrypt Your Windows Pagefile To Improve Security
Article Name
Encrypt Your Windows Pagefile To Improve Security
Description
The guide walks you through the steps of encrypting the Windows Pagefile to improve security and privacy of the system and its users.
Author




  • We need your help

    Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

    We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.

    If you like our content, and would like to help, please consider making a contribution:

    Comments

    1. Rick said on April 4, 2011 at 10:55 pm
      Reply

      A question Martin…

      What is your experience with performance when the pagefile is encrypted?

      1. Martin Brinkmann said on April 4, 2011 at 11:22 pm
        Reply

        Rick I’d say most users won’t notice a difference.

        1. Rick said on April 5, 2011 at 12:15 am
          Reply

          Thanks for the info.

          Most of our users have got SSD drives now and we have the pagefile disabled so this won’t be applicable. I know I know – before anyone starts with the back and forth on this, I should also say that all systems have 16G of RAM and they rip just fine.

          I have noticed the encryption option before and maybe it’s something to revisit.

    2. dangerboy said on April 5, 2011 at 7:55 am
      Reply

      Good tip but how can anyone see what is in the pagefile anyway ?

      1. Martin Brinkmann said on April 5, 2011 at 7:59 am
        Reply

        You need forensic tools for that, to analyze the contents.

    3. Dan said on April 5, 2011 at 9:40 am
      Reply

      Is there a noticeable performance hit by encrypting the pagefile?

      1. Martin Brinkmann said on April 5, 2011 at 10:07 am
        Reply

        No.

    4. sulasno said on May 2, 2011 at 12:06 pm
      Reply

      does it work for WinXP?

      the response after the command is;

      Usage : fsutil behavior set
      disable8dot 3 1: 0
      allowextchar 1: 0
      disablelastaccess 1 : 0
      quotanotify 1 through 4294967295 seconds
      nftzone i through 4

      1. Martin Brinkmann said on May 2, 2011 at 1:45 pm
        Reply

        Encryption does not seem to be available as a parameter under Windows XP.

        1. distant said on June 4, 2011 at 9:57 pm
          Reply

          so should we just right click the pagefile.sys on winxp and set to encrypt just like that (the hiberfil.sys as well BTW) or would that create some kind of unbelievable risk/problem for the system?

    5. Dietmar Steinpichler said on February 1, 2012 at 9:33 am
      Reply

      Martin,
      many thanks, well explained – but after re-boot on Vista with NTFS fsutil behavior query EncryptPagingFile shows 0 again.
      NtfsEncryptPagingFile in registry is also back to 0.
      Any idea, who resets taht?
      Thanks,
      dietmar

    6. Dan said on July 1, 2012 at 4:12 pm
      Reply

      If the page file is disabled, then I take it you won’t really need to bother with this?

      1. Martin Brinkmann said on July 1, 2012 at 4:15 pm
        Reply

        That is right, Dan.

    7. mangard said on August 25, 2012 at 5:59 pm
      Reply

      This article is too vague about key management of an encrypted pagefile. From the what you do on the DOS command line it looks like the operating system makes up its own key for encrypting the pagefile and has access to that key forever in order to decrypt the file for normal use. That means the key is also available to any forensic tools. So I don’t see how this protects sensitive data in the page file.

      1. DavidS said on October 29, 2012 at 11:55 am
        Reply

        mangard, the Windows Encrypting File System uses an encryption key based on your login credentials. An attacker would have to know your user name and password.

        1. tomasyk said on January 1, 2015 at 7:33 am
          Reply

          How is then possible to use pagefile even before login? That means, that encryption key must be available before user login to windows, and is not dependent on user password/login. Also what if more than one user are using one computer, but pagefile is common for all? I think it uses SYSTEM account for encryption and its encryption key is available for forensics tools directly without entering any password, so pagefile is only encrypted by key, which is easily available.

      2. nsoebcyas said on June 24, 2015 at 6:35 pm
        Reply

        “the key used to encrypt the pagefile is ephemeral and is discarded at shutdown”
        So this is a random 256 bit key used for AES, generated at boottime.

    8. torro said on November 8, 2012 at 4:33 pm
      Reply

      Can even my Windows7 Home Premium encrypt pagefile.sys this way?
      Now I know EFS is responsible for encrypting paging files, but AFAIK Home Premium version of Windows inhibits almost all user-level EFS related operations.

      Anyway I gave this tutor a try and now fsutil responds “EncryptPagingFile 1”, but Explorer shows pagefile.sys is not encrypted (property not checked and grayed out). I have no way of confirming if it’s encrypted properly…

    9. Matt said on June 7, 2016 at 9:23 pm
      Reply

      I’m interested to know what are the pros and cons of encrypting the pagefile vs clearing it on shutdown? It seems to me that encrypting it makes more sense. Also, is there any reason to both encrypt the pagefile and also clear it on shutdown?

    10. Ram said on January 3, 2017 at 4:39 am
      Reply

      If pagefile is cleared when the file is not encrypted then clearing is not _the_ solution.

      Also encrypting pagefile has very little effect on performance – u won’t ever notice it.

      I wonder if pagefile encryption has improved in W10? Or encryption in general?

      W8/W10 in addition to pagefile has a swafile.sys on C:, is this encrypted as well?

      Through leaks it’s discovered Microsoft has left many backdoors open for government level espionage.

      So while you might use OS based encryptions, one perhaps should use such as Veracrypt for encryption that is actual and factual – in your hands.

      1. Dan said on January 3, 2017 at 7:40 am
        Reply

        “Through leaks it’s discovered Microsoft has left many backdoors open for government level espionage.”

        Do say more. I’d like to know about these specific “backdoors” for “government level espionage”. I hope it’s something other than Dual_EC_DRBG, which is very old hat.

    Leave a Reply