Encrypt Your Windows Pagefile To Improve Security
There is nothing better than encrypting the system partition and all other partitions if you want to protect your files from unauthorized access. There are still ways around this but they require specialized equipment and access to the PC.
The main reason why this is the best option in regards to security and privacy is that it protects all files on all drives when the computer is not turned on.
Regular users on the other hand may be better off encrypting only their important documents and files, and other areas of the operating system that may reveal information about those files.
One of those is the Windows Pagefile, a file on the hard drive that Windows uses as virtual memory, so that data from open files and running programs can end up in it. Windows uses the file even if your computer has enough memory available. It is possible to delete the Pagefile on exit, but that does not guarantee that the information it contained cannot be recovered.
Data that is deleted is not really removed from the hard drive it is stored on. All that happens is that the references to the file are removed and its storage space is made available again for new writes. It therefore takes time, and further writes to that space, before the data is completely gone and can no longer be recovered.
The only possible solution next to encrypting the system partition? Encrypting the page file. This can be done with the Windows program fsutil that is installed with the operating system.
Encrypt the Pagefile
Please note that the pagefile can only be encrypted if the containing hard drive uses the NTFS file system. The majority of Windows Vista and Windows 7 PCs should use NTFS file systems.
Update: This works in newer versions of Windows as well.
You need to open an elevated command prompt by clicking on the start orb, then All Programs > Accessories. Locate Command Prompt in the listing, right-click the program and select Run as administrator from the context menu. This is the way in Windows 7, it may be slightly different if you use a different version of Windows.
Update: The general way is to press the Windows-key, type cmd.exe, right-click the result and select run as administrator from the context menu.
Issue the following command to encrypt the pagefile in Windows:
fsutil behavior set EncryptPagingFile 1
You need to restart the PC before the change takes effect.
Check the Pagefile for encryption
You can also check if the pagefile is encrypted. For that, issue the following command:
fsutil behavior query EncryptPagingFile
A return value of 1 indicates that the pagefile is encrypted, 0 would indicate that it is not encrypted.
Remove Pagefile encryption
You can also remove the encryption of a pagefile again. This is done with the command:
fsutil behavior set EncryptPagingFile 0
The pagefile is encrypted with the Encrypting File System (EFS) which provides the file encryption technology on NTFS volumes.
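The three fsutil commands above, plus the NTFS and reboot requirements, wrapped into a small PowerShell audit-and-toggle script. This is an added example, not code from the original article: it assumes the registry value NtfsEncryptPagingFile under HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem (the value a commenter below refers to), that the pagefile sits on the system drive, and that fsutil prints its answer in the form "EncryptPagingFile = 1".

```powershell
# Added example (not from the original article): audit and toggle the
# EncryptPagingFile behavior with the checks the article describes
# (NTFS volume, elevated prompt, reboot required).
# Assumptions: NtfsEncryptPagingFile lives under the FileSystem key below,
# and the pagefile is on the system drive.

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-PagefileEncryptionState {
    # fsutil answers e.g. "EncryptPagingFile = 1"; keep the trailing digit.
    $raw = (& fsutil behavior query EncryptPagingFile 2>&1 | Out-String).Trim()
    $fsutilValue = if ($raw -match '(\d)\s*$') { [int]$Matches[1] } else { $null }

    # Registry view of the same setting (assumed location, see lead-in).
    $regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
    $regValue = (Get-ItemProperty -Path $regPath -Name NtfsEncryptPagingFile `
                 -ErrorAction SilentlyContinue).NtfsEncryptPagingFile

    # EFS only works on NTFS, so report the system drive's file system.
    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"

    [PSCustomObject]@{
        FsutilValue   = $fsutilValue        # 1 = encrypted, 0 = not encrypted
        RegistryValue = $regValue
        SystemDriveFS = $disk.FileSystem
        NtfsPresent   = ($disk.FileSystem -eq 'NTFS')
    }
}

function Set-PagefileEncryption {
    param([switch]$Disable)   # -Disable reverts to EncryptPagingFile 0

    if (-not (Test-IsElevated)) {
        throw 'Run this from an elevated PowerShell prompt (Run as administrator).'
    }
    $state = Get-PagefileEncryptionState
    if (-not $state.NtfsPresent) {
        throw "System drive is $($state.SystemDriveFS); pagefile encryption requires NTFS."
    }

    $flag = if ($Disable) { 0 } else { 1 }
    & fsutil behavior set EncryptPagingFile $flag
    if ($LASTEXITCODE -ne 0) { throw "fsutil failed with exit code $LASTEXITCODE" }

    Write-Host "EncryptPagingFile set to $flag. Reboot for the change to take effect,"
    Write-Host "then run Get-PagefileEncryptionState again to confirm it stuck."
}

# Usage:
#   Get-PagefileEncryptionState      # audit the current state
#   Set-PagefileEncryption           # enable (reboot required)
#   Set-PagefileEncryption -Disable  # revert
```

Running Get-PagefileEncryptionState both before and after the reboot is the useful part: the fsutil value and the registry value should agree, and comparing them after a restart is how you would notice a setting that did not persist.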
A question Martin…
What is your experience with performance when the pagefile is encrypted?
Rick I’d say most users won’t notice a difference.
Thanks for the info.
Most of our users have got SSD drives now and we have the pagefile disabled so this won’t be applicable. I know I know – before anyone starts with the back and forth on this, I should also say that all systems have 16G of RAM and they rip just fine.
I have noticed the encryption option before and maybe it’s something to revisit.
Good tip but how can anyone see what is in the pagefile anyway ?
You need forensic tools for that, to analyze the contents.
Is there a noticeable performance hit by encrypting the pagefile?
does it work for WinXP?
the response after the command is;
Usage : fsutil behavior set
disable8dot3 1: 0
allowextchar 1: 0
disablelastaccess 1 : 0
quotanotify 1 through 4294967295 seconds
mftzone 1 through 4
Encryption does not seem to be available as a parameter under Windows XP.
so should we just right click the pagefile.sys on winxp and set to encrypt just like that (the hiberfil.sys as well BTW) or would that create some kind of unbelievable risk/problem for the system?
many thanks, well explained – but after re-boot on Vista with NTFS fsutil behavior query EncryptPagingFile shows 0 again.
NtfsEncryptPagingFile in registry is also back to 0.
Any idea who resets that?
If the page file is disabled, then I take it you won’t really need to bother with this?
That is right, Dan.
This article is too vague about key management of an encrypted pagefile. From the what you do on the DOS command line it looks like the operating system makes up its own key for encrypting the pagefile and has access to that key forever in order to decrypt the file for normal use. That means the key is also available to any forensic tools. So I don’t see how this protects sensitive data in the page file.
mangard, the Windows Encrypting File System uses an encryption key based on your login credentials. An attacker would have to know your user name and password.
How is it then possible to use the pagefile even before login? That means the encryption key must be available before the user logs in to Windows, and is not dependent on the user password/login. Also, what if more than one user is using one computer, but the pagefile is common for all? I think it uses the SYSTEM account for encryption and its encryption key is available to forensics tools directly without entering any password, so the pagefile is only encrypted by a key which is easily available.
“the key used to encrypt the pagefile is ephemeral and is discarded at shutdown”
So this is a random 256 bit key used for AES, generated at boottime.
Can even my Windows7 Home Premium encrypt pagefile.sys this way?
Now I know EFS is responsible for encrypting paging files, but AFAIK Home Premium version of Windows inhibits almost all user-level EFS related operations.
Anyway I gave this tutor a try and now fsutil responds “EncryptPagingFile 1”, but Explorer shows pagefile.sys is not encrypted (property not checked and grayed out). I have no way of confirming if it’s encrypted properly…
I’m interested to know what are the pros and cons of encrypting the pagefile vs clearing it on shutdown? It seems to me that encrypting it makes more sense. Also, is there any reason to both encrypt the pagefile and also clear it on shutdown?
If pagefile is cleared when the file is not encrypted then clearing is not _the_ solution.
Also, encrypting the pagefile has very little effect on performance – you won’t ever notice it.
I wonder if pagefile encryption has improved in W10? Or encryption in general?
W8/W10, in addition to the pagefile, has a swapfile.sys on C:; is this encrypted as well?
Through leaks it’s discovered Microsoft has left many backdoors open for government level espionage.
So while you might use OS based encryptions, one perhaps should use such as Veracrypt for encryption that is actual and factual – in your hands.
“Through leaks it’s discovered Microsoft has left many backdoors open for government level espionage.”
Do say more. I’d like to know about these specific “backdoors” for “government level espionage”. I hope it’s something other than Dual_EC_DRBG, which is very old hat.