S 4.325 Deletion of swap files

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: User, Administrator

Modern operating systems support virtual memory. In order to provide users with more (virtual) main memory than is physically installed in the computer, the parts of memory that are not currently in use are moved out to the hard disk (i.e. to the swap area).

Some of the information a user worked with on the computer will remain in the swap file. This can include sensitive data such as passwords or cryptographic keys. Swap files are not deleted automatically when a user logs out of the system or when the system is shut down. For this reason, an attacker could read confidential data from a swap file.

To prevent swap files from being read, the swap area should either be deactivated (temporarily or permanently) or securely deleted every time before the computer is shut down.

Recent Windows operating systems can be configured so that the swap file is overwritten when the computer boots or shuts down. The swap file (Windows paging file, pagefile.sys) and the file holding the hibernation state (hiberfil.sys) are overwritten with zeros at shutdown if the security option "Shutdown: Clear virtual memory pagefile" is enabled. Overwriting the swap file can take a long time, however, depending on its size. In spite of this, the option should be enabled on clients, and especially on laptops. For servers with very large swap files and normal protection requirements, it should be examined whether enabling this option is necessary. For higher protection requirements, the swap file should always be deleted automatically. In Windows Vista and later versions, the swap file can also be encrypted using EFS when the system boots. This is significantly more efficient and is recommended in all cases in which the swap file is not already encrypted because a full hard disk encryption product such as BitLocker Drive Encryption is in use.
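The following PowerShell audit script is an added example and not part of the BSI safeguard text. It reads the registry value behind "Shutdown: Clear virtual memory pagefile", queries the EFS paging-file setting via fsutil, and reports the BitLocker status of the system drive where the BitLocker module is available; the function names are constructed for this example.

```powershell
# Added example (not from the catalogue): audits the Windows settings this safeguard names.
# Run in an elevated PowerShell session; function names are constructed for this example.
$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-SwapFileProtection {
    # ClearPageFileAtShutdown = 1 is the registry value behind the security option
    # "Shutdown: Clear virtual memory pagefile" (pagefile.sys and hiberfil.sys are zeroed).
    $clear = (Get-ItemProperty -Path $MemMgmtKey -ErrorAction SilentlyContinue).ClearPageFileAtShutdown

    # fsutil reports "EncryptPagingFile = 1" when EFS encryption of the paging file is on (Vista and later).
    $efs = (& fsutil behavior query EncryptPagingFile 2>$null) -match '=\s*1'

    # BitLocker state of the system volume, if the BitLocker module is present on this host.
    $bitlocker = 'Unknown'
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
        if ($vol) { $bitlocker = $vol.ProtectionStatus }   # 'On' or 'Off'
    }

    [pscustomobject]@{
        ClearPageFileAtShutdown = ($clear -eq 1)
        PagefileEncryptedByEFS  = [bool]$efs
        SystemDriveBitLocker    = $bitlocker
        # Any one of the three measures covers the risk described in this safeguard.
        PagefileProtected       = ($clear -eq 1) -or [bool]$efs -or ($bitlocker -eq 'On')
    }
}

function Enable-PagefileClearing {
    # Remediation for clients: enable clearing at shutdown. Takes effect at the next shutdown
    # and lengthens shutdown time in proportion to the size of the paging file.
    Set-ItemProperty -Path $MemMgmtKey -Name ClearPageFileAtShutdown -Value 1 -Type DWord
}

Get-SwapFileProtection
```

On a host where BitLocker already protects the system drive, `PagefileProtected` is true without clearing, which matches the text's advice to prefer full disk encryption.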

For higher protection requirements, additional safeguards should be implemented to prevent the swap files from being read. Such safeguards could include tools that securely delete the swap area every time before the system is shut down. Cryptographic file systems avoid the problem completely: the entire contents of the hard disk, including the swap file, are encrypted, so the swap file can no longer be read from the disk.

Disabling or deleting the swap area is a feasible ad hoc solution, but over the long term it is not an alternative to full encryption. Full encryption of the hard disks is the better solution for higher protection requirements.

On Unix systems, swap space is held in a dedicated swap partition, which can be encrypted if desired. Before encrypting the swap partition, it should be checked that the computer provides enough computing power for the encryption. A secure way to prevent the swap area from being analysed is to encrypt the entire data medium, so this method is recommended wherever possible.

Review questions: