This project has moved and is read-only. For the latest updates, please go here.

If my drive is mounted can an attacker retrieve my password?

Topics: Technical Issues, Users Discussion
Nov 10, 2016 at 7:52 AM
Edited Nov 10, 2016 at 7:53 AM
If I use full disk encryption and an attacker stole my computer after the drive had been mounted, would they be able to see the password that was used to mount the drive?

I know they already have access to all the data on the mounted disk but can they also see the password if the drive is in it's unencrypted state?
Nov 10, 2016 at 10:29 AM
Edited Nov 10, 2016 at 10:30 AM
They won't need the password. This is how law enforcement actually does it: Special ops will kick your doors out and scream loud to scare the sh*t out of you. Before you realize what is happening, they have your mounted computer. They don't need the password, because they can retrieve the hash stored in memory. The hash is protected by your password, but all data are encrypted with the hash. I don't know if "hash" is correct term, but the reason behind this is you don't have to re-encrypt all the data when you just want to change the password. Also if the computer is mounted, they won't need the hash nor the password, they can copy what they need ;-) When they turn it off they either screwed up, or they have already retrieved your password during the surveillance. You can bet they will be coming well prepared.
Nov 11, 2016 at 5:55 AM
I asked a very specific question and I don't think you answered me with your Jason Bourne scenario.

I want to know if they can see the password if the drive is mounted. This question is especially important for people who have encrypted more than one drive with the same password. If one drive is unencypted/mounted will they be able to see the password and therefore decrypt other drives which used the same password for encryption?
Nov 11, 2016 at 7:36 AM
Edited Nov 11, 2016 at 7:37 AM
noonenoone wrote:
I want to know if they can see the password if the drive is mounted.
I can imagine sort of rainbow table attack on weak passwords (from a dictionary). If you have used a good pasword, then I don't think that anyone can reverse compute the password even with access to the memory (unless there is some flaw which could make this possible, like if veracrypt won't overwrite password entered to the dialog prior releasing the memory, but I'm pretty sure it overwrites that).
Nov 15, 2016 at 10:28 PM
They wont see your password but they can still get your 'master keys' that are stored in ram. More info
Nov 15, 2016 at 11:51 PM
If your drive is already mounted, they won't need your password! No, they can't see your password, but that's not relevant. They don't need it.