FreeOTFE
Free disk encryption software for PCs and PDAs
(PDA version of WWW site)


Technical Details: Registry Entries

The PC version of FreeOTFE doesn't create any registry entries for itself unless the user chooses to associate ".vol" files with the application, in which case only those registry entries which are required to associate the FreeOTFE executable with the filename extension are created. All user options and settings are stored in a ".ini" file located in the FreeOTFE directory.

In addition to this, MS Windows does create a registry entry for each FreeOTFE driver used. This is inevitable; all OTFE systems running under MS Windows are required to do this in order to function correctly.

The following details the registry entries that are typically created by MS Windows:

Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<driver name>

These keys may have the following values under them:

Value         Type   Meaning
ErrorControl  DWORD  0x00000001 - Normal error handling
Start         DWORD  0x00000001 - Driver started at system
                     0x00000003 - Driver started manually
Type          DWORD  0x00000001
Portable      DWORD  This value is optional, but set to 0x00000001 if present.
                     This value flags that the relevant driver was installed in "portable mode", and should be removed

The PDA version operates in a similar manner, though no registry entries are created automatically by the OS for the drivers used. Instead, FreeOTFE4PDA is required to create a sequence of registry entries when a volume is mounted. These registry entries are deleted once the volume is dismounted.


Portable Mode Impact

This section applies to the PC version of FreeOTFE only

Although no files are copied to your computer's hard drive when using portable mode, because of the manner in which MS Windows manages device drivers, Windows still writes certain details about the portable mode drivers to the registry. Specifically, it records the full path and filename of the drivers used, together with the other basic information on the drivers detailed above.

When portable mode is stopped, most of this information is deleted by Windows automatically. However:

  1. Because of the way in which the registry stores data, an attacker may be able to recover that information which has been deleted (this is analogous to deleting a file on your filesystem; although its directory entry may have been marked as "deleted", the data may still be recoverable)
  2. When Windows deletes its registry entries, it doesn't delete all of them (e.g. HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_...)

It is not possible to securely delete the relevant registry entries without "going behind Windows' back" - not exactly recommended when working with kernel mode device drivers!

It should be noted that this applies equally to all disk encryption systems that support any kind of "portable mode".
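To see for yourself what a system still records after portable mode has been stopped, the following audit script lists the driver service keys described above (including any "Portable" value) and the Enum\Root\LEGACY_* keys that Windows leaves behind. This is an added example, not part of FreeOTFE's own documentation or code; it assumes the driver service names begin with "FreeOTFE" (a placeholder pattern) and must be run from an elevated PowerShell prompt.

```powershell
# Added example (not FreeOTFE's own code): audit which FreeOTFE driver service
# entries and LEGACY_* enumeration keys remain in the live registry.
# Assumption: driver service names start with "FreeOTFE" (placeholder pattern).

$servicesPath = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$legacyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
$namePattern  = 'FreeOTFE*'   # assumption: match drivers by name prefix

function Get-DriverServiceEntries {
    param([string]$Pattern)
    # Each driver Windows has loaded gets a Services\<driver name> key with the
    # values described in the table above; ImagePath records the full path.
    Get-ChildItem -Path $servicesPath -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like $Pattern } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Driver       = $_.PSChildName
                ImagePath    = $p.ImagePath       # full path and filename written by Windows
                Start        = $p.Start           # 1 = started at system start, 3 = manual
                ErrorControl = $p.ErrorControl
                Type         = $p.Type
                Portable     = $p.Portable        # present (1) only for portable-mode installs
            }
        }
}

function Get-LegacyEnumEntries {
    param([string]$Pattern)
    # Windows keeps Enum\Root\LEGACY_<DRIVER> keys even after the service key
    # has been deleted, so these usually survive the end of portable mode.
    Get-ChildItem -Path $legacyPath -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like ('LEGACY_' + $Pattern) } |
        Select-Object -ExpandProperty PSChildName
}

$services = Get-DriverServiceEntries -Pattern $namePattern
$legacy   = Get-LegacyEnumEntries   -Pattern $namePattern

'Driver service entries still present:'
$services | Format-Table -AutoSize
'LEGACY_* enumeration keys still present:'
$legacy
```

Running it once while portable mode is active and again after stopping it shows which entries Windows removes on its own and which LEGACY_* keys remain.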

Should it be a concern that an attacker may discover which FreeOTFE drivers were being used, it is suggested that you either:

  1. Change the filenames of the FreeOTFE drivers you will be using in portable mode (e.g. rename "FreeOTFECypherAES.sys" to "FreeOTFECypherTwofish.sys"). This will cause the data written to the registry to reflect this new filename, hopefully convincing an attacker that the driver used was a different one.
  2. If you only use one cypher and hash driver in portable mode, store a number (or all) of the other cypher/hash drivers with your "portable" version of FreeOTFE. Even if an attacker can determine which drivers you were using in portable mode, that attacker will not be able to determine which of the portable drivers you were actually using to encrypt/decrypt your data with.