Some storage devices (e.g., some solid-state drives, including USB flash drives) use so-called 'trim' operation to mark drive sectors as free e.g. when a file is deleted. Consequently, such sectors may contain unencrypted zeroes or other undefined data (unencrypted)
even if they are located within a part of the drive that is encrypted by VeraCrypt.
On Windows, VeraCrypt allows users to control the trim operation for both non-system and system volumes:
- For non-system volumes, trim is blocked by default. Users can enable trim through VeraCrypt's interface by navigating to "Settings -> Performance/Driver Configuration" and checking the option "Allow TRIM command for non-system SSD partition/drive."
- For system encryption, trim is enabled by default (unless a hidden operating system is running). Users can disable trim by navigating to "System -> Settings" and checking the option "Block TRIM command on system partition/drive."
Under Linux, VeraCrypt does not block the trim operation on volumes using the native Linux kernel cryptographic services, which is the default setting. To block TRIM on Linux, users should either enable the "do not use kernel cryptographic services" option in VeraCrypt's Preferences (applicable only to volumes mounted afterward) or use the
--mount-options=nokernelcrypto
switch in the command line when mounting.
Under macOS, VeraCrypt does not support the trim operation. Therefore, trim is always blocked on all volumes.
In cases where trim operations occur, the adversary will be able to tell which sectors contain free space (and may be able to use this information for
further analysis and attacks) and
plausible deniability may be negatively affected. In order to avoid these issues, users should either disable trim in VeraCrypt settings as previously described or make sure VeraCrypt volumes are not located on drives that use the trim operation.
To find out whether a device uses the trim operation, please refer to documentation supplied with the device or contact the vendor/manufacturer.