VeraCrypt

Documentation >> Security Requirements and Precautions >> Trim Operation

Trim Operation

Some storage devices (e.g., some solid-state drives, including USB flash drives) use so-called 'trim' operation to mark drive sectors as free e.g. when a file is deleted. Consequently, such sectors may contain unencrypted zeroes or other undefined data (unencrypted) even if they are located within a part of the drive that is encrypted by VeraCrypt.

On Windows, VeraCrypt allows users to control the trim operation for both non-system and system volumes: Under Linux, VeraCrypt does not block the trim operation on volumes using the native Linux kernel cryptographic services, which is the default setting. To block TRIM on Linux, users should either enable the "do not use kernel cryptographic services" option in VeraCrypt's Preferences (applicable only to volumes mounted afterward) or use the --mount-options=nokernelcrypto switch in the command line when mounting.

Under macOS, VeraCrypt does not support the trim operation. Therefore, trim is always blocked on all volumes.

In cases where trim operations occur, the adversary will be able to tell which sectors contain free space (and may be able to use this information for further analysis and attacks) and plausible deniability may be negatively affected. In order to avoid these issues, users should either disable trim in VeraCrypt settings as previously described or make sure VeraCrypt volumes are not located on drives that use the trim operation.

To find out whether a device uses the trim operation, please refer to documentation supplied with the device or contact the vendor/manufacturer.