Is my data safe if, with an encrypted hard disk, I put Windows in "sleep" mode?

For virtually all disk encryption tools, your encryption key will be stored in RAM while the computer is in use or in sleep mode. This of course presents a fairly significant vulnerability, because if someone can dump the contents of your RAM while keeping its contents intact, it is likely they can extract the key from the RAM dump using widely available commercial software such as Elcomsoft Forensic Disk Decryptor which claims to extract Truecrypt, Bitlocker, and PGP keys.

To protect yourself against this, you'll have to make it harder for an attacker to obtain a RAM dump. The easiest way to obtain a RAM dump is by using software programs that come with many forensics toolkits (which are also freely available). However, the catch is that in order to run these programs, they would first have to unlock your computer. If they can't unlock your computer to run programs, they can't launch any RAM dump utilities. For this reason, having a strong Windows lock screen password is important!

(Also, just to be realistic and state the obvious, the lock screen password is also important because if an attacker is able to guess it, they could just grab a copy of your files right then and there and not even worry about finding your encryption key. For a run-of-the-mill thief interested in obtaining your data, this would probably be the most realistic threat IMO)

A more sophisticated way is to use a cold boot attack; this takes advantage of the fact that contents of memory will remain there for some time (from a few seconds to a few hours if the RAM is cooled with a refrigerant) even after power is turned off. The attacker can then bypass Windows and boot into a RAM dump utility or physically move the RAM to a different machine for reading. This kind of attack is significantly harder to protect against.

Lastly I'd also mention that development of Truecrypt stopped a year ago for unknown reasons and it is no longer supported, so I would recommend moving to one of its forks such as Veracrypt.
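As an added illustration of the mitigation this answer points at (keeping the key out of powered RAM and requiring a password to resume), and not code posted by the answerer, the PowerShell below audits the current power scheme and, with `-Apply`, switches an unattended machine from sleep to hibernate and turns on "Require a password on wakeup". The `powercfg` aliases (`SUB_SLEEP`, `STANDBYIDLE`, `HIBERNATEIDLE`, `SUB_NONE`, `CONSOLELOCK`, `SUB_BUTTONS`, `LIDACTION`) are real; the parsing assumes English-language `powercfg` output, the `HibernateEnabled` registry read is an assumption about where Windows records `powercfg /hibernate on`, and the 15/10 minute timeouts are just chosen values.

```powershell
# Added example (not from the answer above): audit whether a Windows machine
# will only ever sleep (encryption keys stay in powered RAM) and whether waking
# requires a password; with -Apply, switch the current scheme to hibernate.
# Assumptions: elevated prompt, English powercfg output, and that
# HKLM\SYSTEM\CurrentControlSet\Control\Power\HibernateEnabled mirrors
# "powercfg /hibernate on|off".
param([switch]$Apply)

function Get-PowerSettingIndex {
    param([string]$SubGroup, [string]$Setting)
    # powercfg /query prints lines such as
    #   Current AC Power Setting Index: 0x00000384
    #   Current DC Power Setting Index: 0x00000258
    # Timeout values are in seconds; 0 means "never".
    $out = powercfg /query SCHEME_CURRENT $SubGroup $Setting | Out-String
    $ac = [regex]::Match($out, 'Current AC Power Setting Index: 0x([0-9A-Fa-f]+)')
    $dc = [regex]::Match($out, 'Current DC Power Setting Index: 0x([0-9A-Fa-f]+)')
    if (-not ($ac.Success -and $dc.Success)) {
        throw "Could not parse powercfg output for $SubGroup/$Setting"
    }
    [pscustomobject]@{
        AC = [Convert]::ToInt32($ac.Groups[1].Value, 16)
        DC = [Convert]::ToInt32($dc.Groups[1].Value, 16)
    }
}

function Get-SleepExposure {
    # STANDBYIDLE / HIBERNATEIDLE: idle timeouts before sleep / hibernate.
    # CONSOLELOCK: "Require a password on wakeup" (1 = yes).
    $standby   = Get-PowerSettingIndex SUB_SLEEP STANDBYIDLE
    $hibernate = Get-PowerSettingIndex SUB_SLEEP HIBERNATEIDLE
    $lockWake  = Get-PowerSettingIndex SUB_NONE  CONSOLELOCK
    # Assumption: this value reflects whether hibernation is enabled at all.
    $power = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        HibernateEnabled   = [bool]$power.HibernateEnabled
        SleepTimeoutAC     = $standby.AC
        SleepTimeoutDC     = $standby.DC
        HibernateTimeoutAC = $hibernate.AC
        HibernateTimeoutDC = $hibernate.DC
        PasswordOnWakeAC   = ($lockWake.AC -eq 1)
        PasswordOnWakeDC   = ($lockWake.DC -eq 1)
    }
}

function Test-SleepHardening {
    param($State = (Get-SleepExposure))
    # Returns one finding per weak setting; an empty list means hardened.
    $findings = @()
    if (-not $State.HibernateEnabled) {
        $findings += 'Hibernation is disabled: the machine can only sleep, so keys remain in RAM.'
    }
    foreach ($side in 'AC', 'DC') {
        if ($State."SleepTimeout$side" -ne 0) {
            $findings += "${side}: idle sleep is enabled ($($State."SleepTimeout$side") s); RAM stays powered with the key in it."
        }
        if ($State."HibernateTimeout$side" -eq 0) {
            $findings += "${side}: no idle hibernate timeout; an unattended machine never drops the key from RAM."
        }
        if (-not $State."PasswordOnWake$side") {
            $findings += "${side}: no password required on wake; anyone can resume the unlocked session."
        }
    }
    return $findings
}

function Set-HibernateInsteadOfSleep {
    # Enable hibernation, never sleep on idle, hibernate after 15 min (AC) /
    # 10 min (DC) idle, hibernate on lid close (LIDACTION 2 = Hibernate),
    # require a password on wake, then re-apply the active scheme.
    powercfg /hibernate on
    powercfg /change standby-timeout-ac 0
    powercfg /change standby-timeout-dc 0
    powercfg /change hibernate-timeout-ac 15
    powercfg /change hibernate-timeout-dc 10
    powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2
    powercfg /setacvalueindex SCHEME_CURRENT SUB_NONE CONSOLELOCK 1
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_NONE CONSOLELOCK 1
    powercfg /setactive SCHEME_CURRENT
}

if ($Apply) { Set-HibernateInsteadOfSleep }
$findings = Test-SleepHardening
if ($findings.Count -eq 0) {
    'OK: an unattended machine hibernates rather than sleeps and requires a password on wake.'
} else {
    $findings
}
```

Run it once without arguments to see the findings, then with `-Apply` from an elevated prompt. The point of preferring hibernate is that it powers the RAM off, so there is nothing for a RAM dump or a cold boot to recover; with the system volume fully encrypted, the hibernation file itself lands on the encrypted disk. Sleep, by contrast, keeps RAM powered precisely so the session (and the key) can be resumed.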


An attacker could perform what's known as a "cold boot" attack. Sleep mode keeps all the contents of memory active, and the key for your truecrypt volume is stored in memory. The memory contents persist longer without power when the memory is cold. All an attacker has to do is cool down the computer (say by putting it in a freezer), and reboot the machine with a specially crafted OS that can read the contents of memory and look for the key.

The sophistication of this attack only relies on the tools, which only need be written once and could then be utilized by anyone with a freezer and a USB stick. I don't know if easy-to-use tools currently exist to exploit TrueCrypt via a cold boot, but it likely wouldn't be terribly hard to write. In general, attacks like this that rely on automation only become easier with time, and filter down into lower and lower skilled attackers.


If you don't have to reenter your TrueCrypt password, then Windows still has access to the contents of the TrueCrypt volume. An attacker would only have to guess the Windows password to access your data while you are at lunch.

TrueCrypt (or any other disk encryption) will only protect the data from being copied straight from the disk itself, not access through the OS. (The common example is a stolen hard drive or a powered-down laptop.)