Use of a RAM Disk with Security Aspects

Why RAM Disk?

A RAM disk is a representation of a hard disk in Random Access Memory (RAM). Normally it is used, because it has a much better performance compared to a hard disk drive (HDD). But there are other aspects why it can be use - security. When we persist files on an HDD we must also ensure that they are securely deleted again, especially if they contain personal or secret data. It is necessary that they cannot be recovered or reconstructed. In the case of an HDD we have to overwrite the area, where the file is stored, with patterns several times. With the current generation, the Solid State Disks (SDD), possibilities and approaches are changing. These have their own logic to optimize their lifetime, secure deletion cannot be guaranteed so easily. From this point of view RAM disks seems very attractive, because when the computer is turned off, they lose their content - irrecoverable.

Why a RAM disk with RPA?

In some use cases it could be necessary to process data which are subject of the General Data Protection Regulation (GDPR). E.g. in an insurance company, which offers health care products, diagnostic data of individual persons may be processed, so that conclusions can be drawn about a person’s current state of health. This is a special category of personal data and are subject to a special protection. If this kind of data is persisted on the bot computer, in the context of RPA processing, it must be ensured that this also completely deleted again. There could be many more examples here now, e.g. from the area of financial institutions or the public sector. A RAM disk can be used for precisely these kinds of data processing, with a resulting need to finally complete delete this data at the end.

Which Decision Criteria can be used for a RAM Disk Product Selection?

General and specific criteria must be used to select a suitable product. Of course, this is a very individual process and it differs from company to company. From my perspective, two points seems particularly important:

  • Easy integration into the RPA platform, primarily via Application Programming Interface (API) or Command Line Interface (CLI).
  • Use without the need for administrative rights.

With these requirements I have examined various available RAM Disk products. Finally I was able to find an appropriate representative: SoftPerfect RAM Disk.

Why SoftPerfect RAM Disk?

  • Fully operable via Command Line Interface (CLI) via the console version ramdiskc.exe. This makes it very easy to integrate the creation and deletion of a RAM disk into an automation workflow.
  • Users, in our case the bot, without administrative privileges will be able to control the application and change its settings. Most of the RAM disks I tested require administrative rights. This means that the bot does not need administrative rights to configure and initialize the SoftPerfect RAM disk.
  • Allow to unmount RAM disks by choosing Eject in the disk’s context menu in Windows Explorer. With that Windows does not create the Recycle Bin directory by default. You can find more information about Recycle Bin here. This ensures that, if files are deleted, they cannot be recovered on the same way. Company policies must be used to ensure that these settings cannot be changed.
  • Possible to create fully isolated RAM disks in the local name space. This means it can not be shared in a network and it will not be visible to all users and all applications launched on the computer.
  • Very attractive pricing that does not overly burden scaling approaches from a cost perspective, which can be very important from an RPA perspective.

SoftPerfect RAM Disk offers very good prerequisites for the use in the context of RPA and also from a security perspective. Surely there will be other RAM disk products that do this, for my further considerations I focused on this product.

Installation of SoftPerfect RAM Disk

The manual installation is very simple. An automatic installation via a software distribution should not be more difficult. I used the following settings:

Settings_Win11

These settings bring the following entries:

  • In Windows registry
[HKEY_USERS\S-1-5-21-1992397702-4188073367-1061252064-1001\Software\SoftPerfect\RAM Disk\General]
"NoAutoLoad"="1"
"Language"="English"
  • In the file c:\ProgramData\SoftPerfect\RAM Disk\ramdisk.xml
<?xml version="1.0" encoding="utf-8"?>
<ramdisk>
  <config>
    <useraccess>true</useraccess>
    <locallinks>true</locallinks>
    <trayicon>false</trayicon>
    <license></license>
    <alloweject>true</alloweject>
    <renewalpopup>true</renewalpopup>
  </config>
  <mount/>
  <autorun/>
</ramdisk>

What do the individual tags mean?

  • useraccess = true
    Allow non-privileged users to modify settings: Users without administrative privileges can control the application and change the settings.
  • alloweject = true
    Allow users to eject removable RAM disks in Explorer: Users can unmount a RAM disk by choosing Eject item in the context menu of the disk in Windows Explorer.
  • locallinks = true
    Global drive letters for RAM volumes: The RAM disks will be registered in the local name space. So they will be not visible to all users and applications which launched on the computer and it can not be shared in a network. This option creates a fully isolated RAM disks.

This can also be read in the very well detailed help.

Use a RAM Disk

The use of a RAM disk is very simple.

Create a RAM Disk

To create a RAM disk we use three steps:
ramdiskc /add:R /fs:NTFS /size:64M /rem
mkdir R:\Dummy
cipher /E R:\Dummy
  • In the first step we create a RAM disk,
  • in the second step we create a directory on the RAM disk and
  • in the third step we encrypt the directory.

Destroy a RAM Disk

To destroy a RAM disk and to reboot the bot computer we use four steps:

rmdir R:\Dummy /s /q
cipher /w:R:
ramdiskc /del:R /force
shutdown /r
  • In the first step we delete the directory on the RAM disk,
  • in the second step we remove all data from available unused disk space on the entire volume,
  • in the third step we destroy the RAM disk and
  • in the fourth step we reboot the bot computer.

Encrypting the directory and rebooting the computer further minimizes the possibility of others accessing the data.

These steps can all be mapped in the same way in the UiPath workflow.

RAMDiskTest.xaml (8.2 KB)

Memory Encryption Technology

Memory encryption begins at the boot process, it will encrypt all data on between the RAM and the CPU. It is necessary to enable it in the system BIOS. With this step it is transparent and can be used with any operating system. An encryption key is generated during the boot process and a new key is generated with each boot process. The encryption key can not be manipulated or read. This kind of encryption protects against attacks that require physical access to the hardware. Encrypting different RAM areas with different keys enables an higher level of security, e.g. because VMs are totally isolated from each other. Proprietary code is required for this, which is integrated into the OS via the UEFI BIOS. Memory encryption technology offers us, also in the context of using a RAM disk, further interesting approaches to improving the security aspects.

Intel Total Memory Encryption (TME) and Multi-Key Total Memory Encryption (MKTME)

Advanced Micro Devices (AMD) Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV)

Conclusion

As far as I can say are RAM Disks a very interesting alternative against file persisting and securely deleting. All data are present in the RAM and should not be accessible after a reboot, but it can be accessed like a normal drive. With additional encryption, we make unauthorized access attempts more difficult. Encrypted files can be transported to the encrypted RAM disk, there they are decrypted and can be normal used. Additional transparent memory encryption technology is another “brick” to increase process security, in general and for RAM disks in particular. I assume that the attractiveness of RAM disks, which have rather fallen into oblivion, has increased in the context of RPA again.

Addendum - Check if RAM Disk Software is Available

To check whether the RAM disk software is available on the bot computer, the approach from the post to check if a program is installed could be use. This gives us a higher certainty that the process actually keeps the data in a RAM disk. Should the RAM disk not be available, we can stop the processing of the RPA workflow at this point with an error message.

Addendum - Different Versions

All my experiments I tried with Windows 10 in conjunction with UiPath 21.10.5 and with Windows 11 in conjunction with UiPath 22.4.3. Each of these combinations worked without any problems.

Addendum - Memory Dumps

To verify the effectiveness of encryption, of the Windows cipher software, I created complete memory dumps, which contains a copy of all physical memory (RAM), with targeted crashes of the system and dumps. The memory dump was searched for specific content, which was known. However, the analysis is anything but simple, because everything can be found in the memory. It is not possible for me to say with 100% certainty whether the data can be determined via a memory dump. As far as I can say, the via cipher software encrypted data could neither found in the dump nor in the binary format, but the unencrypted data was easy readable.

Addendum - Pagefile

Windows uses the pagefile to provide virtual memory, which is swapped to disk. It is possible that data in the pagefile is still available after a reboot. This article describes the resulting risks and how they can be mitigated: Windows pagefile security risks and how to avoid them. In my opinion is a good way to clearing the pagefile at shutdown. Open the Group Policy editor via gpedit.msc and configure it.

6 Likes