The OS caches the data read from a file after it's been decrypted by CBFS Filter. How do I prevent this?
Version 2024 update
When you implement encryption of files using file isolation, the cache of isolated handles is private to those handles, and the issue doesn't occur.
Original answer
The original answer applies to versions 2022 and earlier, where isolation is not present.
A file data cache is always used by the OS and its filesystem manager. You can't disable it or prevent the data from being placed into the cache.
Before an application can read any data from a file (and the file is identified by the open handle), it must open this file to obtain a file handle. If the file is not opened by an application, it cannot be read by said application, even if another application has opened the file.
So, if you prevent an application from opening a file, you will also prevent said application from reading the data of the file. The cache itself is protected from access by user mode applications; it can only be read from by kernel mode drivers.
Within Windows, the only way to to have the data encrypted until it reaches the intended application is to have the application itself encrypt or decrypt the data and to keep only the decrypted data in nonpaged memory.
We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at support@callback.com.