Re: PATCH - ext2fs privacy (i.e. secure deletion) patch

From: Jamie Lokier
Date: Sat Feb 07 2004 - 05:50:02 EST


the grugq wrote:
> If, on the other hand, we have a threat model of, say, the police, then
> things are very different. In the UK, there is a law which requires you
> to turn over your encryption keys when the court demands them. The
> police have a tactic for extracting keys which involves physical
> violence and intimidation. These are very effective against encryption.

This is how to implement secure deletion cryptographically:

- Each time a file is created, choose a random number.

- Encrypt the number with your filesystem key and store the
encrypted version in the inode.

- The number is used for encrypting that file.

Secure deletion is then a matter of securely deleting the inode.
The file data does not have to be overwritten.

This is secure against many attacks that "secure deletion" by
overwriting is weak against. This includes electron microscopes
looking at the data, and UK law. (The police can demand your
filesystem key, but nobody knows the random number that belonged to a
newly deleted inode).

There is a chance the electron microscope may recover the number from
the securely deleted inode. That is the weakness of this system,
therefore the inode data should be very thoroughly erased or itself
subject to careful cryptographic hiding.

-- Jamie
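The three-step scheme above, as an added illustration that is not part of Jamie's mail or the ext2fs patch under discussion: a random per-file key is wrapped under the filesystem key and kept in the inode, file data is encrypted under the per-file key, and "secure deletion" destroys only the wrapped key. The SHA-256 counter keystream is a stand-in for a real block cipher mode (an assumption made so the example runs with the standard library only); the inode and block store are in-memory dicts.

```python
import hashlib
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256; illustrative stand-in for AES-CTR."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric stream encryption/decryption (same call both ways)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def create_file(fs_key: bytes, plaintext: bytes):
    file_key = os.urandom(32)            # step 1: fresh random number per file
    nonce = os.urandom(16)               # unique per inode so wrapping never repeats
    wrapped = xor_crypt(fs_key, nonce, file_key)   # step 2: encrypt it under the fs key
    inode = {"nonce": nonce, "wrapped_key": wrapped}
    blocks = xor_crypt(file_key, b"data-nonce", plaintext)  # step 3: data under file key
    return inode, blocks


def read_file(fs_key: bytes, inode: dict, blocks: bytes) -> bytes:
    if inode["wrapped_key"] is None:
        raise ValueError("inode erased: per-file key is unrecoverable, even with fs_key")
    file_key = xor_crypt(fs_key, inode["nonce"], inode["wrapped_key"])
    return xor_crypt(file_key, b"data-nonce", blocks)


def secure_delete(inode: dict) -> None:
    # Only the inode's wrapped key is destroyed; the data blocks are never touched.
    # A real filesystem must physically overwrite these inode bytes (the weakness
    # the mail points out); here we simply drop them.
    inode["wrapped_key"] = None
    inode["nonce"] = None


def run_demo(fs_key: bytes, plaintext: bytes):
    """Returns (readback_ok, blocks_still_ciphertext, unreadable_after_delete)."""
    inode, blocks = create_file(fs_key, plaintext)
    readback_ok = read_file(fs_key, inode, blocks) == plaintext
    secure_delete(inode)
    try:
        read_file(fs_key, inode, blocks)
        unreadable = False
    except ValueError:
        unreadable = True
    return readback_ok, blocks != plaintext, unreadable
```

Handing over `fs_key` after deletion yields nothing: the only copy of the per-file key lived in the erased inode, so the untouched data blocks stay ciphertext.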