Re: PATCH - ext2fs privacy (i.e. secure deletion) patch

[Hans Reiser]

Exactly right.

Hans

Jamie Lokier wrote:

> the grugq wrote:
>  
>
> > If, on the other hand, we have a threat model of, say, the police, then 
> > things are very different. In the UK, there is a law which requires you 
> > to turn over your encryption keys when the court demands them. The 
> > police have a tactic for extracting keys which involves physical 
> > violence and intimidation. These are very effective against encryption. 
> >    
>
> This is how to implement secure deletion cryptographically:
>
>   - Each time a file is created, choose a random number.
>
>   - Encrypt the number with your filesystem key and store the
>     encrypted version in the inode.
>
>   - The number is used for encrypting that file.
>
> Secure deletion is then a matter of securely deleting the inode.
> The file data does not have to be overwritten.
>
> This is secure against many attacks that "secure deletion" by
> overwriting is weak against.  This includes electron microscopes
> looking at the data, and UK law.  (The police can demand your
> filesystem key, but nobody knows the random number that belonged to a
> new-deleted inode).
>
> There is a chance the electron microscope may recover the number from
> the securely deleted inode.  That is the weakness of this system,
> therefore the inode data should be very thoroughly erased or itself
> subject to careful cryptographic hding.
>
> -- Jamie
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>
>
>  

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/