[cryptography] Deleting data on a flash?

Trevor Perrin trevp at trevp.net
Mon Sep 23 15:57:07 EDT 2013

On Mon, Sep 23, 2013 at 1:25 AM, Adam Back <adam at cypherspace.org> wrote:
> For wear-leveling its more tricky, but it I think the trick to deletion
> would be to delete and temporarily fill the disk - even wear leveling has to
> delete then.

Reardon et al have some good analysis of this [1,2].  They propose
keeping the SSD close to capacity, then periodically filling it to
reclaim (thus clear) blocks with remnant data.

> Also it seems to me that SSD drive manufacturers ought to have a special
> deletable NVRAM for key storage.  Its not exactly an unknown problem, would
> allow instant secure deletion.

TPMs can be used on some systems to store an eraseable key that
encrypts other data - Pond is doing this [4].

Also, encrypted flash file systems can (should?) be designed to
encrypt data blocks with keys stored in blocks which are copied and
cleared periodically.  This would achieve good "deletion latency"
without having to clear every block of a deleted file [3].

> Apparently or so I've heard claim SSDs also offer lower level APIs to
> actually wipe physical (not logically wear-level mapped) cells, to reliably
> wipe working cells.

Another question is whether SSDs offer low-level APIs to *read*
physical blocks.  To the extent they don't, forward secrecy is
obtainable against a "malware" attacker, even if not against a
physical attacker.


[1] http://www.syssec.ethz.ch/people/reardonj/asiaccs12
[2] http://www.syssec.ethz.ch/people/reardonj/sok
[3] http://www.syssec.ethz.ch/people/reardonj/usenix2012
[4] https://pond.imperialviolet.org/tech.html

More information about the cryptography mailing list