[cryptography] secure deletion on SSDs (Re: Asynchronous forward secrecy encryption)

ianG iang at iang.org
Tue Sep 24 05:23:57 EDT 2013

On 24/09/13 11:36 AM, Michael Rogers wrote:
> Hash: SHA1
> On 24/09/13 00:18, Adam Back wrote:
>> On Mon, Sep 23, 2013 at 01:39:35PM +0100, Michael Rogers wrote:
>>> Apple came within a whisker of solving the problem in iOS by
>>> creating an 'effaceable storage' area within the flash storage,
>>> which bypasses block remapping and can be deleted securely.
>>> However, iOS only uses the effaceable storage for resetting the
>>> entire device (by deleting the key that encrypts the user's
>>> filesystem), not for securely deleting individual files.
>> Hmm well thats interesting no?  With the ability to securely
>> delete a single key you can probably use that to selectively delete
>> files with an appropriate key management structure.  eg without
>> optimizing that, you could have a table of per file keys, encrypted
>> with the master key.  To delete a given file you'd re-encrypt
>> everything in the file table to a new key, except the deleted file,
>> and delete, then over-rewrite this "effaceable storage" area.
> Yes, absolutely, that's what makes it so frustrating - they already
> have per-file encryption keys with user-selectable key management
> policies and a hierarchy of keybags - adding a policy for efficient
> secure deletion would be a small amount of work. But it's work that
> would have to be done by Apple, not in userland.

Right.  Reading this, as posted by Michael Rogers:


Android's offering is a mess.  Here's the clue:

"Instead of introducing yet another Android-specific API, key store 
access is exposed via standard JCE APIs, namely KeyGenerator and KeyStore."

Plonk.  A mess of corporate/proprietary accesses that aren't guaranteed 
compatible nor reliable nor secure across platforms/releases, and 
provide only a bare minimum idea some long-dead designer seemed keen on. 
  Ug, it's back to the 1990s, when every BigCorp imagines they can 
create the secure platform for everyone else's corporate lemmings.

I don't expect Apple to be able to solve this mess, as they are also 
subject to competing interests within (cf 'effaceable storage' only for 
their own purposes).  They'll likely do a much better job than Android 
because they are vertically integrated and care more, but that doesn't 
mean they can solve it.

I feel like we're on our own.  Which means that notions like Shamir 
Secret Sharing have more credence than I'd like, I'd ordinarily run a 
mile from such exotica.

On 23/09/13 15:39 PM, Michael Rogers wrote:
 > On 23/09/13 05:12, Dev Random wrote:
 >> So, I submit that PFS in [ed: STUFF] is impossible without help
 >> from some kind of ephemeral, yet persistent storage.  A possible
 >> solution might be to store a portion of the key material (through
 >> Shamir's secret sharing) on servers that you partially trust.
 > Sounds like a great idea, especially in combination with a panic
 > button or dead man's switch feature that alerts the servers to delete
 > their shares.

Yes, enticing thoughts!


More information about the cryptography mailing list