[cryptography] secure deletion on SSDs (Re: Asynchronous forward secrecy encryption)

Nico Williams nico at cryptonector.com
Tue Sep 24 14:37:22 EDT 2013

On Tue, Sep 24, 2013 at 12:03:12AM +0200, Adam Back wrote:

[In response to the idea of using encrypted file hashes as part of the
key wrapping procedure...]

> Thats not bad (make the decryption dependant on accessibility of the entire
> file) nice as a design idea.  But that could be expensive in the sense that
> any time any block in the file changes, you have to re-encrypt the
> encryption or, more efficiently the key computed from the hash of
> the file. Still you have to re-write the header any time there is a
> block change,
> and do it atomically or log recoverably ideally.  Also you have re-read and
> hash the whole file to re-compute the xor sha(encrypted-file) header.  Well
> I guess even that is relatively fixable probably eg merkle hash of the
> blocks of the file instead plus a bit of memory cacheing.

You should want to do COW anyways.  If you use a Merkle hash tree then
the additional hashing is minimized.  You know, like ZFS.

Still, at the end of the day, if you can recover enough past blocks you
can recover deleted files.  Truly wiping anything requires being able to
at least wipe encryption keys (wrapped or otherwise), and since the
amount of truly wipeable storage is so limited... it's much harder to
support secure file deletion than secure filesystem/device wipe.  What
the OS could do is give you a smallish number of securely wipeable
containers, and you manage the rest from there.


More information about the cryptography mailing list