Re: PATCH - ext2fs privacy (i.e. secure deletion) patch

[Hans Reiser <reiser@namesys.com>]

Exactly right.

Hans

Jamie Lokier wrote:

>the grugq wrote:
>  
>
>>If, on the other hand, we have a threat model of, say, the police, then 
>>things are very different. In the UK, there is a law which requires you 
>>to turn over your encryption keys when the court demands them. The 
>>police have a tactic for extracting keys which involves physical 
>>violence and intimidation. These are very effective against encryption. 
>>    
>>
>
>This is how to implement secure deletion cryptographically:
>
>   - Each time a file is created, choose a random number.
>
>   - Encrypt the number with your filesystem key and store the
>     encrypted version in the inode.
>
>   - The number is used for encrypting that file.
>
>Secure deletion is then a matter of securely deleting the inode.
>The file data does not have to be overwritten.
>
>This is secure against many attacks that "secure deletion" by
>overwriting is weak against.  This includes electron microscopes
>looking at the data, and UK law.  (The police can demand your
>filesystem key, but nobody knows the random number that belonged to a
>new-deleted inode).
>
>There is a chance the electron microscope may recover the number from
>the securely deleted inode.  That is the weakness of this system,
>therefore the inode data should be very thoroughly erased or itself
>subject to careful cryptographic hding.
>
>-- Jamie
>-
>To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
>the body of a message to majordomo@vger.kernel.org
>More majordomo info at  http://vger.kernel.org/majordomo-info.html
>Please read the FAQ at  http://www.tux.org/lkml/
>
>
>  
>