Re: PATCH - ext2fs privacy (i.e. secure deletion) patch

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Jamie Lokier <jamie@shareable.org>
To: the grugq <grugq@hcunix.net>
Cc: Hans Reiser <reiser@namesys.com>,
	Valdis.Kletnieks@vt.edu, Pavel Machek <pavel@ucw.cz>,
	linux-kernel@vger.kernel.org
Subject: Re: PATCH - ext2fs privacy (i.e. secure deletion) patch
Date: Sat, 7 Feb 2004 10:47:12 +0000	[thread overview]
Message-ID: <20040207104712.GA16093@mail.shareable.org> (raw)
In-Reply-To: <4024B618.2070202@hcunix.net>

the grugq wrote:
> If, on the other hand, we have a threat model of, say, the police, then 
> things are very different. In the UK, there is a law which requires you 
> to turn over your encryption keys when the court demands them. The 
> police have a tactic for extracting keys which involves physical 
> violence and intimidation. These are very effective against encryption. 

This is how to implement secure deletion cryptographically:

   - Each time a file is created, choose a random number.

   - Encrypt the number with your filesystem key and store the
     encrypted version in the inode.

   - The number is used for encrypting that file.

Secure deletion is then a matter of securely deleting the inode.
The file data does not have to be overwritten.

This is secure against many attacks that "secure deletion" by
overwriting is weak against.  This includes electron microscopes
looking at the data, and UK law.  (The police can demand your
filesystem key, but nobody knows the random number that belonged to a
new-deleted inode).

There is a chance the electron microscope may recover the number from
the securely deleted inode.  That is the weakness of this system,
therefore the inode data should be very thoroughly erased or itself
subject to careful cryptographic hding.

-- Jamie

next prev parent reply	other threads:[~2004-02-07 10:47 UTC|newest]

Thread overview: 45+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2004-01-28 16:30 PATCH - ext2fs privacy (i.e. secure deletion) patch the grugq
2004-02-03 22:20 ` Pavel Machek
2004-02-04  0:33   ` the grugq
2004-02-04  0:43     ` Pavel Machek
2004-02-04  0:48       ` the grugq
2004-02-04  0:55         ` Pavel Machek
2004-02-04  0:58           ` the grugq
2004-02-04  1:10             ` Mike Fedyk
2004-02-04  6:29       ` Theodore Ts'o
2004-02-04 13:08         ` the grugq
2004-02-04 17:05           ` Bill Davidsen
2004-02-04 17:14             ` Valdis.Kletnieks
2004-02-04 23:47               ` Bill Davidsen
2004-02-04 23:51                 ` the grugq
2004-02-05  1:48                 ` the grugq
2004-02-05  4:38                 ` Valdis.Kletnieks
2004-02-07  3:30                   ` Bill Davidsen
2004-02-05  3:35               ` Theodore Ts'o
2004-02-06  0:00                 ` the grugq
2004-02-12 22:59         ` Robert White
2004-02-13  3:41           ` Jamie Lokier
2004-02-13 21:30             ` Robert White
2004-02-18  3:48             ` Bill Davidsen
2004-02-18  9:48               ` Jamie Lokier
2004-02-17 12:00           ` Pavel Machek
2004-02-04  3:20     ` Valdis.Kletnieks
2004-02-07  0:20       ` Jamie Lokier
2004-02-07  1:15         ` Hans Reiser
2004-02-07  1:29           ` the grugq
2004-02-07  5:40             ` Hans Reiser
2004-02-07  9:55               ` the grugq
2004-02-07 10:47                 ` Jamie Lokier [this message]
2004-02-07 11:02                   ` the grugq
2004-02-07 11:09                     ` Jamie Lokier
2004-02-07 11:46                       ` the grugq
2004-02-07 12:01                         ` Jamie Lokier
2004-02-07 16:52                           ` Hans Reiser
2004-02-07 17:22                           ` Pavel Machek
2004-02-08  0:04                             ` Jamie Lokier
2004-02-07 16:50                         ` Hans Reiser
2004-02-07 16:44                   ` Hans Reiser
2004-02-09 12:07                     ` Edward Shishkin
2004-02-10  7:18                       ` Hans Reiser
2004-02-07  2:17           ` Jamie Lokier
  -- strict thread matches above, loose matches on Subject: below --
2004-02-07  9:55 Albert Cahalan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20040207104712.GA16093@mail.shareable.org \
    --to=jamie@shareable.org \
    --cc=Valdis.Kletnieks@vt.edu \
    --cc=grugq@hcunix.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=pavel@ucw.cz \
    --cc=reiser@namesys.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox