Re: PATCH - ext2fs privacy (i.e. secure deletion) patch

[Pavel Machek <pavel@ucw.cz>]

Hi!

> > As I now understand, you are proposing a file system which has per file 
> > encryption where the key is stored in the inode. The inode is then the 
> > only location with senstive data which needs to be removed.
> 
> Yes.
> 
> > Also, this proposal seems to me more related to how to implement an 
> > encrypted file system, than how to implement secure deletion on existing 
> > file systems.
> 
> Not really, this is pointing out an alternative means of secure
> deletion _if_ you have encryption.  The points I wanted to make were,
> most important first:
> 
>    - Overwriting data does not always do what you think it does.
>      Several block devices _do not_ overwrite the same storage blocks.
>      Thus it is dangerous to call something "secure deletion"
>      when it might not do anything at all.

But you have same vulnerability, crypto does not help here. If your
i-node happens to be put on other place, attacker still gets the key
intact etc.

There's not much you can do. [It may be even worse with that
crypto... If you kick the table while your top-secret .mpg.tgz collection
is accessed, you are likely to cause bad sector within i-node,
attacker can get the key, and decrypt it all. With on-place
overwriting he only gets one block.] 
								Pavel
-- 
When do you have a heart between your knees?
[Johanka's followup: and *two* hearts?]