From: Jamie Lokier <jamie@shareable.org>
To: Pavel Machek <pavel@ucw.cz>
Cc: the grugq <grugq@hcunix.net>, Hans Reiser <reiser@namesys.com>,
Valdis.Kletnieks@vt.edu, linux-kernel@vger.kernel.org
Subject: Re: PATCH - ext2fs privacy (i.e. secure deletion) patch
Date: Sun, 8 Feb 2004 00:04:48 +0000 [thread overview]
Message-ID: <20040208000448.GA18936@mail.shareable.org> (raw)
In-Reply-To: <20040207172222.GA318@elf.ucw.cz>
Pavel Machek wrote:
> > - Overwriting data does not always do what you think it does.
> > Several block devices _do not_ overwrite the same storage blocks.
> > Thus it is dangerous to call something "secure deletion"
> > when it might not do anything at all.
>
> But you have same vulnerability, crypto does not help here. If your
> i-node happens to be put on other place, attacker still gets the key
> intact etc.
Yes, you're right. I wanted to draw attention to the fact that ext2's
"secure deletion" attribute, when implemented, can be misleading. I
should have pointed out that an inode-private key has the same weakness.
> There's not much you can do. [It may be even worse with that
> crypto... If you kick the table while your top-secret .mpg.tgz collection
> is accessed, you are likely to cause bad sector within i-node,
> attacker can get the key, and decrypt it all. With on-place
> overwriting he only gets one block.]
There is something which can help:
First, the idea of an inode private key, which is itself encrypted by
a whole filesystem key, may be seen as a two level tree structure (the
filesystem key is its root). You can also have deeper key structures.
The important thing is that without the root key, you cannot follow
any path to the tree's branches. The key tree does not have to be the
same as the directory tree, in fact it's better if it isn't, so you
can keep the key tree balanced.
You can regularly change branch keys within the filesystem, updating
all the dependent keys when that's done. That can be done
incrementally, as you make changes to the flesystem. So for example,
whenever you want to erase an inode (secure deletion), you need to
modify its parent key in the key tree and re-encrypt all the inode
key's siblings with the new parent key. Repeat all the way to the
root.
If you do those updates every time, then you confine the "snapshotting
block device" weakness to the problem of destroying old versions of
the root key - for which you should insist on choosing an appropriate
device. You might also use multiple root keys, so that a single
remapped block on a hard disk which is used to hold the root key(s) is
not enough to decrypt old versions of the filesystem.
-- Jamie
next prev parent reply other threads:[~2004-02-08 0:04 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-01-28 16:30 PATCH - ext2fs privacy (i.e. secure deletion) patch the grugq
2004-02-03 22:20 ` Pavel Machek
2004-02-04 0:33 ` the grugq
2004-02-04 0:43 ` Pavel Machek
2004-02-04 0:48 ` the grugq
2004-02-04 0:55 ` Pavel Machek
2004-02-04 0:58 ` the grugq
2004-02-04 1:10 ` Mike Fedyk
2004-02-04 6:29 ` Theodore Ts'o
2004-02-04 13:08 ` the grugq
2004-02-04 17:05 ` Bill Davidsen
2004-02-04 17:14 ` Valdis.Kletnieks
2004-02-04 23:47 ` Bill Davidsen
2004-02-04 23:51 ` the grugq
2004-02-05 1:48 ` the grugq
2004-02-05 4:38 ` Valdis.Kletnieks
2004-02-07 3:30 ` Bill Davidsen
2004-02-05 3:35 ` Theodore Ts'o
2004-02-06 0:00 ` the grugq
2004-02-12 22:59 ` Robert White
2004-02-13 3:41 ` Jamie Lokier
2004-02-13 21:30 ` Robert White
2004-02-18 3:48 ` Bill Davidsen
2004-02-18 9:48 ` Jamie Lokier
2004-02-17 12:00 ` Pavel Machek
2004-02-04 3:20 ` Valdis.Kletnieks
2004-02-07 0:20 ` Jamie Lokier
2004-02-07 1:15 ` Hans Reiser
2004-02-07 1:29 ` the grugq
2004-02-07 5:40 ` Hans Reiser
2004-02-07 9:55 ` the grugq
2004-02-07 10:47 ` Jamie Lokier
2004-02-07 11:02 ` the grugq
2004-02-07 11:09 ` Jamie Lokier
2004-02-07 11:46 ` the grugq
2004-02-07 12:01 ` Jamie Lokier
2004-02-07 16:52 ` Hans Reiser
2004-02-07 17:22 ` Pavel Machek
2004-02-08 0:04 ` Jamie Lokier [this message]
2004-02-07 16:50 ` Hans Reiser
2004-02-07 16:44 ` Hans Reiser
2004-02-09 12:07 ` Edward Shishkin
2004-02-10 7:18 ` Hans Reiser
2004-02-07 2:17 ` Jamie Lokier
-- strict thread matches above, loose matches on Subject: below --
2004-02-07 9:55 Albert Cahalan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20040208000448.GA18936@mail.shareable.org \
--to=jamie@shareable.org \
--cc=Valdis.Kletnieks@vt.edu \
--cc=grugq@hcunix.net \
--cc=linux-kernel@vger.kernel.org \
--cc=pavel@ucw.cz \
--cc=reiser@namesys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox