From: Edward Shishkin <edward@namesys.com>
To: Hans Reiser <reiser@namesys.com>, Jamie Lokier <jamie@shareable.org>
Cc: the grugq <grugq@hcunix.net>,
Valdis.Kletnieks@vt.edu, Pavel Machek <pavel@ucw.cz>,
linux-kernel@vger.kernel.org
Subject: Re: PATCH - ext2fs privacy (i.e. secure deletion) patch
Date: Mon, 09 Feb 2004 15:07:35 +0300 [thread overview]
Message-ID: <40277807.6787981A@namesys.com> (raw)
In-Reply-To: 40251601.6050304@namesys.com
Hans Reiser wrote:
>
> Exactly right.
>
> Hans
>
> Jamie Lokier wrote:
>
> >the grugq wrote:
> >
> >
> >>If, on the other hand, we have a threat model of, say, the police, then
> >>things are very different. In the UK, there is a law which requires you
> >>to turn over your encryption keys when the court demands them. The
> >>police have a tactic for extracting keys which involves physical
> >>violence and intimidation. These are very effective against encryption.
> >>
> >>
> >
> >This is how to implement secure deletion cryptographically:
> >
> > - Each time a file is created, choose a random number.
> >
> > - Encrypt the number with your filesystem key and store the
> > encrypted version in the inode.
> >
> > - The number is used for encrypting that file.
> >
> >Secure deletion is then a matter of securely deleting the inode.
> >The file data does not have to be overwritten.
> >
> >This is secure against many attacks that "secure deletion" by
> >overwriting is weak against. This includes electron microscopes
> >looking at the data, and UK law. (The police can demand your
> >filesystem key, but nobody knows the random number that belonged to a
> >new-deleted inode).
Also they will demand this random number since the court can consider it
as a part of your secret key. So just delete your secret key without creating
meaningless infrastructure ;)
Edward.
> >
> >There is a chance the electron microscope may recover the number from
> >the securely deleted inode. That is the weakness of this system,
> >therefore the inode data should be very thoroughly erased or itself
> >subject to careful cryptographic hding.
> >
> >-- Jamie
> >-
> >To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> >the body of a message to majordomo@vger.kernel.org
> >More majordomo info at http://vger.kernel.org/majordomo-info.html
> >Please read the FAQ at http://www.tux.org/lkml/
> >
> >
> >
> >
next prev parent reply other threads:[~2004-02-09 12:07 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-01-28 16:30 PATCH - ext2fs privacy (i.e. secure deletion) patch the grugq
2004-02-03 22:20 ` Pavel Machek
2004-02-04 0:33 ` the grugq
2004-02-04 0:43 ` Pavel Machek
2004-02-04 0:48 ` the grugq
2004-02-04 0:55 ` Pavel Machek
2004-02-04 0:58 ` the grugq
2004-02-04 1:10 ` Mike Fedyk
2004-02-04 6:29 ` Theodore Ts'o
2004-02-04 13:08 ` the grugq
2004-02-04 17:05 ` Bill Davidsen
2004-02-04 17:14 ` Valdis.Kletnieks
2004-02-04 23:47 ` Bill Davidsen
2004-02-04 23:51 ` the grugq
2004-02-05 1:48 ` the grugq
2004-02-05 4:38 ` Valdis.Kletnieks
2004-02-07 3:30 ` Bill Davidsen
2004-02-05 3:35 ` Theodore Ts'o
2004-02-06 0:00 ` the grugq
2004-02-12 22:59 ` Robert White
2004-02-13 3:41 ` Jamie Lokier
2004-02-13 21:30 ` Robert White
2004-02-18 3:48 ` Bill Davidsen
2004-02-18 9:48 ` Jamie Lokier
2004-02-17 12:00 ` Pavel Machek
2004-02-04 3:20 ` Valdis.Kletnieks
2004-02-07 0:20 ` Jamie Lokier
2004-02-07 1:15 ` Hans Reiser
2004-02-07 1:29 ` the grugq
2004-02-07 5:40 ` Hans Reiser
2004-02-07 9:55 ` the grugq
2004-02-07 10:47 ` Jamie Lokier
2004-02-07 11:02 ` the grugq
2004-02-07 11:09 ` Jamie Lokier
2004-02-07 11:46 ` the grugq
2004-02-07 12:01 ` Jamie Lokier
2004-02-07 16:52 ` Hans Reiser
2004-02-07 17:22 ` Pavel Machek
2004-02-08 0:04 ` Jamie Lokier
2004-02-07 16:50 ` Hans Reiser
2004-02-07 16:44 ` Hans Reiser
2004-02-09 12:07 ` Edward Shishkin [this message]
2004-02-10 7:18 ` Hans Reiser
2004-02-07 2:17 ` Jamie Lokier
-- strict thread matches above, loose matches on Subject: below --
2004-02-07 9:55 Albert Cahalan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=40277807.6787981A@namesys.com \
--to=edward@namesys.com \
--cc=Valdis.Kletnieks@vt.edu \
--cc=grugq@hcunix.net \
--cc=jamie@shareable.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pavel@ucw.cz \
--cc=reiser@namesys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox