[Cryptography] Rubber-hose resistance?

Jerry Leichter leichter at lrw.com
Wed Dec 20 22:29:14 EST 2017


> 
>>> Before you leave to return home, you need to delete all the confidential
>>> information from the laptop.  To ensure no trace of it remains on the
>>> disk, the simplest safe way I can imagine is this:
>>> 
>>> $ cat /dev/urandom >tmp1
>>> # Now wait until you run out of disk space.
> 
>> This of course may not do what you think on an SSD - which it probably is these days.
> 
> I was thinking specifically of SSDs, which is why I recommended doing this:
> 
>>> $ gpg --print-md sha256 tmp1

Then you don't understand how SSDs work.

The number of pages actually available inside the SSD may be - likely is - quite a bit larger than the size visible outside the device.  When you write a block, it goes on some page.  You don't know - there's no interface to find out - what page that block lies on.  If you write the same block again, it almost certainly ends up on some other page.  The old page goes into a "to be erased and reused later" list.

Just because you filled up every block does not mean the list of free pages is empty.  Nor does it mean those pages have been erased.

There is simply no way to know you've erased all the pages in an SSD using only the interface the device presents to you that makes it look like a disk.

> Filling the disk with zeroes might not actually do anything, since a
> long stream of zeroes might be compressed to just a length indicator
> followed by a single zero byte.  It would actually look like I have a
> 67GB file of zeroes when I do an "ls -l", but the SSD might be doing so
> much magic that it's not actually stored that way.

If you don't know enough about how the device you are trying to erase is organized internally to rule out or rule in such possibilities, you have no business claiming you have an effective erasure tool.  FYI, for an ordinary disk, this is very unlikely, as it would make "the amount of free space available on the disk" a meaningless number.

Someone else brought up more general compression and deduplication.  These are common for shared/remote file systems, rather less likely for local storage, where they make the interface much more complex and probably don't save all that much anyway.  Erasing something that is on a remote file system is generally pretty much impossible.  What if that system does remote mirroring?  Or some kind of more efficient redundant encoding?  Can you even get an accurate read of the physical size of the "disk" - think thin provisioning.

Ultimately it comes down to:  If you don't understand how the underlying system works, you shouldn't be asserting that a particular technique is "secure".  You just don't - can't - know.
                                                        -- Jerry
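
Added example, not part of the original message: a toy model of the page remapping described above, showing that data can be gone from every block the host can read while still sitting in a superseded, unerased flash page. ToyFTL, its sizes and its garbage-collection policy are hypothetical simplifications, not any real controller's behaviour.

```python
import os

SECRET = b"constructed sample secret"  # constructed test data

class ToyFTL:
    """Hypothetical, simplified flash translation layer (not real firmware)."""

    def __init__(self, logical_blocks, physical_pages):
        assert physical_pages > logical_blocks  # over-provisioning
        self.logical_blocks = logical_blocks
        self.pages = [None] * physical_pages    # raw flash; None = erased
        self.mapping = {}                       # logical block -> physical page
        self.free = list(range(physical_pages))
        self.stale = []                         # superseded, not yet erased

    def write(self, lba, data):
        if not self.free:
            # Garbage collection only when forced: erase the oldest stale page.
            victim = self.stale.pop(0)
            self.pages[victim] = None
            self.free.append(victim)
        page = self.free.pop(0)                 # never overwrite in place
        self.pages[page] = data
        if lba in self.mapping:
            self.stale.append(self.mapping[lba])
        self.mapping[lba] = page

    def read(self, lba):
        return self.pages[self.mapping[lba]]

def fill_and_check(logical_blocks=8, physical_pages=12):
    """Store SECRET, fill every logical block with random data, then compare
    what the host can read with what is still in raw flash."""
    ssd = ToyFTL(logical_blocks, physical_pages)
    ssd.write(3, SECRET)
    for lba in range(logical_blocks):           # the "fill the disk" step
        ssd.write(lba, os.urandom(16))
    host_sees = any(ssd.read(lba) == SECRET for lba in range(logical_blocks))
    flash_holds = SECRET in ssd.pages
    return host_sees, flash_holds

if __name__ == "__main__":
    print(fill_and_check())
```

In this model the host has no call that reports the stale list, which is the point made in the message: when a superseded page actually gets erased is decided by the controller.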