[Cryptography] WIPEONFORK in Linux 4.14

Nico Williams nico at cryptonector.com
Fri Nov 24 16:16:43 EST 2017


On Fri, Nov 24, 2017 at 07:54:07AM -0800, Henry Baker wrote:
> Now if we could just get a "clean" file system that is guaranteed to
> erase all traces of a file when it is deleted -- not only the file
> contents, but also any metadata and old filenames stored in the
> directories.

You can't get this without support from the device.  There's no way to
guarantee that an overwrite is an overwrite, or that there's no trace
left of the original.

It's better instead to have per-file encryption keys, then you can
forget those.  Of course, those keys have to be stored encrypted in some
other, master key, and since this all would go on disk... this doesn't
help all that much either as it's turtles all the way down (up), and so
eventually for secure deletion via decryption-key-forgetting you have to
actually change a master key and humanly forget the passphrase it was
derived from.

> Yes, I know there are "secure delete" commands, but they're useless
> unless they can somehow be made the *default* behavior for all file
> operations.

They don't work anyways.

Truly deleting data is *really* hard.

Nico
-- 
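The key hierarchy discussed in the message above, as an added example that is not part of the original post: a per-file key wrapped under a passphrase-derived master key, with a raw disk image on which "deleted" blocks remain readable. All names are hypothetical, the passphrases and file contents are constructed samples, and the HMAC-based cipher is a stdlib-only stand-in for a real AEAD.

```python
import hashlib, hmac, os

def kdf(passphrase: bytes, salt: bytes) -> bytes:
    """Master key derived from a passphrase; the salt sits on disk in the clear."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000)

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (HMAC-SHA256 in counter mode) so the example is stdlib-only.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under subkeys derived from `key`."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = _keystream_xor(enc, nonce, plaintext)
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if `key` is not the key that sealed `blob`."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        return None
    return _keystream_xor(enc, nonce, ct)

def recover(raw_image: list, master: bytes):
    """Scan every block ever written: unwrap a file key, then try it on all blocks."""
    for wrapped in raw_image:
        file_key = unseal(master, wrapped)
        if file_key is None:
            continue
        for blob in raw_image:
            plaintext = unseal(file_key, blob)
            if plaintext is not None:
                return plaintext
    return None

def scenario():
    salt = os.urandom(16)
    old_master = kdf(b"old passphrase", salt)        # constructed sample passphrase
    file_key = os.urandom(32)
    # Raw image after "delete": references are gone, but both blocks remain readable.
    raw_image = [seal(old_master, file_key), seal(file_key, b"secret memo")]
    new_master = kdf(b"new passphrase", os.urandom(16))  # master key rotated
    return (recover(raw_image, old_master),           # delete only: still recoverable
            recover(raw_image, new_master),           # rotated master key: nothing
            recover(raw_image, kdf(b"old passphrase", salt)))  # passphrase remembered
```

The third result is the case the message ends on: rotating the master key does nothing for the stale wrapped key if the old passphrase can still be reproduced.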

