[Cryptography] WIPEONFORK in Linux 4.14

Jerry Leichter leichter at lrw.com
Fri Nov 24 21:41:43 EST 2017

> Now if we could just get a "clean" file system that is guaranteed to erase all traces of a file when it is deleted -- not only the file contents, but also any metadata and old filenames stored in the directories.
> Yes, I know there are "secure delete" commands, but they're useless unless they can somehow be made the *default* behavior for all file operations.

VMS had this many years ago:  A volume (disk) could have the "erase on delete" property.  A file on such a volume would be erased by the file system regardless of how it came to be deleted.  Since the erasure was done as part of adding the blocks to the free list, if the system crashed before all the blocks were erased, they would get erased during the next mount operation as the equivalent of fsck cleaned up incomplete operations.

I don't know if the file names were erased, but because of the way VMS directories were organized - with all free space immediately pushed to the end of the block - this would have happened implicitly for most (but not all) files as file names after them were "slid over them".  I don't recall if the free space at the end was filled, but it may have been zeroed as a way to mark it as free - in which case all traces of deleted file names would be zapped.  (Because VMS directories were always kept sorted, the Unix trick of renaming the file to a random name of the same length would not have worked.)

I will note that this option wasn't used very much because it caused noticeable slowdowns.  Today's disks (and certainly SSDs) and CPUs are much faster - but today's files are much bigger, too.  I had a vague recollection that "erase on delete" could be turned on for individual files, but apparently not.

Of course, an easier solution is to encrypt all files with a file-specific key.  Zap the key and the data is effectively gone.  iOS has done something like this for a number of releases.  Android has the capability to do something similar, but it's not clear whether it's turned on by default now - when the capability was first released, it wasn't.
                                                        -- Jerry
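
The erase-on-delete behaviour described in the message above, as a toy model added here for illustration (not part of the original post and not VMS code). The `Volume` class, its persisted pending-erase list and the `crash_after` parameter are assumptions made for the sketch; it shows why tying the erase to the free-list update lets the next mount finish an interrupted erase.

```python
BLOCK = 16  # constructed block size for the model

class Volume:
    """Hypothetical volume: data blocks plus persisted free and pending-erase lists."""
    def __init__(self, nblocks, erase_on_delete=True):
        self.blocks = [bytes(BLOCK)] * nblocks
        self.free = list(range(nblocks))
        self.pending = []   # released but not yet zeroed; survives a crash
        self.files = {}     # name -> block numbers
        self.erase_on_delete = erase_on_delete

    def write(self, name, data):
        need = -(-len(data) // BLOCK)  # ceiling division
        if need > len(self.free):
            raise OSError("volume full")
        owned = [self.free.pop(0) for _ in range(need)]
        for i, b in enumerate(owned):
            self.blocks[b] = data[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\0")
        self.files[name] = owned

    def delete(self, name, crash_after=None):
        # Every deletion path ends here, so the erase cannot be skipped.
        owned = self.files.pop(name)
        if not self.erase_on_delete:
            self.free.extend(owned)    # old contents remain in free space
            return
        self.pending.extend(owned)     # recorded before any block is freed
        self._drain(crash_after)

    def _drain(self, crash_after=None):
        done = 0
        while self.pending:
            if done == crash_after:
                return                 # simulated crash mid-erase
            b = self.pending[0]
            self.blocks[b] = bytes(BLOCK)          # zero first ...
            self.free.append(self.pending.pop(0))  # ... then free
            done += 1

    def mount(self):
        # Mount-time cleanup (the fsck-equivalent step): finish interrupted erases.
        self._drain()

    def residue(self, needle):
        # True if the byte string is still readable anywhere on the volume.
        return any(needle in blk for blk in self.blocks)
```

Because a block only reaches the free list after it has been zeroed, an unerased block can never be handed to a new file, even across a crash.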
