From kragen@dnaco.net Tue Jul 28 09:42:25 1998 -0400
Date: Tue, 28 Jul 1998 09:42:25 -0400 (EDT)
From: Kragen
To: tburgess@eddie.cis.uoguelph.ca
Subject: Secure rm
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

There's a rather good paper by Peter Gutmann (IIRC) on the difficulty of securely deleting data.

If your threat model includes the possibility of an adversary stealing the disk on which the data had been stored, overwriting data is likely to be insufficient:

- overwriting it fewer than seven times still leaves significant differences in magnetic strength from which the original data can be recovered;
- when overwriting the bits, the timing of the new bits will be slightly offset from the old bits, so even if the field of the original bits would not be reliably detectable by itself, it may be possible to find the level transitions from the original bits if they were recorded significantly earlier or later in the disk's rotation than the new ones;
- when overwriting the data, the distance from the head to the center of the disk will be slightly different from what it was when the data was originally written -- so the inside or outside edge of the original data track may survive unscathed. Worse, the "drift" of the head positioning is systematic, not random, and so overwriting several times is likely to overwrite in the same place.

And, of course, there's the possibility that the data you're trying to overwrite may also survive elsewhere -- in swap space, or in a previous copy on the disk in a different place. (I don't know whether ext2fs actually spontaneously moves data around or not. My impression was "not". Some other filesystems (e.g., log-structured filesystems, WAFL) do.)

I assume you already know this.

If your threat model includes the possibility of your attacker gaining read access to the raw disk (by cracking root on the Linux machine in which the disk is?) but not gaining *physical* access to the disk (so they can take it apart and look at it under an electron microscope), overwriting the data may be useful.

Kragen
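
Added example, not part of Kragen's message: a minimal overwrite-then-unlink in Python for the second threat model above (an attacker who can read the raw disk but has no physical access). It assumes a filesystem that rewrites a file's blocks in place; it does nothing about copies in swap or elsewhere on the disk, and all function names here are this example's own.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # write size per call; arbitrary choice for this example


def _write_all(fd, data):
    """os.write may write fewer bytes than asked; loop until all are written."""
    view = memoryview(data)
    while view:
        view = view[os.write(fd, view):]


def overwrite_in_place(path, passes=1):
    """Overwrite the file's existing bytes with random data, `passes` times."""
    # No O_TRUNC: truncating would free the blocks rather than overwrite them.
    fd = os.open(path, os.O_WRONLY)
    try:
        size = os.fstat(fd).st_size
        for _ in range(passes):
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                _write_all(fd, secrets.token_bytes(n))
                remaining -= n
            os.fsync(fd)  # ask the kernel to flush this pass before the next one
    finally:
        os.close(fd)
    return size


def secure_rm(path, passes=1):
    """Overwrite, then unlink. Returns the number of bytes overwritten per pass."""
    size = overwrite_in_place(path, passes)
    os.unlink(path)
    return size


def demo():
    """Run on a constructed temp file; returns (size_kept, secret_gone, removed)."""
    secret = b"constructed sample secret\n" * 4000  # constructed sample data
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    overwrite_in_place(path, passes=3)
    with open(path, "rb") as f:
        after = f.read()
    removed_size = secure_rm(path)
    return (len(after) == len(secret), b"constructed sample" not in after,
            removed_size == len(secret) and not os.path.exists(path))
```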