Securely deleting files from ext4 filesystems [LWN.net]

By Jonathan Corbet
October 11, 2011

Deleting a file is sufficient to make it go away as far as the directory structure is concerned; that important, not-backed-up document is gone before the careless user has even removed a repentant finger from the "enter" key. On the underlying storage device, though, parts or all of the doomed file can live on indefinitely. A suitably determined person can often recover data from a file that was thought to be deleted and gone. In some situations, this persistence of data can be most unwelcome. Paper shredders exist for situations where recovery of a "deleted" paper document is undesirable; there is clear value in a similar functionality for filesystem-based files.

A look at the chattr man page indicates that "secure delete" functionality can be enabled for a file by setting the right attribute flag. The only problem is that most filesystems do not actually honor that flag; it's a sort of empty security theater. Even the TSA does a better job. The ext4 secure delete patch set from Allison Henderson may fill that particular gap for the ext4 filesystem, but a few things will need to be fixed up first.

The core part of the patch is relatively straightforward: if part or all of a file is being deleted, the relevant blocks will be overwritten synchronously as part of the operation. By default, the blocks are overwritten with zeroes, but there is an option to use random bytes from the kernel's entropy pool instead. A bit of care must be taken when the file involved contains holes - it wouldn't do to overwrite blocks that don't exist. There is also some logic to take advantage of the "secure discard" feature supported by some devices (solid-state disks, primarily) if that feature is available. Secure discard handles the deletion internally to the device - perhaps just by marking the relevant blocks unreadable until something else overwrites them - eliminating the need to perform extra I/O from the kernel.

The job does not stop there, though. The very existence of the file - or information contained in its name - could be sensitive as well. So the secure delete code must also clear out the directory entry associated with the file (if it is being deleted, as opposed to just truncated, obviously). Associated metadata - extended attributes, access control lists, etc - must also be cleaned out in this way.

Then there is the little issue of the journal. At any given time, the journal could contain any number of blocks from the deleted file, possibly in several versions. Clearly, sanitizing the journal is also required, but it must be done carefully: clearing journal blocks before the associated transaction has been committed could result in a corrupted filesystem and/or the inability to recover properly from a crash. So the first thing that must happen is a synchronous journal flush.

Once any outstanding transactions have been cleared, the (now old and unneeded) data in the journal can be cleaned up. The only problem is that the journal does not maintain any association between its internal blocks and the files they belong to in the filesystem. The patch addresses that problem by adding a new data structure mapping between journal blocks and file blocks; the secure deletion code then traverses that structure in search of blocks in need of overwriting.

The journal cleanup code drew some complaints from developers; the first problem is that directory and metadata blocks are not cleared from the journal. The deeper complaint, though, was that it represented an excessive mixing of the two layers; the filesystem really should not have an overly deep understanding of how the journal works. The end result is that some of this cleanup work is likely to move into the jbd2 journaling layer; as an added benefit, other filesystems should then be able to take advantage of it as well.

Darrick Wong also pointed out that this block mapping is not, itself, written to the journal; if the system were to crash before the journal could be cleaned, that cleanup would not happen after a reboot. He suggested that filesystems should mark blocks in need of secure deletion when they are first added to a journal transaction; the journal code could take care of things from then on. It seems like a cleaner solution, but there is, naturally, a catch.

That catch is that there is no way to create a file with the "secure delete" attribute set; that attribute must be added after the fact. One would assume that users would ask for secure delete before actually writing any data to the file, but associated information (the file name, for example) must exist before the file can be so marked. So the journal may well contain blocks for "secure delete" files that will not be marked for overwriting. There is no way to fix that within the existing POSIX API.

Darrick suggested a few ways to deal with this problem. One is to just give up and tell developers that, if even the name of the file is important, they should create that file under a temporary name, set the "secure delete" attribute, then rename the file to its real name. An alternative would be to mark the blocks for all newly-created files as needing overwriting; that would eliminate the race to get the attribute set at the cost of slowing down all file creation operations. Or, he said, the journal could track the mapping between blocks and files, much as Allison's patch does. One other option would be to mark the entire filesystem as needing secure delete; that feature, evidently, is already in the works, but enabling it will have an obvious performance cost.

The end result is that there are a few details to be worked out yet. The feature seems useful, though, for users who are concerned about data from their files hanging around after the files themselves have been deleted. Perhaps, around the 3.3 kernel or thereafter, "chattr +s" on ext4 will be more than bad security theater.

(Log in to post comments)

Securely deleting files from ext4 filesystems

Posted Oct 13, 2011 4:08 UTC (Thu) by idupree (subscriber, #71169) [Link]

Do you have more information on AegisFS? I could tell from your link and Google that it's a FUSE filesystem that cryptographically hides data, and that it has an (unrelated?) affinity with .zip files. If the documentation doesn't say it does everything that this ext4 secure-delete feature does for you, then it probably doesn't.

This deletion feature already goes beyond what you get from using either of two popular Linux crypto filesystems:

If you use LUKS/dm-crypt and you "rm" a file. If you securely delete it then no one can ever read it (except by physical surgery on the hard drive or other copies of the data). If you plainly delete it, the data persists, and if someone breaks your encryption* then they might still be able to read it. (*via live system compromise, or someone guessing your encryption password, or your mind having a fit of remorse (or coercion) and wanting to read the data even though your company or past self wanted it deleted, etc.)

If you use eCryptfs, it currently doesn't even attempt to hide the filenames. ( http://ecryptfs.sourceforge.net/ecryptfs-faq.html#filenam... ). This article's secure delete does attempt to delete the filenames. I don't see anything about secure deletion in this eCryptfs FAQ either, so relying on eCryptfs may also have the same risks I described under LUKS/dm-crypt.

Even a single pass of overwriting with zeroes, even on a drive with sector remapping, would prevent casual electronic attacks: someone would have to physically obtain and open the drive to get the data out. (Or the drive could have firmware bugs. Alas. Is this common?) Neither layers that stack under the filesystem (dm-crypt) or over (eCryptfs; maybe AegisFS) quite have the ability to make a file impossible for root-with-all-the-passwords to access again (well, dm-crypt can do it by removing the whole filesystem at once...).

Securely deleting files from ext4 filesystems

Posted Oct 13, 2011 4:29 UTC (Thu) by idupree (subscriber, #71169) [Link]

Actually, perhaps eCryptfs allows encrypting filenames now; that FAQ looks out of date. I am trying to find if there is a current, authoritative or thorough, source of documentation.

Securely deleting files from ext4 filesystems

Posted Oct 13, 2011 16:58 UTC (Thu) by bronson (subscriber, #4806) [Link]

Maybe the FAQ meant "shared encryption of filenames is a planned feature?"

Filenames are definitely encrypted:

6iunrlZi-dPSMlPILVYHNzf6  hmHIsA,bJvYNyeZHLfsymDqJ  w-n3rfYuKwJ-tzutdvQFHptg
aMZxjk4YBpJ9RduR24WILNZL  JwXaP3iCGg6qnvRy,tACFneM  wyLevtLXq4lPaJ6lQY42TO2b
atquOpNlClvXb-ebMwIN2Unq  ObCNzE4DugID75tRzXh9nw-x  XhpFHg8UPto8c8GbAitAgcnN
dy3BqGdPF,IZxDIZY9Flvg96  WjwZb6kosJEaMepnDYuJKmat  yYAxEsFk-33ftNf5c97exIwU

File sizes and directory structure, however, are not. They can still leak a fair amount of information. For me that's no big deal... I don't mind too much if someone figures out where I store my financial documents as long as they can't read the names and numbers.

Securely deleting files from ext4 filesystems

Posted Oct 13, 2011 5:02 UTC (Thu) by lemmings (subscriber, #53618) [Link]

Unfortunately there is not much in the way of docs available. The source code is at:

http://meego.gitorious.org/meego-platform-security/aegis-...

ecryptfs could work great for applications with a little bit of magic to provide a C library which would mount a ecryptfs directory into the process's name space (using unshare(2)). Would need to figure out how to do key management though.. Not sure if there is a freedesktop.org standard yet..

Securely deleting files from ext4 filesystems

Posted Oct 13, 2011 7:09 UTC (Thu) by djwong (subscriber, #23506) [Link]

The use of the adverb "securely" is a bit unfortunate. As you point out, ext4 can't control the behavior of the underlying hardware, which means that it can't guarantee that the deletion is actually secure. You might have a SCSI bus analyzer that records every write sent to the drive, in which case ext4 tells you that the deletion is "secure" ... but someone else can easily reconstruct the file.

A better name would be "make this file difficult to recover or undelete at the /dev/sdX block device interface level" delete, but that's clunky. I suspect that this attribute is sort of an opposite to chattr +u, if you will.

What about shred(1)?

Posted Oct 13, 2011 6:56 UTC (Thu) by djwong (subscriber, #23506) [Link]

That depends -- if only the file contents are precious, then shred will securely wipe the data blocks, since with the default mount options, file data doesn't go through the journal. If you're using data=journal mode, you can always write $JOURNAL_SIZE amount of data to fill up the journal thereby overwriting anything that was in it. If, however, the metadata was also precious, then yes, shred alone might not have been sufficient. Though it isn't difficult to change most of the fields in an inode/extent tree/attributes from userspace.

What about shred(1)?

Posted Oct 13, 2011 7:34 UTC (Thu) by lemmings (subscriber, #53618) [Link]

Yes and no.

With a magnetic hard disk, the writes from shred will overwrite the sectors which contain the data. There is a risk though of copies of the data being left on the platter in the event of bad sector remapping though.

With a SSD, the writes from shred will be to new flash segments. With flash memory, erases and writes are separate operations. A SSD keeps a number of pre-erased segments around which are used to hold new writes whilst the old segments are erased in the background.

At a higher level, depending on what applications manipulate the data, you may also have to watch out for deleted temporary copies of your file. A FS defiling tool (or at a minimum dd if=/dev/zero of=crud; shred -u crud) can help remove those traces.

What about shred(1)?

Posted Oct 13, 2011 8:57 UTC (Thu) by michaeljt (subscriber, #39183) [Link]

> A FS defiling tool (or at a minimum dd if=/dev/zero of=crud; shred -u crud) can help remove those traces.

Even better if that is build deeper into the filesystem, especially so that it can use the build-in capabilities of SSD drives. Or then again, perhaps not - from the article, "Secure discard handles the deletion internally to the device - perhaps just by marking the relevant blocks unreadable until something else overwrites them - eliminating the need to perform extra I/O from the kernel." Doesn't sound quite as safe as immediately overwriting the space.

What about shred(1)?

Posted Oct 14, 2011 2:41 UTC (Fri) by zlynx (subscriber, #2285) [Link]

An SSD might not securely delete the contents when requested.

On the other hand, it will almost certainly not delete the data if you attempt to delete by overwriting, because of wear leveling.

So going with secure delete/TRIM which will probably work, against overwriting which will probably not work, the choice is clear.

What about shred(1)?

Posted Oct 14, 2011 3:02 UTC (Fri) by raven667 (subscriber, #5198) [Link]

The choice is clear, yes, use full-disk encryption...Tools like shred are probably not worth your time.

key management

Posted Oct 17, 2011 14:19 UTC (Mon) by jpnp (subscriber, #63341) [Link]

So now you've exchanged a media wiping problem for a key management problem, hardly a panacea.

key management

Posted Oct 17, 2011 21:50 UTC (Mon) by raven667 (subscriber, #5198) [Link]

Maybe not a panacea but a far more understandable and tractable problem.

The alternative is storing everything in the clear and then making bad assumptions about how the underlying technology works so that you can try and fail to wipe the data when required because you don't really control or understand the underlying storage.

What about shred(1)?

Posted Oct 13, 2011 18:09 UTC (Thu) by arjan (subscriber, #36785) [Link]

I for one would not be surprised if magnetic disks start to do much more aggressive remapping for the non-bad-sector case to help performance(benchmarks) just in order to compete with SSD's...
so I'd be rather hesitant to declare this "SSD only".

And then there's caches on magnetic disks.. sometimes these are battery/capacitor backed... but they could be flash as well.

The paranoid better encrypt in the higher levels.

Securely deleting files from ext4 filesystems

Posted Oct 13, 2011 21:20 UTC (Thu) by sciurus (subscriber, #58832) [Link]

It'a also worth citing Craig Wright, Dave Kleiman and Shyaam Sundhar R.S.'s Overwriting Hard Drive Data: The Great Wiping Controversy

Securely deleting files from ext4 filesystems

Posted Oct 14, 2011 0:38 UTC (Fri) by njs (guest, #40338) [Link]

Non-paywalled version: http://www.vidarholen.net/~vidar/overwriting_hard_drive_d...

Securely deleting files from ext4 filesystems

Posted Oct 16, 2011 3:04 UTC (Sun) by giraffedata (subscriber, #1954) [Link]

I don't think I'd cite that paper. It is poorly written, from the disorganized presentation of thoughts to the poor grammar (I lost count of the sentences with no verb). That makes it hard to detect the theoretical basis for prior data not being recoverable.

Maybe that doesn't matter because the paper also reports empirical results, with numerical conclusions of the probability of recovering prior data that are insignificantly small. However, amazingly, the paper does not describe the method. I.e. it does not say how the investigators attempted to recover the data. (Maybe that is embedded in the ungrammatical and to me unintelligible sentence, "both drive skew and the bit was read.").

One thing the paper sort of hints at is the reason I believe the conclusion -- that you can't recover prior data from an overwritten disk -- is true. In the quest for greater density of current data, disk drive engineers have squeezed out whatever redundancy used to allow a drive to store both the current data and some of the prior data.