LWN.net News from the source
| LWN.net needs you! Without subscribers, LWN would simply not exist. Please consider signing up for a subscription and helping to keep LWN publishing |
Deleting a file is sufficient to make it go away as far as the directory structure is concerned; that important, not-backed-up document is gone before the careless user has even removed a repentant finger from the "enter" key. On the underlying storage device, though, parts or all of the doomed file can live on indefinitely. A suitably determined person can often recover data from a file that was thought to be deleted and gone. In some situations, this persistence of data can be most unwelcome. Paper shredders exist for situations where recovery of a "deleted" paper document is undesirable; there is clear value in a similar functionality for filesystem-based files.
A look at the chattr man page indicates that "secure delete" functionality can be enabled for a file by setting the right attribute flag. The only problem is that most filesystems do not actually honor that flag; it's a sort of empty security theater. Even the TSA does a better job. The ext4 secure delete patch set from Allison Henderson may fill that particular gap for the ext4 filesystem, but a few things will need to be fixed up first.
The core part of the patch is relatively straightforward: if part or all of a file is being deleted, the relevant blocks will be overwritten synchronously as part of the operation. By default, the blocks are overwritten with zeroes, but there is an option to use random bytes from the kernel's entropy pool instead. A bit of care must be taken when the file involved contains holes - it wouldn't do to overwrite blocks that don't exist. There is also some logic to take advantage of the "secure discard" feature supported by some devices (solid-state disks, primarily) if that feature is available. Secure discard handles the deletion internally to the device - perhaps just by marking the relevant blocks unreadable until something else overwrites them - eliminating the need to perform extra I/O from the kernel.
The job does not stop there, though. The very existence of the file - or information contained in its name - could be sensitive as well. So the secure delete code must also clear out the directory entry associated with the file (if it is being deleted, as opposed to just truncated, obviously). Associated metadata - extended attributes, access control lists, etc - must also be cleaned out in this way.
Then there is the little issue of the journal. At any given time, the journal could contain any number of blocks from the deleted file, possibly in several versions. Clearly, sanitizing the journal is also required, but it must be done carefully: clearing journal blocks before the associated transaction has been committed could result in a corrupted filesystem and/or the inability to recover properly from a crash. So the first thing that must happen is a synchronous journal flush.
Once any outstanding transactions have been cleared, the (now old and unneeded) data in the journal can be cleaned up. The only problem is that the journal does not maintain any association between its internal blocks and the files they belong to in the filesystem. The patch addresses that problem by adding a new data structure mapping between journal blocks and file blocks; the secure deletion code then traverses that structure in search of blocks in need of overwriting.
The journal cleanup code drew some complaints from developers; the first problem is that directory and metadata blocks are not cleared from the journal. The deeper complaint, though, was that it represented an excessive mixing of the two layers; the filesystem really should not have an overly deep understanding of how the journal works. The end result is that some of this cleanup work is likely to move into the jbd2 journaling layer; as an added benefit, other filesystems should then be able to take advantage of it as well.
Darrick Wong also pointed out that this block mapping is not, itself, written to the journal; if the system were to crash before the journal could be cleaned, that cleanup would not happen after a reboot. He suggested that filesystems should mark blocks in need of secure deletion when they are first added to a journal transaction; the journal code could take care of things from then on. It seems like a cleaner solution, but there is, naturally, a catch.
That catch is that there is no way to create a file with the "secure delete" attribute set; that attribute must be added after the fact. One would assume that users would ask for secure delete before actually writing any data to the file, but associated information (the file name, for example) must exist before the file can be so marked. So the journal may well contain blocks for "secure delete" files that will not be marked for overwriting. There is no way to fix that within the existing POSIX API.
Darrick suggested a few ways to deal with this problem. One is to just give up and tell developers that, if even the name of the file is important, they should create that file under a temporary name, set the "secure delete" attribute, then rename the file to its real name. An alternative would be to mark the blocks for all newly-created files as needing overwriting; that would eliminate the race to get the attribute set at the cost of slowing down all file creation operations. Or, he said, the journal could track the mapping between blocks and files, much as Allison's patch does. One other option would be to mark the entire filesystem as needing secure delete; that feature, evidently, is already in the works, but enabling it will have an obvious performance cost.
The end result is that there are a few details to be worked out yet. The feature seems useful, though, for users who are concerned about data from their files hanging around after the files themselves have been deleted. Perhaps, around the 3.3 kernel or thereafter, "chattr +s" on ext4 will be more than bad security theater.
Securely deleting files from ext4 filesystems
Posted Oct 13, 2011 2:45 UTC (Thu) by lemmings (guest, #53618) [Link]
It would be much better for distributions to "standardise" on an easy to use encrypted store for applications.
Something like a more generic version of AegisFS which Nokia made for the N9/N950 could be ideal:
http://harmattan-dev.nokia.com/docs/library/html/guide/ht...
Securely deleting files from ext4 filesystems
Posted Oct 13, 2011 4:08 UTC (Thu) by idupree (guest, #71169) [Link]
This deletion feature already goes beyond what you get from using either of two popular Linux crypto filesystems:
If you use LUKS/dm-crypt and you "rm" a file. If you securely delete it then no one can ever read it (except by physical surgery on the hard drive or other copies of the data). If you plainly delete it, the data persists, and if someone breaks your encryption* then they might still be able to read it. (*via live system compromise, or someone guessing your encryption password, or your mind having a fit of remorse (or coercion) and wanting to read the data even though your company or past self wanted it deleted, etc.)
If you use eCryptfs, it currently doesn't even attempt to hide the filenames. ( http://ecryptfs.sourceforge.net/ecryptfs-faq.html#filenam... ). This article's secure delete does attempt to delete the filenames. I don't see anything about secure deletion in this eCryptfs FAQ either, so relying on eCryptfs may also have the same risks I described under LUKS/dm-crypt.
Even a single pass of overwriting with zeroes, even on a drive with sector remapping, would prevent casual electronic attacks: someone would have to physically obtain and open the drive to get the data out. (Or the drive could have firmware bugs. Alas. Is this common?) Neither layers that stack under the filesystem (dm-crypt) or over (eCryptfs; maybe AegisFS) quite have the ability to make a file impossible for root-with-all-the-passwords to access again (well, dm-crypt can do it by removing the whole filesystem at once...).
Securely deleting files from ext4 filesystems
Posted Oct 13, 2011 4:29 UTC (Thu) by idupree (guest, #71169) [Link]
Securely deleting files from ext4 filesystems
Posted Oct 13, 2011 16:58 UTC (Thu) by bronson (subscriber, #4806) [Link]
Maybe the FAQ meant "shared encryption of filenames is a planned feature?"Filenames are definitely encrypted:
6iunrlZi-dPSMlPILVYHNzf6 hmHIsA,bJvYNyeZHLfsymDqJ w-n3rfYuKwJ-tzutdvQFHptg aMZxjk4YBpJ9RduR24WILNZL JwXaP3iCGg6qnvRy,tACFneM wyLevtLXq4lPaJ6lQY42TO2b atquOpNlClvXb-ebMwIN2Unq ObCNzE4DugID75tRzXh9nw-x XhpFHg8UPto8c8GbAitAgcnN dy3BqGdPF,IZxDIZY9Flvg96 WjwZb6kosJEaMepnDYuJKmat yYAxEsFk-33ftNf5c97exIwUFile sizes and directory structure, however, are not. They can still leak a fair amount of information. For me that's no big deal... I don't mind too much if someone figures out where I store my financial documents as long as they can't read the names and numbers.
Securely deleting files from ext4 filesystems
Posted Oct 13, 2011 5:02 UTC (Thu) by lemmings (guest, #53618) [Link]
http://meego.gitorious.org/meego-platform-security/aegis-...
ecryptfs could work great for applications with a little bit of magic to provide a C library which would mount a ecryptfs directory into the process's name space (using unshare(2)). Would need to figure out how to do key management though.. Not sure if there is a freedesktop.org standard yet..
Securely deleting files from ext4 filesystems
Posted Oct 13, 2011 7:09 UTC (Thu) by djwong (subscriber, #23506) [Link]
A better name would be "make this file difficult to recover or undelete at the /dev/sdX block device interface level" delete, but that's clunky. I suspect that this attribute is sort of an opposite to chattr +u, if you will.
What about shred(1)?
Posted Oct 13, 2011 3:57 UTC (Thu) by pr1268 (subscriber, #24648) [Link]
Does this mean that using shred -u on files on an Ext4 FS are in vain?
What about shred(1)?
Posted Oct 13, 2011 6:56 UTC (Thu) by djwong (subscriber, #23506) [Link]
What about shred(1)?
Posted Oct 13, 2011 7:34 UTC (Thu) by lemmings (guest, #53618) [Link]
With a magnetic hard disk, the writes from shred will overwrite the sectors which contain the data. There is a risk though of copies of the data being left on the platter in the event of bad sector remapping though.
With a SSD, the writes from shred will be to new flash segments. With flash memory, erases and writes are separate operations. A SSD keeps a number of pre-erased segments around which are used to hold new writes whilst the old segments are erased in the background.
At a higher level, depending on what applications manipulate the data, you may also have to watch out for deleted temporary copies of your file. A FS defiling tool (or at a minimum dd if=/dev/zero of=crud; shred -u crud) can help remove those traces.
What about shred(1)?
Posted Oct 13, 2011 8:57 UTC (Thu) by mjthayer (subscriber, #39183) [Link]
Even better if that is build deeper into the filesystem, especially so that it can use the build-in capabilities of SSD drives. Or then again, perhaps not - from the article, "Secure discard handles the deletion internally to the device - perhaps just by marking the relevant blocks unreadable until something else overwrites them - eliminating the need to perform extra I/O from the kernel." Doesn't sound quite as safe as immediately overwriting the space.
What about shred(1)?
Posted Oct 14, 2011 2:41 UTC (Fri) by zlynx (subscriber, #2285) [Link]
An SSD might not securely delete the contents when requested.On the other hand, it will almost certainly not delete the data if you attempt to delete by overwriting, because of wear leveling.
So going with secure delete/TRIM which will probably work, against overwriting which will probably not work, the choice is clear.
What about shred(1)?
Posted Oct 14, 2011 3:02 UTC (Fri) by raven667 (subscriber, #5198) [Link]
key management
Posted Oct 17, 2011 14:19 UTC (Mon) by jpnp (subscriber, #63341) [Link]
key management
Posted Oct 17, 2011 21:50 UTC (Mon) by raven667 (subscriber, #5198) [Link]
The alternative is storing everything in the clear and then making bad assumptions about how the underlying technology works so that you can try and fail to wipe the data when required because you don't really control or understand the underlying storage.
What about shred(1)?
Posted Oct 13, 2011 18:09 UTC (Thu) by arjan (subscriber, #36785) [Link]
And then there's caches on magnetic disks.. sometimes these are battery/capacitor backed... but they could be flash as well.
The paranoid better encrypt in the higher levels.
Securely deleting files from ext4 filesystems
Posted Oct 13, 2011 4:31 UTC (Thu) by josh (subscriber, #17465) [Link]
See, among other sources, http://web.archive.org/web/20090616233917/http://sansfore... and https://www.infosecisland.com/blogview/16130-The-Urban-Le... . I've also previously seen substantial prizes offered for the demonstrated ability to recover data from a drive overwritten once with zeroes, none of them ever awarded.
Securely deleting files from ext4 filesystems
Posted Oct 13, 2011 21:20 UTC (Thu) by sciurus (subscriber, #58832) [Link]
It'a also worth citing Craig Wright, Dave Kleiman and Shyaam Sundhar R.S.'s Overwriting Hard Drive Data: The Great Wiping Controversy
Securely deleting files from ext4 filesystems
Posted Oct 14, 2011 0:38 UTC (Fri) by njs (guest, #40338) [Link]
Securely deleting files from ext4 filesystems
Posted Oct 16, 2011 3:04 UTC (Sun) by giraffedata (subscriber, #1954) [Link]
I don't think I'd cite that paper. It is poorly written, from the disorganized presentation of thoughts to the poor grammar (I lost count of the sentences with no verb). That makes it hard to detect the theoretical basis for prior data not being recoverable.
Maybe that doesn't matter because the paper also reports empirical results, with numerical conclusions of the probability of recovering prior data that are insignificantly small. However, amazingly, the paper does not describe the method. I.e. it does not say how the investigators attempted to recover the data. (Maybe that is embedded in the ungrammatical and to me unintelligible sentence, "both drive skew and the bit was read.").
One thing the paper sort of hints at is the reason I believe the conclusion -- that you can't recover prior data from an overwritten disk -- is true. In the quest for greater density of current data, disk drive engineers have squeezed out whatever redundancy used to allow a drive to store both the current data and some of the prior data.
Securely deleting files from ext4 filesystems
Posted Oct 13, 2011 7:53 UTC (Thu) by lolando (subscriber, #7139) [Link]
Securely deleting files from ext4 filesystems
Posted Oct 13, 2011 12:14 UTC (Thu) by corbet (editor, #1) [Link]
Ext4 will normally overwrite blocks (btrfs, instead, is copy-on-write). The idea behind this patch set is that any blocks released from the file (as in the truncate case you mention) will be cleared/randomized by the filesystem code.
Securely deleting files from ext4 filesystems
Posted Oct 13, 2011 13:11 UTC (Thu) by abatters (✭ supporter ✭, #6932) [Link]
Securely deleting files from ext4 filesystems
Posted Oct 13, 2011 19:56 UTC (Thu) by NAR (subscriber, #1313) [Link]
Securely deleting files from ext4 filesystems
Posted Oct 20, 2011 6:34 UTC (Thu) by kevinm (guest, #69913) [Link]
The logical conclusion of this is that the "secure delete" setting of the file itself should not affect whether the filename is securely deleted; rather, it is the setting of the +S flag on the directory containing the name that should matter.
Attributes of the file refer to the contents of the file. Attributes of the directory refer to the contents of the directory (the filenames in that directory).
Copyright © 2011, Eklektix, Inc.
This article may be redistributed under the terms of the
Creative
Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds