undefined | Better HN

0 pointsSyonyk4y ago0 comments

If your plaintext is that sensitive, it should never touch media in that form.

If the storage media (spinning rust, SSD, USB key, etc) is to see sensitive data, the device must be encrypted at the block level such that plaintext never touches it.

At that point, destroying it is a "nice to have," but not really required. Without the encryption key, it's just a source of pseudorandom data, and destroying a key securely is an awful lot more reliable than destroying a large amount of data.

However, if you have some media that you don't want recovered, what you do to it depends somewhat on the media.

If the drive is encrypted and spinning rust, I totally trust a dd of /dev/zero, followed by a hexdump of the device to verify that it's all zeros (hexdump, by default, won't show repeated lines, so if you see a line of 0s, a ** line, and then it finishes, the drive is zeroed).

For SSDs that either haven't contained sensitive data or have been encrypted, blkdiscard is fine, though enough devices don't implement it properly that you must hexdump it after, and if that shows anything, give 'er a couple passes of /dev/zero with a blkdiscard after. And then let it sit, powered on, for a couple hours to finish processing whatever it has queued.

If a drive has sensitive plaintext on it, you should zero it a few times, then, how's your industrial grinder look?

For spinning rust, to actually remove any residual data, you'll want to bring the platters above the Curie temperature that will scramble magnetic domains. "Glowing red from a propane torch" should do this, though thermite may be a bit more fun.

Putting bullets through them will satisfy the requirement for preventing casual recovery, but any residual data is still there if you wanted to get really fancy, even with a bullet hole or few in the drive.

For SSDs, I would generally take a good torch to the drive, get it "as glowing as possible," then sledegehammer it. There shouldn't be much left beyond powder after that, and at that point, the data is well and truly gone. If you want to be sure, a good "Will it Blend?" test of the remains should cover your edge cases, though I wouldn't use a blender you ever intend to use on food...

But, really, if you're at all concerned about this realm of data destruction, you must be using block device encryption.

0 comments

sandworm1014y ago

>> If your plaintext is that sensitive, it should never touch media in that form.

I don't disagree, but I am not god emperor yet. There are plenty of occasions when very sensitive information is stored as plaintext with no practicable encryption options. For instance, good luck finding a reasonably priced camera that encrypts data when it saves it to a card. Say that camera was used to gather evidence of crimes, perhaps by photographing victims in hospital. Plaintext. Very sensitive data. On a USB-readable consumer-grade device. I once had a client with a desk drawer full of old cards from such a camera.

In such situations, ironically, a cellphone might be a more secure option. Although using a phone introduces lots of other problems, at least the images can be saved encrypted immediately upon creation.

j / k navigate · click thread line to collapse