secrets lying around on the HD
Adrian 'Dagurashibanipal' von Bidder
avbidder at fortytwo.ch
Tue Apr 13 14:34:59 CEST 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Tuesday 13 April 2004 12.57, Per Tunedal Casual wrote:
> BTW I tested the encryption in WindowsXP Pro, downloaded a "recovery
> tool" and could "recover" the encrypted files in 0,3 seconds when
> logged in as a different user. How? Are the keys left unencrypted on
> the HD?
You will almost always have unencrypted copies of the file contents
lying around after encrypting and deleting the unencrypted file: it is
almost impossible to force the file system to really overwrite blocks
of a file - writing to an existing file is allowed to allocate new
blocks on the filesystem instead of overwriting the currently allocated
blocks.
To ensure that unencrypted file contents are really overwritten, you'll
have to read the filesystem code to understand how block allocation
works (so you may come to the conclusion that a certain way of
overwriting a file will never allocate new blocks), or you'll have to
write a filesystem yourself, offering control over overwriting blocks
to the application. (I *think* that there was some version of the Linux
file system ext2 offering the option of overwriting deallocated blocks
automatically. Or perhaps this was just a rumour - not sure at all.)
The next step is paging: either disable paging entirely, or use an
encrypted swap file/swap partition (with quite high performance cost,
of course.) Or, as a compromise, code something up to automatically
overwrite the swap partition on system shutdown (users of swap files
run into the same problems as above.)
The next thing to worry about will then be block re-allocation within
the disc: all modern discs may reallocate disc blocks internally on
some errors - and some tools might get data from there. (Once you are
at this level of paranoia, you've probably got the budget to run all
your systems from solid state disks - yank the battery out and nobody
will ever recover anything.)
greetings
- -- vbi
- --
You are what you see.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: get my key from http://fortytwo.ch/gpg/92082481
-----END PGP SIGNATURE-----
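
An added example, not part of the original message: a Python sketch that zeroes a file through its existing inode and uses the Linux FIEMAP ioctl to report whether the filesystem kept the data in the same physical blocks, which is the allocation behaviour the reply says cannot be taken for granted. It assumes Linux; the function names and the sample plaintext are constructed for illustration, and the block check reports `None` where the filesystem does not support FIEMAP.

```python
import fcntl, os, struct, tempfile

FS_IOC_FIEMAP = 0xC020660B          # Linux _IOWR('f', 11, struct fiemap)
FIEMAP_FLAG_SYNC = 0x1              # flush dirty data before mapping
HDR, EXT = "=QQIIII", "=QQQQQIIII"  # struct fiemap / struct fiemap_extent

def physical_extents(fd, max_extents=32):
    """Return [(physical_offset, length), ...], or None if FIEMAP is unsupported."""
    buf = bytearray(struct.pack(HDR, 0, 2**64 - 1, FIEMAP_FLAG_SYNC, 0, max_extents, 0)
                    + bytes(struct.calcsize(EXT) * max_extents))
    try:
        fcntl.ioctl(fd, FS_IOC_FIEMAP, buf)
    except OSError:
        return None
    mapped = struct.unpack_from(HDR, buf)[3]   # fm_mapped_extents
    out = []
    for i in range(mapped):
        ext = struct.unpack_from(EXT, buf, struct.calcsize(HDR) + i * struct.calcsize(EXT))
        out.append((ext[1], ext[2]))           # fe_physical, fe_length
    return out

def overwrite_in_place(path, chunk=1 << 16):
    """Zero a file through its existing inode; report whether its blocks stayed put."""
    fd = os.open(path, os.O_RDWR)   # no O_TRUNC: truncating would free the old blocks
    try:
        size = os.fstat(fd).st_size
        before = physical_extents(fd)
        done = 0
        while done < size:
            done += os.write(fd, bytes(min(chunk, size - done)))
        os.fsync(fd)
        after = physical_extents(fd)
    finally:
        os.close(fd)
    same = None if before is None or after is None else before == after
    return {"size": size, "before": before, "after": after, "same_blocks": same}

def demo():
    """Run the overwrite on a constructed sample file in the temp directory."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"constructed plaintext sample\n" * 1000)
        f.flush(); os.fsync(f.fileno())
    try:
        report = overwrite_in_place(f.name)
        with open(f.name, "rb") as g:
            report["zeroed"] = g.read() == bytes(report["size"])
        return report
    finally:
        os.unlink(f.name)

if __name__ == "__main__":
    print(demo())
```

A `same_blocks` value of `False` means the overwrite landed in newly allocated blocks and the old plaintext blocks were only freed; `True` still says nothing about swap or sectors the drive has remapped internally.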
More information about the Gnupg-users
mailing list