ERASER: Your Data Won’t Be Back

Kaan Onarlioglu (Akamai Technologies, Cambridge, MA; www.onarlioglu.com), William Robertson (Northeastern University, Boston, MA; [email protected]), Engin Kirda (Northeastern University, Boston, MA; [email protected])

Abstract—Secure deletion of data from non-volatile storage is a well-recognized problem. While numerous solutions have been proposed, advances in storage technologies have stymied efforts to solve the problem. For instance, SSDs make use of techniques such as wear leveling that involve replication of data; this is in direct opposition to efforts to securely delete sensitive data from storage.

We present a technique to provide secure deletion guarantees at file granularity, independent of the characteristics of the underlying storage medium. The approach builds on prior seminal work on cryptographic erasure, encrypting every file on an insecure medium with a unique key that can later be discarded to cryptographically render the data irrecoverable. To make the approach scalable and, therefore, usable on commodity systems, keys are organized in an efficient tree structure where a single master key is confined to a secure store.

We describe an implementation of this scheme as a file-aware stackable block device, deployed as a standalone Linux kernel module that does not require modifications to the operating system. Our prototype demonstrates that secure deletion independent of the underlying storage medium can be achieved with comparable overhead to existing full disk encryption implementations.

1. Introduction

Secure deletion of data from non-volatile storage is a heavily-studied problem. Researchers and developers have proposed a plethora of techniques for securely erasing data from physical media, often employing methods such as overwriting files containing sensitive data in-place, encrypting data with temporary keys that are later discarded, or hardware features that scrub storage blocks. We refer readers to prior work [25] for an in-depth discussion of previous literature on this topic.

Despite these extensive efforts, advances in storage technologies and characteristics of modern hardware still pose significant difficulties to achieving irreversible data deletion. For instance, Solid State Drives (SSDs) often utilize hardware controllers inaccessible to the outside world. These controllers can redirect I/O operations performed on logical device blocks to arbitrary memory cells in order to implement wear leveling and minimize the effects of write amplification. As a result, many secure deletion methods that base their security on behavioral assumptions regarding older mechanical disk drives are rendered ineffective, because tracking and removing sensitive data in modern settings is often infeasible, and sometimes impossible.

In the face of these emerging challenges, recent research has adapted secure deletion technologies to new applications. For example, Reardon et al. [26] present an encrypting file system that guarantees secure erasure on raw flash memory used in smartphones. However, secure deletion remains a challenge on blackbox devices such as the aforementioned SSDs, which only allow access to their storage through opaque hardware controllers that translate I/O blocks in an unpredictable manner.

In this work, we present a technique that provides secure deletion guarantees at file granularity, independent of the characteristics of the underlying storage medium. Our approach is based on the general observations in previous work that secure deletion cannot be guaranteed on a blackbox storage medium with unknown behavior. Therefore, we instead bootstrap secure deletion using a minimal master key vault under the user’s control, such as a Trusted Platform Module chip or a smartcard.

Our approach is an evolution of the cryptographic erasure technique proposed by Boneh and Lipton [8]. At a high level, we encrypt every file on an insecure medium with a unique key, which can later be discarded to cryptographically render a file’s data irrecoverable. Note that while these keys would need to be persisted to keep the files accessible in the future, they cannot be stored on the same medium together with the files since that would then prevent us from securely deleting the keys.

To address this problem, we compress the keys into a single master key that is never persisted to insecure storage, but instead is evicted to the master key vault. To this end, we utilize a key store organized as an n-ary tree (i.e., a tree where each node has up to n children), where every node represents a unique encryption key. We term this key store a file key tree (FKT). Keys corresponding to leaf nodes each encrypt a single file stored on the blackbox medium, and in turn parent nodes encrypt their children nodes. This tree hierarchy compresses the master secret to a single encryption key, the root node, which is never persisted to the blackbox storage but is instead easily evicted to the master key vault. In contrast, the rest of the tree nodes (i.e., encrypted keys) are stored together with the files on the insecure device.

In this model, securely deleting a file from an FKT of capacity $|F|$ involves decrypting $n \log_n |F|$ nodes, regenerating $\log_n |F|$ keys, and re-encrypting the $n \log_n |F|$ nodes with the new keys. During this process, the master key is also securely wiped from the vault and replaced with a fresh one. In this way, the previous path leading to the deleted file will be rendered irrecoverable.

We implemented this technique as a file-aware stackable block device, which is deployed as a stand-alone Linux kernel module that does not require any modification to the operating system architecture. As the name implies, our implementation exposes a virtual block device on top of an existing physical device installed on the computer. Users can format this drive with any file system and interact with it as they would normally do with a physical disk. Our block level implementation is able to capture higher-level file system information to identify file blocks, while providing I/O performance significantly better than a file system-level solution.

The contributions of this paper are as follows.

  • We present a secure deletion technique called ERASER that builds on the cryptographic erasure primitive. In contrast to previous work, ERASER guarantees performant irrecoverability of deleted files on blackbox storage media with unknown characteristics, such as modern SSDs equipped with opaque hardware controllers. We achieve this property by bootstrapping cryptographic erasure from a cheap, commodity external key vault such as a Trusted Platform Module chip or smartcard.
  • We discuss the design choices involved in realizing our approach in practice, and present a prototype implementation of ERASER as a file-aware stackable block device for Linux.
  • We demonstrate that ERASER can provide full disk encryption on top of secure file deletion, and exhibits comparable performance to dm-crypt, the standard Linux disk encryption solution.

Availability. Source code of ERASER is licensed under GPLv2 and GPLv3, and is publicly available on the primary author’s website.

2. Background & Related Work

2.1. Related Work

Secure deletion approaches have been investigated at several different layers of abstraction.

[…] most direct interpretation, secure deletion can be performed through destruction of the physical medium through various means. Scenarios where these methods apply are out of scope for this paper.

Secure deletion can also be performed at the hardware controller. For magnetic media, SCSI and ATA controllers provide a Secure Erase command that overwrites every physical block. Some SSDs also provide such a command. However, this is a coarse-grained approach to secure deletion that is difficult to improve upon since, without knowledge of the file system, controllers cannot easily distinguish data to be preserved from data to be deleted. Furthermore, prior work has shown that hardware-level secure deletion is not always implemented correctly [31].

File System-based Solutions. The next layer of abstraction is at the file system. Here, secure deletion approaches can take advantage of file system semantics, but are potentially restricted by the device driver interface.

One class of techniques is aimed at devices for which the operating system can reliably perform in-place updates (e.g., magnetic disks). Many specific techniques have been proposed, including queuing freed blocks for explicit overwrite [7], [18], [19] as well as intercepting unlink and truncation events for user space scrubbing [19].

Other techniques are intended for devices such as raw flash memory, where there is asymmetry between the minimum sizes of read or write and erase operations (described below). A notable example is DNEFS [26], which modifies the file system to encrypt each data block with a unique key and co-locates keys in a dedicated storage area. Secure deletion is implemented by erasing the current key storage area and replacing it with a new version. During this replacement, keys corresponding to deleted data are not included in the new version.

However, a fundamental underlying assumption of these approaches – that the operating system can directly read or write physical blocks as in the case of magnetic hard drives or raw flash memory – is not valid for modern storage devices such as SSDs as we describe below.

User-level Tools. User space is the highest layer of abstraction from which secure deletion can be attempted. These approaches are restricted to the file system API exposed by the operating system to accomplish their task.

One example of such an approach is Secure Erase [16], an application that simply invokes the Secure Erase command on a storage controller. However, as discussed above, this is not a reliable secure deletion mechanism.

User-level tools can also attempt to explicitly overwrite data to be securely deleted [12], a popular approach first proposed by Gutmann [15]. However, these approaches assume that overwriting a block using the interface provided by the operating system guarantees that all copies of that data …
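As an added illustration of the file key tree (FKT) and the re-keying cost given in the introduction, the following stand-alone Python model is this editor's own and not the paper's code (ERASER itself is a Linux kernel module published on the author's website). It builds an n-ary tree of keys whose root is held in a simulated vault, wraps every other node key under its parent, encrypts each file under its leaf key, and implements secure deletion by unwrapping the n siblings at each level of the path, regenerating the path keys and the master key, and re-wrapping the siblings. The cipher is a stdlib HMAC-SHA256 keystream standing in for a real block cipher, and the names FileKeyTree, xor_prf, secure_delete and the vault attribute are assumptions of this example. The counts it returns can be checked against the $n \log_n |F|$ decryptions and $\log_n |F|$ key regenerations quoted above.

```python
import hashlib
import hmac
import os


def xor_prf(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style cipher: XOR data with an HMAC-SHA256 keystream.

    Stdlib-only stand-in for the block cipher a real implementation would use.
    It is unauthenticated, so decrypting under the wrong key yields garbage
    rather than an error. Encryption and decryption are the same operation.
    """
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


class FileKeyTree:
    """n-ary file key tree (FKT) of depth d, so capacity |F| = n**d files.

    Every node is a key. Each non-root node key sits on the "insecure device"
    wrapped under its parent's key; each leaf key encrypts one file. Only the
    root key lives in the vault (a TPM or smartcard in the paper; an attribute here).
    """

    KEY_LEN = 32

    def __init__(self, arity: int, depth: int) -> None:
        self.n, self.d = arity, depth
        self.capacity = arity ** depth
        self.vault = os.urandom(self.KEY_LEN)   # master key, never written to the device
        self.nodes = {}                          # (level, idx) -> wrapped node key on the device
        self.files = {}                          # file id -> ciphertext on the device
        keys = {(0, 0): self.vault}
        for level in range(1, depth + 1):        # build top-down, wrapping each key under its parent
            for idx in range(arity ** level):
                keys[(level, idx)] = os.urandom(self.KEY_LEN)
                parent = keys[(level - 1, idx // arity)]
                self.nodes[(level, idx)] = self._wrap(parent, level, idx, keys[(level, idx)])

    @staticmethod
    def _wrap(parent_key: bytes, level: int, idx: int, node_key: bytes) -> bytes:
        """Wrap (or, since the cipher is XOR-based, unwrap) a node key under its parent's key."""
        nonce = level.to_bytes(4, "big") + idx.to_bytes(8, "big")
        return xor_prf(parent_key, nonce, node_key)

    def _path(self, file_id: int) -> list:
        """Node indices on the root-to-leaf path, one per level 1..d."""
        return [file_id // self.n ** (self.d - level) for level in range(1, self.d + 1)]

    def _leaf_key(self, file_id: int) -> bytes:
        """Walk down from the vault, unwrapping log_n|F| nodes."""
        key = self.vault
        for level, idx in enumerate(self._path(file_id), start=1):
            key = self._wrap(key, level, idx, self.nodes[(level, idx)])
        return key

    def write(self, file_id: int, data: bytes) -> None:
        self.files[file_id] = xor_prf(self._leaf_key(file_id), b"file", data)

    def read(self, file_id: int) -> bytes:
        return xor_prf(self._leaf_key(file_id), b"file", self.files[file_id])

    def secure_delete(self, file_id: int) -> dict:
        """Cryptographically erase file_id by re-keying its whole path.

        Unwraps the n siblings at each of the log_n|F| levels, draws a fresh key
        for every path node (the leaf's old key is dropped), re-wraps those
        siblings, and replaces the master key in the vault. Returns the counts.
        """
        path = self._path(file_id)
        plain = {}
        decrypted = 0
        parent_key = self.vault
        for level, idx in enumerate(path, start=1):      # step 1: unwrap siblings along the path
            base = idx - idx % self.n
            for sib in range(base, base + self.n):
                plain[(level, sib)] = self._wrap(parent_key, level, sib, self.nodes[(level, sib)])
                decrypted += 1
            parent_key = plain[(level, idx)]
        for level, idx in enumerate(path, start=1):      # step 2: fresh keys for the path nodes
            plain[(level, idx)] = os.urandom(self.KEY_LEN)
        self.vault = os.urandom(self.KEY_LEN)            # old master key evicted, fresh one installed
        parent_key = self.vault
        for level, idx in enumerate(path, start=1):      # step 3: re-wrap under the new parent keys
            base = idx - idx % self.n
            for sib in range(base, base + self.n):
                self.nodes[(level, sib)] = self._wrap(parent_key, level, sib, plain[(level, sib)])
            parent_key = plain[(level, idx)]
        # The file's ciphertext is left on the device on purpose: a blackbox SSD
        # may retain copies regardless, and without the old leaf key it is noise.
        return {"decrypted": decrypted, "regenerated": len(path)}


if __name__ == "__main__":
    fkt = FileKeyTree(arity=4, depth=3)      # |F| = 64 files, log_4 64 = 3 levels
    fkt.write(5, b"top secret")
    fkt.write(6, b"keep me")
    print(fkt.secure_delete(5))              # {'decrypted': 12, 'regenerated': 3}
    print(fkt.read(5) == b"top secret", fkt.read(6))
```

The deleted file's ciphertext is deliberately not removed from the simulated device: the point of cryptographic erasure is that leftover copies, which an opaque controller may keep anyway, become unreadable once the leaf key and every key that could unwrap it have been replaced. Note also that files sharing ancestors with the deleted one (file 6 above) stay readable because their own leaf keys are re-wrapped under the new parents rather than regenerated.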
