Securely delete files...

Robert J. Hansen rjh at sixdemonbag.org
Thu Aug 21 06:10:32 CEST 2008


Kunal Shah wrote:
> I wouldn't argue about methods discussed here to destroy the disk.
> However one consideration is, what data we are talking about. In my
> CISSP course, I was not taught to *destroy* data or protect it. I was
> just taught to make it so difficult for a hacker to access it so that
> compared to the amount of time spent on recovery and resource it is
> worthless.

Sure you were.  You were taught -- or should have been taught -- to
discover the facts, and to develop your security implementation in light
of both your policy and the facts.

Fact: there is no effective and reliable way to nondestructively scrub
data from a modern PRML/EPRML hard drive.  (If you could definitely say
"yes, I'm writing data to this particular spot on the hard drive", then
you probably could; but that's kind of a fantasy.)

Imagine you have a one sentence security policy: "hard drives must not
leave traces of old files visible to forensic examiners."

Imagine you have a one sentence security implementation: "hard drives
will be scrubbed every week."

Well -- crap.  You just discovered that your implementation is bogus,
because it's at odds with the facts.  You have to head this off at the
pass.  How do you do it?  One option is to use full volume encryption.
Okay, fine: your implementation, version 2.0, is "hard drives will use
full volume encryption."

Now you have to figure out how the policy changeover will work... which
is to say, how to move from version 1.0 to version 2.0 in a way that
will still uphold your security policy.

You copy all the information from the old drives to the new drives.
Congratulations: the new drives never need to be scrubbed.  The old
drives, however... you know people can make forensic recovery from them,
because you know they can't be scrubbed.

So after making sure that you have a correct copy of the data from the
old drives, you thermite them, you shred the disk platters, you etch the
platter surfaces with sulfuric acid... whatever.  You utterly destroy
them, putting the drive permanently beyond use.

I can only speak for myself here, but I strongly suspect Werner, David,
Mark and everyone else who's been chiming in will agree -- we are not
talking about total destruction of hard drives as something you should
want to do.

We're talking about total destruction of hard drives as the _only
realistic way to scrub data._

If you need your data scrubbed, you're going to have to nuke your hard
drive.  It's that simple.  On your new hard drive, you should probably
use some technique to make sure you never need to scrub data -- not
unless you like thermiting hard drives.



ObWarning: many of the techniques we've discussed for destroying hard
drives are really quite dangerous.  Thermite is _not_ a friendly
chemical.  Neither is sulfuric acid.  Even an approach as low-tech as
hammering the platters into oblivion can be dangerous -- see Werner's
statement about all the shards that hit his safety glasses.  Before
destroying a hard drive, learn how to do it safely.





More information about the Gnupg-users mailing list