Secure Erasing is actually harder than that...

Ray Dillinger bear at sonic.net
Thu Feb 22 11:14:25 PST 2001
On Thu, 22 Feb 2001, Sampo Syreeni wrote:

>On Tue, 20 Feb 2001, Ray Dillinger wrote:
>
>>We need editors that don't put cleartext on the disk when you
>>hit the "save" command.
>
>Why not simply use encrypted hard drives? Make the driver forget key
>material in a fixed period of keyboard inactivity? This would be a helluva
>lot easier than making secure versions of every existing application out
>there...

The problem with an encrypted drive is that the applications that 
are able to write it have got to do key management, and all of 
those existing applications were written with the assumption that 
they didn't have to do key management.

There are various workarounds, but that's what they are - workarounds. 
If your application can read and write an encrypted drive without 
specifically providing the keys, then a trojan on your system can 
read and write an encrypted drive without specifically providing 
the keys. 

These workarounds can only work by "hiding" key management from 
the application, and thus from the user - which means key 
management gets done badly if at all.  Good crypto can't be 
tacked on - it has to be designed in.

Another problem with an encrypted drive is that an encrypted drive is 
infrastructure that someone is likely to not have in place when they 
first discover a real need to encrypt.  

Don't get me wrong -- I believe in encrypted drives.  They provide 
a "mix" so you can't tell which bit was written by what application, 
and that's a valuable service.  But there are limits to what they 
can do or should be relied on to do.  Applications that write to 
(and more importantly, which read from) the encrypted drive should 
themselves be crypto-aware and do proper key management. 

			Bear
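An added illustration of the trust-boundary point in the message above (example code written for this page, not part of Bear's post or the thread): a transparent encrypted volume of the kind proposed in the quoted reply, with a driver that forgets its key after a period of keyboard inactivity; an editor that saves cleartext through it; a crypto-aware application that encrypts under a key the user supplies before the driver ever sees the bytes; and a trojan running in the same session that reads through the driver. The class and function names, the 300-second idle window and the SHA-256 counter-mode stream cipher are assumptions made for the demonstration (the cipher is illustrative, not one to deploy).

```python
import hashlib
import os
import time


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher: SHA-256(key || nonce || counter) blocks
    XORed over the data.  Illustration only, not a production cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class EncryptedVolume:
    """Model of the quoted proposal: a driver that encrypts everything
    transparently and forgets the volume key after `idle_seconds` without
    keyboard activity.  Applications never see or supply a key (assumed design)."""

    def __init__(self, volume_key: bytes, idle_seconds: float, clock=time.monotonic):
        self._key = volume_key
        self._idle = idle_seconds
        self._clock = clock          # injectable so the scenario below is deterministic
        self._last_activity = clock()
        self.blocks = {}             # what is actually on disk: path -> (nonce, ciphertext)

    def keyboard_activity(self) -> None:
        self._last_activity = self._clock()

    def _active_key(self) -> bytes:
        if self._key is not None and self._clock() - self._last_activity > self._idle:
            self._key = None         # key material wiped; no re-unlock path is modelled
        if self._key is None:
            raise PermissionError("volume locked: key material forgotten")
        return self._key

    def write(self, path: str, plaintext: bytes) -> None:
        nonce = os.urandom(16)
        self.blocks[path] = (nonce, keystream_xor(self._active_key(), nonce, plaintext))

    def read(self, path: str) -> bytes:
        nonce, ciphertext = self.blocks[path]
        return keystream_xor(self._active_key(), nonce, ciphertext)


# A crypto-aware application: it encrypts under a key the user supplies before
# the bytes reach the driver, so the driver layer only ever mixes ciphertext.
def app_save(vol: EncryptedVolume, path: str, app_key: bytes, plaintext: bytes) -> None:
    nonce = os.urandom(16)
    vol.write(path, nonce + keystream_xor(app_key, nonce, plaintext))


def app_load(vol: EncryptedVolume, path: str, app_key: bytes) -> bytes:
    blob = vol.read(path)
    return keystream_xor(app_key, blob[:16], blob[16:])


def run_scenario() -> dict:
    """Constructed scenario: one unaware editor, one crypto-aware app, one trojan."""
    clock = [0.0]
    vol = EncryptedVolume(os.urandom(32), idle_seconds=300, clock=lambda: clock[0])
    editor_text = b"cleartext from an editor that knows nothing about keys"
    app_text = b"only readable by whoever holds the application key"
    app_key = os.urandom(32)

    vol.keyboard_activity()                    # user is typing; volume is unlocked
    vol.write("notes.txt", editor_text)        # naive "save": the driver gets cleartext
    app_save(vol, "secret.txt", app_key, app_text)

    results = {}
    clock[0] += 60                             # a minute later, still inside the idle window
    # The trojan runs in the user's session and calls the same driver the editor used.
    results["trojan_editor_file"] = vol.read("notes.txt")      # plaintext, no key needed
    results["trojan_app_file"] = vol.read("secret.txt")        # app-level ciphertext only
    results["app_own_file"] = app_load(vol, "secret.txt", app_key)

    clock[0] += 300                            # now past the idle timeout: key forgotten
    try:
        vol.read("notes.txt")
        results["after_timeout"] = "readable"
    except PermissionError:
        results["after_timeout"] = "locked"
    results["editor_text"] = editor_text
    results["app_text"] = app_text
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value!r}")
```

The idle timeout only helps once the attacker is offline: while the user is working, anything with the user's privileges reads the editor's file in the clear, because the driver hides key management from every caller alike. The application-level file survives that window because its key was never handed to the driver, which is the "designed in, not tacked on" distinction the message draws.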