gbde blackening feature - how can on disk keys be "destroyed" thoroughly?

David Kreil kreil at
Sat Sep 4 16:33:04 PDT 2004

Dear Poul-Henning,

Thank you very much for your comments!

> >From what I can see so far, they are simply overwritten with zeros - is
> >that 
> >right? If so, the blackening feature would be much weakend, as one can read 
> >up to 20 layers of data even under random data (and more under zeros).
> >I would 
> >be most grateful for comments, or suggestions of where/how one could extend 
> >the code to do a secure wipe of the key areas. Also, I know practically
> >nothing 
> >of how I could to best get FreeBSD to physically write to disk 
> >(configurability of hardware cache etc permitting).
> On a modern disk there is no sequence of writes that will guarantee
> you that your data is iretriveable lost.
> Even if you rewrite a thousand times, you cannot guard yourself against
> the sector being replaced by a bad block spare after the first write.

Good point. In the rare chance event that this happens, it would indeed be bad 
news as an attacker would then only have to scan the bad blocks for possible 
copies of the key.

> If your threat-analysis indicates this is a serious threat for you,
> you should arrange for simple physical destruction of your disk to
> be available.
> Most modern disks have one or more holes in the metal only covered
> by a metalic sticker.  Pouring sulfuric acid through those openings
> is a good start.

Hmm... to me, the main benefit of the blackening feature would seem to be the possibility of compliance with a court directive without disclosing confidential data. With multiple key holders, any particular person can maintain that they have done all they could to comply. Not only is the optics of having your disks are found in vats of sulfuric acid rather bad, it's also more unlikely that "a moment of opportunity" arises.

A simple improvement on the present situation would already be if the keys were not overwritten with zeros but with random bits. I don't know how difficult it would be to attempt to physically write random bits multiple times but it would much strengthen the feature apart from the rare cases when the sectors of the masterkey have been remapped into bad blocks.

As rightly pointed out in the manpages, the better the encryption gets, the more likely are attacks via other routes. Reading a few layers of the current masterkey location + all bad blocks with an MFM should cost no more than a few thousand $.

What do you think? Is the required effort disproportional to the intended value of the blackening feature?

With many thanks again for your help

and best regards,


Dr David Philip Kreil                 ("`-''-/").___..--''"`-._
Research Fellow                        `6_ 6  )   `-.  (     ).`-.__.`)
University of Cambridge                (_Y_.)'  ._   )  `._ `. ``-..-'
++44 1223 764107, fax 333992         _..`--'_..-_/  /--'_.' ,'   (il),-''  (li),'  ((!.-'

More information about the freebsd-fs mailing list