Assured deletion of a file guarantees that the data contained within the file is unrecoverable. The techniques used to preserve a file until it is no longer needed, such as the creation of backup copies of a file and the storage of those backup copies in multiple locations, make assured deletion a complicated task. An alternative to having multiple backup copies of a file and then having to delete each backup copy of the file in all its varied storage locations is to encrypt the contents of the file with a key. As long as the key remains secret, the contents of the file remain secret, and the destruction of the key guarantees that the contents of the file cannot be recovered when the file is to undergo assured deletion.
However, the advantage granted by use of an encryption key also raises issues about access to the file. If the key is lost prematurely, while the data in the file is still useful and/or needed, and no backup copies of the key exist, then the data is lost. The obvious solution to this problem, creating backup copies of the key, results in the same issues that using an encryption key is supposed to avoid—namely, in order to have assured deletion of the file, the key and all of its backup copies stored in various locations must be destroyed.
One alternative to this is to use a device called an ephemerizer with public keys with expiration dates, and the ephemerizer deletes the private key at the expiration time. The file system may assure non-recoverability of files after their expiration date by encrypting files with an ephemerizer public key with the desired expiration date. Alternatively, the file system may encrypt files that all should expire at the same time with the same secret key, and store a backup of that secret key with an ephemerizer public key with that expiration date. To achieve the desired result despite ephemerizer failures, or ephemerizers that do not delete keys, files or keys may be encrypted with multiple ephemerizer public keys, such that they can be recovered with a quorum of ephemerizers.
On-demand delete is a process in which the file system keeps a database of keys for all its files. An ephemerizer is utilized in order to allow backups of the key database while still allowing assured delete. The ephemerizer, or a quorum of ephemerizers, keeps at least two public keys at all times: the current public key and the previous public key. The file system encrypts snapshots of the key database with the current public key. Periodically, the ephemerizer(s) are told to destroy the previous public key and generate a new key. The file system starts encrypting backups of the key database with the current public key, and backups encrypted with the old previous public key become unrecoverable. Typically, there is some method to ensure that only the authorized owner of the file system may recover the data in case of data loss. This may be done with an extra level of encryption of the backup of the key database using a system administrator secret, or the ephemerizer(s) may have some means of authenticating the file system when asked to decrypt, such as being installed with a cryptographic key with which to authenticate decryption requests.
A key manager maintains two copies of an ephemerizer's public key, the current public key and the previous public key. The previous public key was used to encrypt a previous version of the key table (K), which itself was used to encrypt a previous version of the key table of the file system. The current public key is as above. When the previous version of the key table of the file system is no longer needed, the previous public key of the ephemerizer(s) may be thrown away. The current public key then becomes the previous public key, a new public key is created, and the encryption process is followed as described above.
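The key rotation just described, modelled as an added example that is not the patent's own code: an ephemerizer holding a current and a previous key pair, a file system that snapshots its key database under the current public key, and a rotation step that destroys the previous private key so that older snapshots become unrecoverable. Tiny textbook RSA with constructed primes stands in for a real public-key scheme, and the `Ephemerizer`, `snapshot`, `restore` and `demo` names are this example's own.

```python
"""Toy on-demand delete (added example, not the patent's code): snapshots of the
key database are encrypted under the ephemerizer's current public key, and each
rotation destroys the previous private key. Tiny textbook RSA is a stand-in."""
import json

_PRIMES = [(61, 53), (59, 53), (67, 53), (71, 53)]  # constructed; one pair per generation
_E = 17  # public exponent, coprime with (p-1)(q-1) for every pair above

class Ephemerizer:
    def __init__(self):
        self._gen, self._priv = 0, {}  # _priv: key id -> (n, d)
        self.current, self.previous = self._new_key(), None

    def _new_key(self):
        p, q = _PRIMES[self._gen]
        self._gen += 1
        kid = f"eph-{self._gen}"
        self._priv[kid] = (p * q, pow(_E, -1, (p - 1) * (q - 1)))
        return kid, p * q  # public key (id, modulus) handed to the file system

    def rotate(self):
        """Destroy the previous private key; current becomes previous."""
        if self.previous is not None:
            del self._priv[self.previous[0]]  # the assured delete; nothing can undo it
        self.previous, self.current = self.current, self._new_key()

    def decrypt(self, kid, blob):
        if kid not in self._priv:
            return None  # that private key was destroyed: unrecoverable
        n, d = self._priv[kid]
        return bytes(pow(c, d, n) for c in blob)

def snapshot(eph, key_db):
    """Back up the key database under the current public key (byte-wise toy RSA)."""
    kid, n = eph.current
    return kid, [pow(b, _E, n) for b in json.dumps(key_db, sort_keys=True).encode()]

def restore(eph, snap):
    plain = eph.decrypt(*snap)
    return None if plain is None else json.loads(plain)

def demo():
    eph, key_db = Ephemerizer(), {"a.txt": "k-a"}  # constructed per-file keys
    snap1 = snapshot(eph, key_db)  # encrypted under eph-1
    eph.rotate()                   # eph-1 becomes "previous": snap1 still recoverable
    key_db["b.txt"] = "k-b"
    snap2 = snapshot(eph, key_db)  # encrypted under eph-2
    before = restore(eph, snap1) == {"a.txt": "k-a"}
    eph.rotate()                   # eph-1 private key destroyed: snap1 unrecoverable
    return before, restore(eph, snap1), restore(eph, snap2) == key_db
```

`demo()` returns `(True, None, True)`: the older snapshot is readable while its key is still the previous one, becomes unreadable after the next rotation, and the newer snapshot remains recoverable.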
This process is described in greater detail in co-pending U.S. patent application Ser. No. 11/214,958, filed on Aug. 29, 2005, now U.S. Pat. No. 7,596,696, issued Sep. 29, 2009, entitled EFFICIENTLY MANAGING KEYS TO MAKE DATA PERMANENTLY UNREADABLE, the entire contents of which are hereby incorporated by reference.