On Sat, Sep 22, 2012 at 09:05:27PM +0200, Claudio Moretti wrote:
> >
> > I meant if I am on full disk encryption if it's worth the extra CPU
> > clocks to do a safe erase of certain files, given the data is already
> > random looking from the outside. It wasn't about the whole drive.
> >
> >
> The point is exactly that: your data looks random from the outside, but not
> from the inside. If an attacker gets access to your running computer or
> discovers your password, dm-crypt cannot protect you, because the attacker
> has access to your unencrypted hard drive.

Exactly. So if you erase a full disk/partition, my earlier comment
applies. For erasing a single file securely inside a LUKS or dm-crypt
container, do overwrites. There is evidence that a single
overwrite is enough for magnetic disks. For journalling
filesystems (ext3/4, e.g.), it may be necessary to still
wipe the whole partition for HDDs and for SSDs, a full
secure erase including physical destruction afterwards may be
the only way.

My recommendation would be to do ext2 and use wipe with 4 random
overwrites for HDDs and to not put anything secret on SSDs.

If you are comfortable with ordinary, not secure, erase,
just use that, but take into account that once your key
is compromised, your erased data may be compromised.

Incidentally, I believe all this can be found in the FAQ.

Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
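
The single-file case from the reply above, as an added example that is not part of the original message and not the `wipe` tool it mentions: overwrite a file in place with random data four times, but refuse on any filesystem other than ext2, since a journalling filesystem may keep copies elsewhere. The names `fstype_of` and `wipe_file` are hypothetical, and the code does not detect SSDs, so the SSD caveat from the reply still applies.

```python
import os
import sys

CHUNK = 1 << 20          # write in 1 MiB pieces
IN_PLACE_FS = {"ext2"}   # assumption taken from the post: only ext2 is trusted here

def fstype_of(path, mounts_text):
    """Filesystem type of the longest matching mount point in /proc/mounts-format text."""
    real, best, fstype = os.path.realpath(path), "", None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        mnt = fields[1]
        inside = real == mnt or real.startswith(mnt.rstrip("/") + "/")
        if inside and len(mnt) > len(best):
            best, fstype = mnt, fields[2]
    return fstype

def wipe_file(path, mounts_text, passes=4, unlink=True):
    """Overwrite path in place with random data `passes` times, then delete it.
    Returns the bytes written; raises if the filesystem may keep stale copies."""
    fstype = fstype_of(path, mounts_text)
    if fstype not in IN_PLACE_FS:
        raise RuntimeError(f"{fstype}: in-place overwrite unreliable, wipe the partition")
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:       # r+b rewrites existing blocks, no truncation
        for _ in range(passes):
            f.seek(0)
            left = size
            while left:
                n = min(CHUNK, left)
                f.write(os.urandom(n))
                left -= n
                written += n
            f.flush()
            os.fsync(f.fileno())       # push each pass to the device before the next
    if unlink:
        os.unlink(path)
    return written

if __name__ == "__main__":
    with open("/proc/mounts") as m:    # Linux only
        print(wipe_file(sys.argv[1], m.read()), "bytes overwritten")
```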