7

I have an encrypted partition that I mount with cryptsetup at every boot.

Does securely deleting a file (e.g. with srm) on this partition make sense?

I know that from an external point of view an encrypted partition is just random bits.

But if one day I leave the encrypted partition mounted on my system, is it possible that an "attacker" could use a forensic tool to recover files?

sivlab

2 Answers

8

cryptsetup provides "at rest" data security. If the drive is stolen when the machine is off (or, at least, the drive not unlocked) then it's safe.

It does not protect you if someone obtains access to the machine while the drive is unlocked. They can read all your files. And if they obtain root, they can image the unencrypted drive, run undelete programs, and possibly even steal the master encryption key.

So, yes, secure delete has a purpose even on encrypted drives.

derobert
  • Thank you. So perhaps it is useful to periodically run a tool like "sfill"? – sivlab May 01 '15 at 19:43
  • The multi-pass mode probably isn't needed (and is very time-consuming). That's probably true even w/o encryption. But yes, zeroing free disk space is a useful step, if you're worried about (e.g.) someone stealing the machine while it's on. Or someone compromising it. – derobert May 01 '15 at 19:48
  • If you haven't encrypted the whole system, it will be pretty useless, because an attacker can recover some files from SWAP or, even without forensic tools, from /tmp! – DJCrashdummy May 02 '15 at 20:51
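
The single-pass wiping discussed in the answer and comments above, as an added example that is not part of the original posts. The function names `overwrite_in_place` and `zero_free_space` are hypothetical, and the code assumes a magnetic disk with a filesystem that rewrites data in place.

```shell
#!/bin/sh
# Added example (not from the thread): single-pass wiping on a mounted,
# unlocked volume. Assumes a magnetic disk and a filesystem that rewrites
# data in place (not copy-on-write, not flash). Function names are made up.

# overwrite_in_place FILE
# Zero FILE's contents over its existing bytes; the size stays the same.
# Remove the file afterwards with rm.
overwrite_in_place() {
    f=$1
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -gt 0 ] || return 0
    # conv=notrunc writes over the existing file instead of truncating it first
    head -c "$size" /dev/zero | dd of="$f" conv=notrunc 2>/dev/null || return 1
    sync
}

# zero_free_space DIR [MAX_MIB]
# Fill the filesystem holding DIR with one file of zeros, flush, delete it.
# MAX_MIB caps the fill for a trial run; omit it to fill until full.
# Prints the number of bytes zeroed. On ext filesystems the blocks reserved
# for root are only reached when this runs as root.
zero_free_space() {
    dir=$1
    max_mib=${2:-}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    fill="$dir/.zero-fill.$$"
    # An uncapped dd ends with "No space left on device"; that is expected.
    if [ -n "$max_mib" ]; then
        dd if=/dev/zero of="$fill" bs=1048576 count="$max_mib" 2>/dev/null || true
    else
        dd if=/dev/zero of="$fill" bs=1048576 2>/dev/null || true
    fi
    [ -f "$fill" ] || return 1
    sync
    written=$(wc -c < "$fill" | tr -d ' ')
    rm -f "$fill"
    echo "$written"
}
```

Neither function touches copies of the data left in swap or /tmp, which the last comment above points out.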
1

On an SSD (or other flash-based media) every kind of "secure deleting" may be useless! The worst case would be: you are erasing nearly nothing and just killing your device much quicker than necessary! ...This depends on the controller of the device!

In this case the only really secure way would be:

  • If the sensitive data was already stored on this device, erase the complete media! Maybe with a special firmware/command for your device! Maybe trying some different ways also won't be a bad idea...!
  • And now set up your machine and encrypt the whole device (except /boot - it has to be unencrypted), also the SWAP, with LUKS (cryptsetup)!!!
  • Use a really strong password (>= 20 characters)!
  • And lock your system every time you leave your machine!

  • Thank you for the reply. Yeah, I know that on an SSD the only safe method is to use a firmware command. But at this time I have a magnetic HDD, so it's OK to wipe with srm/shred... As you advise, I'll try to encrypt the whole device (now only the partition where I store files is encrypted). But as @derobert points out, even if everything is encrypted, if I accidentally forget to lock my system someone can retrieve deleted files if I don't wipe them with safe tools. – sivlab May 02 '15 at 11:11
  • Well... in the real world, most of the time the weakest point is the human! If you leave your key in the locked door or even forget to lock the door, all thoughts about security are useless! -- One example: if you copied the "sensitive files" once onto a USB stick, you don't need to worry so much about the SWAP! - But on this one point: if you encrypt your data anyway, you can also encrypt the whole system! – DJCrashdummy May 02 '15 at 13:19
  • With the example of the usb-stick you get the point. Sometimes while I'm managing files I accidentally put them on the partition that isn't encrypted and then on the encrypted partition. I have to encrypt the whole system very soon. – sivlab May 02 '15 at 17:07