On 07/23/2018 07:06 AM, Richard Weinberger wrote:
> On Fri, Jul 20, 2018 at 1:50 AM, Theuns Verwoerd
> <theuns.verwo...@alliedtelesis.co.nz> wrote:
>> Security certifications such as FIPS require the capability to securely
>> delete files, which is problematic under JFFS2's log-based model.  We can
> Can you please be a little more specific about the certifications?
https://www.niap-ccevs.org/Documents_and_Guidance/view_td.cfm?td_id=133

gives some level of context.  I believe both FIPS and CC have similar 
expectations around key deletion.
> These days secure deletion at file system level is almost impossible to
> achieve since you don't have full control of the storage stack.
> I know, I know, in the raw flash case we have, but still. It makes
> things very complicated.
>
> A common approach to delete a file in a secure way is having it
> encrypted and upon deletion you forget the key.
> Wouldn't that work for you too?
To retain granularity for managing individual keys, you'd require a 1:1 
key-to-access-key (ktak).  Because keys are expected to be persistent, 
so must the ktak be - at which point we've replaced the requirement for 
securely deleting a key with one to securely delete a ktak.
(In addition, since this approach falls outside the specific language 
used in the certification guidance documents, it'd need to be justified 
in detail, which adds risk.)

Regards,

Theuns
KRN
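The scheme Richard sketches (encrypt each file under its own key, forget the key on delete) and the objection in the reply above, as an added example that is not part of this thread nor JFFS2 code: an append-only log standing in for flash, a per-file key table as the "ktak", and a switch for where that key table lives. A toy HMAC-SHA256 counter-mode cipher stands in for a real AEAD; ShreddingFS, its record layout and the key_table_on_log flag are assumptions made for illustration.

```python
"""Crypto-shredding on an append-only, log-structured store (stdlib only).

Illustrative model, not JFFS2: nothing on `log` is ever overwritten in place,
a delete only appends a tombstone, and the only mutable state is `key_table`.
"""
import hashlib
import hmac
import secrets
from typing import Optional


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode, XORed over data.
    Stands in for a real AEAD (AES-GCM or similar); the key handling is the point."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class ShreddingFS:
    """Files are ciphertext records on an append-only log. Each file has its own
    data key; forgetting that key is what 'deletes' the plaintext.

    key_table_on_log=True  models keeping the key table on the same flash log,
                           wrapped under a persistent KEK (old key records survive).
    key_table_on_log=False models a key table in a store that can actually be
                           erased (secure element, dedicated erasable region, ...)."""

    def __init__(self, key_table_on_log: bool = False):
        self.log = []                        # append-only: (kind, name, nonce, payload)
        self.key_table = {}                  # live view: name -> 32-byte data key
        self.key_table_on_log = key_table_on_log
        self.kek = secrets.token_bytes(32)   # persistent key-encryption key (assumed)

    def write(self, name: str, data: bytes) -> None:
        if name not in self.key_table:
            self.key_table[name] = secrets.token_bytes(32)
            if self.key_table_on_log:
                nonce = secrets.token_bytes(16)
                wrapped = keystream_xor(self.kek, nonce, self.key_table[name])
                self.log.append(("key", name, nonce, wrapped))
        nonce = secrets.token_bytes(16)
        self.log.append(("data", name, nonce, keystream_xor(self.key_table[name], nonce, data)))

    def _latest(self, kind: str, name: str):
        for rec in reversed(self.log):
            if rec[0] == kind and rec[1] == name:
                return rec
        return None

    def read(self, name: str) -> Optional[bytes]:
        key = self.key_table.get(name)
        rec = self._latest("data", name)
        if key is None or rec is None:
            return None
        return keystream_xor(key, rec[2], rec[3])

    def delete(self, name: str) -> None:
        """Forget the key; the ciphertext record stays on the log (no in-place erase)."""
        self.key_table.pop(name, None)
        self.log.append(("tombstone", name, b"", b""))

    def ciphertext_still_on_flash(self, name: str) -> bool:
        return self._latest("data", name) is not None

    def forensic_recover(self, name: str) -> Optional[bytes]:
        """What someone holding a raw flash image (and the persistent KEK) gets back."""
        data_rec = self._latest("data", name)
        key_rec = self._latest("key", name)
        if data_rec is None or key_rec is None:
            return None
        data_key = keystream_xor(self.kek, key_rec[2], key_rec[3])
        return keystream_xor(data_key, data_rec[2], data_rec[3])


if __name__ == "__main__":
    for on_log in (False, True):
        fs = ShreddingFS(key_table_on_log=on_log)
        fs.write("k1", b"secret key material")   # constructed sample content
        fs.delete("k1")
        print("key table on log:", on_log,
              "| read:", fs.read("k1"),
              "| ciphertext on flash:", fs.ciphertext_still_on_flash("k1"),
              "| forensic:", fs.forensic_recover("k1"))
```

With the key table held off the log, deleting the file means dropping one entry and the leftover ciphertext is useless; with the key table on the same log-structured flash, every old key record is still there next to the ciphertext, so "securely delete the file" has simply become "securely delete the key record", which is the recursion the reply above describes.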