Abstract
Securely deleting data from storage systems has become difficult today. Most storage space is provided as a virtual resource and traverses many layers between the user and the actual physical storage medium. Operations to properly erase data and wipe out all its traces are typically not foreseen, particularly not in networked and cloud-storage systems. This paper introduces a general cryptographic model for policy-based secure deletion of data in storage systems, whose security relies on the proper erasure of cryptographic keys. Deletion operations are expressed in terms of a policy that describes data destruction through deletion attributes and protection classes. The policy links attributes as specified in deletion operations to the protection class(es) that must be erased accordingly. A cryptographic construction is presented for deletion policies given by directed acyclic graphs; it is built in a modular way by exploiting the fact that secure deletion schemes may be composed with each other. The model and the construction unify and generalize all previous encryption-based techniques for secure deletion. Finally, the paper describes a prototype implementation of a Linux filesystem with policy-based secure deletion. © 2013 ACM.
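The idea of deletion by key erasure over a policy graph can be sketched as follows. This is an added example, not the paper's construction or its prototype code. It assumes a simplified semantics in which a protection class becomes unreadable as soon as any ancestor attribute is deleted, and the `POLICY` graph, the `Store` class and the hash-based keystream (a toy stand-in for a real authenticated cipher) are all constructed for illustration.

```python
import hashlib, hmac, secrets

# Constructed policy DAG (assumption): node -> parents. Nodes without parents
# are deletion attributes; all other nodes are protection classes.
POLICY = {
    "alice": [], "project_x": [], "y2013": [],
    "alice_x": ["alice", "project_x"],
    "alice_x_2013": ["alice_x", "y2013"],
    "x_archive": ["project_x"],
}

class Store:
    def __init__(self, policy):
        self.policy = policy
        # Only attribute keys are stored; this dict models the small erasable memory.
        self.attr_keys = {n: secrets.token_bytes(32)
                          for n, parents in policy.items() if not parents}
        self.blobs = {}  # ciphertexts on bulk storage, assumed not reliably erasable

    def _key(self, node):
        parents = self.policy[node]
        if not parents:
            return self.attr_keys[node]  # raises KeyError once erased
        # A class key needs every parent key, so losing one ancestor loses the class.
        material = b"".join(self._key(p) for p in sorted(parents))
        return hmac.new(material, node.encode(), hashlib.sha256).digest()

    def _xor(self, key, nonce, data):
        stream = hashlib.shake_256(key + nonce).digest(len(data))
        return bytes(a ^ b for a, b in zip(data, stream))

    def protect(self, name, cls, data):
        nonce = secrets.token_bytes(16)
        self.blobs[name] = (cls, nonce, self._xor(self._key(cls), nonce, data))

    def read(self, name):
        cls, nonce, ct = self.blobs[name]
        try:
            return self._xor(self._key(cls), nonce, ct)
        except KeyError:
            return None  # key underivable: ciphertext remains, plaintext is gone

    def delete(self, attribute):
        # Models key erasure; a real system must overwrite the key material itself.
        self.attr_keys.pop(attribute, None)

def demo():
    s = Store(POLICY)
    s.protect("f1", "alice_x_2013", b"report")
    s.protect("f2", "x_archive", b"archive")
    s.delete("alice")  # affects only classes reachable from "alice"
    return s.read("f1"), s.read("f2")
```

Deleting `alice` leaves `f2` readable because `x_archive` depends only on `project_x`; a later `delete("project_x")` would make both files unrecoverable.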