Eraser: Your Data Won't Be Back

A short introduction for those who haven't read the full paper.

Storage media with opaque on-board controllers make it a challenging task to provide strong, file-level secure deletion guarantees on modern computers. For instance, SSDs often utilize hardware controllers that manipulate I/O operations performed on logical device blocks in order to implement wear leveling and minimize the effects of write amplification. As a result, secure deletion methods that base their security on behavioral assumptions regarding older mechanical disk drives are rendered ineffective.

We present Eraser, a technique to provide secure deletion guarantees at file granularity, independent of the characteristics of the underlying storage medium. The approach builds on prior seminal work on cryptographic erasure, encrypting every file on an insecure medium with a unique key that can later be discarded to cryptographically render the data irrecoverable. To make the approach scalable and, therefore, usable on commodity systems, keys are organized in an efficient tree structure where a single master key is confined to a secure store.

Eraser is implemented in a Linux kernel module as a device-mapper target, and can be deployed on a standard computer with a TPM chip. Eraser volumes are exposed to the user as ordinary block device nodes. A userland tool is also provided for easy management of Eraser volumes.

For a more in-depth explanation of Eraser's capabilities, please refer to the full study available here.

Downloads

Eraser kernel module for Linux kernel version 4.7. (ver.2018.02.11)

Eraser userland tool to manage Eraser volumes. (ver.2018.02.11)

Please see the included README file for detailed information on setup and usage. As its name implies, Eraser gives you many opportunities to irreversibly destroy your data, so please make sure you understand how the tool works before you start using it.

Usage

(1) To create a new Eraser instance on a block device:

           eraser create <block-device> <tpm-nvram-index>
   e.g.    eraser create /dev/sdb1 5

This operation will destroy all data on the device.

(2) To open an Eraser instance created on a block device:

           eraser open <block-device> <eraser-name>
   e.g.    eraser open /dev/sdb1 my-eraser-dev

The open command by default maps the virtual device to "/dev/mapper/eraser". You can specify a different name using the [--mapped-dev] option.

The mapped device can then be formatted with a filesystem and used just like any other block device.

(3) To close an open Eraser instance:

           eraser close <eraser-name>
   e.g.    eraser close my-eraser-dev

(4) To list open Eraser instances:

           eraser list

(5) See "eraser --help" for a summary of available options.

Troubleshooting

(1) Please make sure you compile and run Eraser with the correct Linux kernel version. We developed Eraser using version 4.7. Eraser is known NOT to compile/work with earlier kernel releases.

(2) You need reasonably recent versions of libdevmapper and GCC to compile the Eraser userland tool. If you are using a distro that splits software into separate development packages (e.g., Debian, Ubuntu) remember to install the libdevmapper headers as well (e.g., often found in the package device-mapper-dev).

(3) Userland tools also require the corresponding OpenSSL and TrouSerS libraries to compile and function correctly.

(4) "make notpm" will compile the userland tools to work without a TPM. Instead a file under "/tmp/tpm_test" will be used to simulate the NVRAM.

(5) Eraser kernel module is known not to compile in certain virtual machine environments, due to virtualization limitations.

(6) Eraser volumes created on USB flash drives connected to virtual machines may behave abnormally (e.g., Eraser may refuse to open/close volumes).

Known Issues

Please contact me if you discover other problems.

(1) Changes made to the kernel between the time of development and publication of this work required certain changes to the code. In particular, I have removed certain behavior around key rotations & caching until I re-implement and test them properly. Do not be surprised if the implementation description in the paper does not match the code 100%.

Change Log

ver.2018.02.11 First release.

Credits

This software is based on the following research work carried out at Northeastern University and NEU SecLab.

Eraser: Your Data Won't Be Back
Kaan Onarlioglu, William Robertson, Engin Kirda
IEEE European Symposium on Security and Privacy (EuroS&P)
London, GB, April 2018

Authors' version of the full paper is available here. If you would like to acknowledge our research or software in your works, please use the following citation information.

@inproceedings{eurosp2018eraser,
    author = {Kaan Onarlioglu and William Robertson and Engin Kirda},
    title = {{Eraser: Your Data Won't Be Back}},
    booktitle = {IEEE European Symposium on Security and Privacy (EuroS\&P)},
    month = apr,
    year = {2018},
}

Eraser kernel module is free software licensed under GPLv2. © 2018 Kaan Onarlioglu

Eraser userland tool is free software licensed under GPLv3. © 2018 Kaan Onarlioglu