Data Deletion


This project started in Spring 2010 and is now closed.


Prof. David Basin, Information Security Group, ETH
Prof. Srdjan Capkun, System Security Group, ETH
Joel Reardon, System Security and Information Security Group, ETH
Hubert Ritzdorf, System Security and Information Security Group, ETH


The data deletion project’s goal is to study secure deletion at a variety of layers, from secure deletion on personal devices to secure deletion on networked and distributed systems. Secure deletion refers to the process of erasing data from a storage medium such that the data is afterwards irrecoverable even when given full access to the storage medium. We study data deletion as a problem for personal users protecting their privacy and corporate actors adhering to regulations with regards to data access and storage.
Secure deletion is almost always ignored in file system design, largely for performance reasons. Typically, deletion is implemented as a rapid operation where a file is unlinked, meaning its metadata states that it is no longer present, while the file’s actual data remain in storage until overwritten by new data.

Device-level Secure Deletion
The first phase of this project is secure deletion at the device level. We will ensure that data deleted from portable devices, such as a mobile smart phone, is actually irrecoverable. Our research will focus on flash storage medium, as it is the standard memory type for portable storage devices.
Flash memory presents a unique secure deletion challenge among storage medium, as erasures happen at a much larger granularity than read and write operations, and in-place updates are not permitted. We look at flash memory when accessed through a flash translation layer and when using a flash file system that directly accesses the memory, and propose solutions for both environments.
Phase-change RAM is a new portable storage medium recently announced by IBM. It has different characteristics than flash memory, and will thus result in differing file system paradigms. We will learn what the relevant file systems are for this memory, and see how secure deletion can be added to these file systems. We will test the efficacy of secure deletion for these file systems when acting on this storage medium.

File-system-level Secure Deletion
The second phase of this project considers secure deletion at the file system level. We propose a change to the flash memory file system UBIFS and show how it promptly and securely erases any data on the device with minimal wear on the storage medium. We compare this approach with regards to the solutions we have previously developed for flash memory and quantify its improvements.

Magnetic tape is the venerable standard for long-term archival storage. It must be written end-to-end, and must be entirely rewritten in order to delete any data that it contained. Moreover, magnetic tapes are often stored in off-line storage vaults, so their contents cannot be easily accessed. We will study the state of the art in encryption and key management based scheme to ensure the secure deletion of off-line data. We will develop new schemes, and compare them with regards to resource cost, availability, and timeliness of deletion.

A distributed file system stores data across multiple repositories. The file system’s interface exposes only a single set of its stored files, however they may be stored with high redundancy in multiple locations. Backups of the data in full or in part may occur, and so data deletion must act on all copies of the data. We will study existing distributed file systems and consider how secure deletion can be added. We will integrate our key-storage solutions as a tool to ensure timely deletion in distributed settings. We will quantify the cost in terms of time and performance for using such techniques.

System-level Secure Deletion
Data deletion at the system level is the highest layer that we consider for this project. This will unify the previous research as components in a system designed to easily enable secure deletion in a highly-mobile cloud computing environment. We consider, as an example scenario, mobile users who wish to shred their electronic mails immediately after they are read. This data must be highly available prior to be being deleted, and promptly removed from all storage devices—locally on portable devices and remotely in cloud storage—after having been marked for deletion.


Joel Reardon, Hubert Ritzdorf, David Basin, Srdjan Capkun

Secure Data Deletion from Persistent Media

In Proceedings of the ACM Conference on Computer and Communication Security (CCS), 2013

Joel Reardon, David Basin, Srdjan Capkun

SoK: Secure Data Deletion
In Proceedings of the IEEE Symposium on Security and Privacy (S&P), 2013

Joel Reardon, Srdjan Capkun, David Basin

Data Node Encrypted File System: Efficient Secure Deletion for Flash Memory

In Proceedings of the 21st USENIX Security Symposium, 2012

Joel Reardon, Claudio Marforio, Srdjan Capkun, David Basin

Secure Deletion on Log-structured File Systems

In Proceedings of the ACM Symposium on Information, Computer and Communications Security (ASIACCS), 2012
Related Schweizer Fernsehen: Einstein show 9.6.2011
On-line Report and Secure Deletion Application Download: SHREDroid: Secure Deletion for Android