
I was pondering this: sometimes people ask me to erase data on their drive. So I use a shredding program, which takes a long time. However, what if instead of shredding all the files, I just used TrueCrypt to encrypt them? The disk would be useless then, no? Would the data still be recoverable for someone without the password? It would be faster, no?

I'd use a strong password. I just want to make the data unusable.

AviD
Lucas Kauffman

3 Answers

Modern research seems to indicate that performing a single zero-pass of a hard drive is sufficient for most data dispositions. In which case, no, performing a file or partition encryption would not be faster. Except in the case of hardware-accelerated encryption (such as the newer Intel i series processors), encryption speed is CPU bound, whereas a single zero-pass would be I/O bound. Even in the face of hardware acceleration, we still run into the problem of performing an I/O bound function, making it no faster.

Sometimes there are specific policies, laws, or regulations that require something more stringent. In these cases you will often have very specific disposition requirements, which you should be following anyway.

Scott Pack

I think that while @Scott is absolutely right - these days, unless you need a multi-pass for regulatory reasons, wiping data is fast - the much simpler solution is to have the entire drive encrypted using a strong passphrase, then lose the passphrase when you need to destroy the data.

Your risk will be around someone having a copy of that passphrase. Other than that, the data should be gone.

Rory Alsop

Note that most modern remote wipe solutions (where you signal a piece of mobile hardware like a phone "you've been lost/stolen, delete all your data") use exactly this technique because of the speed advantages: they encrypt the whole storage and simply have to securely delete the local copy of the encryption key when they receive the wipe instruction. – Graham Hill Mar 15 '12 at 09:05

Yes, encrypt the drive.

Typically, the pass phrase is only used to derive a key to encrypt/decrypt the real key. This allows changing the pass phrase without re-encrypting the whole drive.

"Losing" the pass phrase is still relatively weak: chances are a brute force against the pass phrase will succeed before a brute force against the actual key (unless you are really paranoid and your pass phrase has more entropy than the key).

So, in addition to losing the pass phrase, you will want to overwrite with random data the area where the key material is stored. This is also why LUKS scatters the key material over a large area -- you are more likely to actually be able to destroy it by overwriting it.

Terrel Shumway
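As an added illustration of the key hierarchy Terrel describes (pass phrase derives a key-encryption key that wraps the real data key) and of the "lose the passphrase" approach in Rory's answer, here is a toy encrypted volume written for this page; it is not code from any of the answers, nor from LUKS or TrueCrypt. The header layout, the HMAC-based counter-mode cipher standing in for AES, and every function name are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Header layout (constructed for this demo, loosely modelled on a LUKS key slot):
# salt | DEK wrapped under the passphrase-derived KEK | DEK digest | nonce | body
SALT, WRAP, DIGEST, NONCE, BODY = slice(0, 16), slice(16, 48), slice(48, 64), slice(64, 80), slice(80, None)

def kek_from_passphrase(passphrase: bytes, salt: bytes) -> bytes:
    # The pass phrase never encrypts data directly; it only derives the key-encryption key.
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000)

def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter-mode keystream with HMAC-SHA256 as the PRF: a stdlib-only stand-in for AES-XTS.
    out = bytearray()
    for i, off in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + i.to_bytes(8, "big"), "sha256").digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def format_volume(passphrase: bytes, plaintext: bytes) -> bytearray:
    dek, salt, nonce = secrets.token_bytes(32), secrets.token_bytes(16), secrets.token_bytes(16)
    kek = kek_from_passphrase(passphrase, salt)
    wrapped = ctr_xor(kek, b"\x00" * 16, dek)            # DEK encrypted under the KEK
    digest = hashlib.sha256(dek).digest()[:16]            # lets open_volume detect a bad unwrap
    return bytearray(salt + wrapped + digest + nonce + ctr_xor(dek, nonce, plaintext))

def open_volume(volume: bytearray, passphrase: bytes):
    kek = kek_from_passphrase(passphrase, bytes(volume[SALT]))
    dek = ctr_xor(kek, b"\x00" * 16, bytes(volume[WRAP]))
    if hashlib.sha256(dek).digest()[:16] != bytes(volume[DIGEST]):
        return None                                       # wrong pass phrase or destroyed key slot
    return ctr_xor(dek, bytes(volume[NONCE]), bytes(volume[BODY]))

def change_passphrase(volume: bytearray, old: bytes, new: bytes) -> bool:
    # Only the wrapped DEK is rewritten; the encrypted body is untouched.
    kek = kek_from_passphrase(old, bytes(volume[SALT]))
    dek = ctr_xor(kek, b"\x00" * 16, bytes(volume[WRAP]))
    if hashlib.sha256(dek).digest()[:16] != bytes(volume[DIGEST]):
        return False
    salt = secrets.token_bytes(16)
    volume[SALT] = salt
    volume[WRAP] = ctr_xor(kek_from_passphrase(new, salt), b"\x00" * 16, dek)
    return True

def shred_key_slot(volume: bytearray) -> None:
    # Crypto-shred: overwrite the key material with random bytes. The body stays on disk,
    # but without the DEK it is indistinguishable from noise, whatever pass phrase is tried.
    volume[SALT.start:NONCE.start] = secrets.token_bytes(NONCE.start - SALT.start)
```

Note the header-copy caveat this makes visible: any backup of the header taken before shred_key_slot, together with the pass phrase in force at that time, still unwraps the data key, which is why overwriting the key material matters more than merely forgetting the pass phrase.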