Bitcoin Forum
Author Topic: Delete/Remove Wallet - shred/overwrite, or merely filesystem delete?  (Read 839 times)
jbreher (OP)
January 21, 2014, 08:41:10 AM
 #1

I am moving Armory off a system that will continue to be used for other tasks. When I ultimately decommission this system months or years in the future, it is likely I will not recall using Armory upon it. Accordingly, I want to render all wallet data on this machine unrecoverable.

Will Delete/Remove Wallet shred the wallet, rendering it unrecoverable by normal forensic methods? Or does it just do a filesystem delete?

If the latter, I'll need to shred the files directly. Are the .wallet files the only files I need to concern myself with shredding/overwriting?

Anyone with a campaign ad in their signature -- for an organization with which they are not otherwise affiliated -- is automatically deducted credibility points.

I've been convicted of heresy. Convicted by a mere known extortionist. Read my Trust for details.
goatpig
Armory Developer
January 21, 2014, 02:44:13 PM
 #2

Assuming you don't hold your .wallet files on an SSD, you'll have to shred them yourself. You only need to concern yourself with .wallet files.

jbreher (OP)
January 22, 2014, 08:34:56 AM
 #3

Hmm. Things are not so rosy. Selecting 'Delete/Remove Wallet' in the GUI not only deletes the view of the underlying .wallet file within Armory, but also performs some sort of delete action upon the .wallet file upon the underlying filesystem.

As the .wallet file no longer exists, it is unable to be shredded.

I thought to quit Armory, recover the .wallet file, then shred it. Unfortunately, I can find no normal recovery tool that will work. Evidently, this has to do with ext3 completely zeroing the inode. Of course, this is probably more secure than merely unlinking it; however, the data sectors are presumably still on the disk somewhere.

What is the expected sequence for someone who wants to secure-erase a wallet?

etotheipi
Core Armory Developer
January 22, 2014, 07:08:37 PM
 #4

We have shied away from tackling this problem, because it's really out of scope for us (the core devs have too). There are so many different filesystem types that have their own ways of handling data on disk. We could do a PhD on how to secure-delete files on each one, and it still would probably not be perfect, and only handle a subset of the filesystems out there.

My recommendation is that if you really want to wipe it, you shred the entire drive from a live CD and then reinstall your OS. Alternatively, one thing that theoretically should work would be to make sure the wallet is deleted, and then do something like "dd if=/dev/urandom of=tempfile.bin" (if Linux), which will create a single file full of random bits that will eventually consume all unused space on your disk. This will force the OS to overwrite all sectors marked as deleted. Then, if the system is still functional, you can remove the file. Repeat a few times to enforce "shredding". Though, depending on the OS, strange things can happen when you literally fill your last byte of free space.

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
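
[Added example, not part of the thread or of Armory: a shell sketch of the free-space fill described in the post above that stops short of a reserve, so the disk never reaches the last byte. The function names, the filler file name and the optional size cap are assumptions made for illustration.]

```shell
#!/bin/sh
# Added example: fill free space with random data but stop short of a
# reserve, sync, then delete the filler. All names here are illustrative.

# free_mb DIR: MiB available to unprivileged writes on DIR's filesystem.
# On ext filesystems df's "Available" column excludes root-reserved blocks,
# so those blocks are not reached when this runs as a normal user.
free_mb() {
    df -Pk "$1" | awk 'NR == 2 { print int($4 / 1024) }'
}

# fill_free_space DIR RESERVE_MB [MAX_MB]
# Writes (free - RESERVE_MB) MiB of /dev/urandom to DIR/wipe-filler.bin,
# optionally capped at MAX_MB (useful for a trial run), then removes the
# file. Prints the number of MiB requested from dd.
fill_free_space() {
    dir=$1 reserve=$2 max=${3:-0}
    filler="$dir/wipe-filler.bin"
    count=$(( $(free_mb "$dir") - reserve ))
    if [ "$count" -le 0 ]; then
        echo "less than ${reserve} MiB free, nothing written" >&2
        return 1
    fi
    if [ "$max" -gt 0 ] && [ "$count" -gt "$max" ]; then
        count=$max
    fi
    status=0
    dd if=/dev/urandom of="$filler" bs=1048576 count="$count" \
        2>/dev/null || status=$?
    sync                       # push the random data out of the page cache
    rm -f -- "$filler"         # always remove the filler, even if dd failed
    [ "$status" -eq 0 ] || return "$status"
    echo "$count"
}

# Typical call (commented out): leave 64 MiB free on the wallet's filesystem.
# fill_free_space "$HOME" 64
```

Blocks that fall inside the reserve are not overwritten, so a smaller reserve covers more of the disk at the cost of running closer to full.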
Holliday
January 22, 2014, 10:04:30 PM
 #5

Quote from: jbreher
"What is the expected sequence for someone who wants to secure-erase a wallet?"

[image] + [image] = [image]

If you aren't the sole controller of your private keys, you don't have any bitcoins.
jbreher (OP)
January 23, 2014, 05:10:07 AM
 #6

Thanks for chiming in etotheipi. I guess from goatpig's description, I anticipated that the 'Delete/Remove Wallet' would have just removed the wallet from Armory's inventory. This would have allowed me to use shred or any other of a number of command-line invocations to perform a secure overwrite algorithm upon the underlying file.

Having said that, I could see that the typical user would probably not follow up with the shred after removing the wallet from Armory's inventory. For such users, your current implementation is probably best.

Now having said that, I'll go on to ask about the general case. Let us assume I had another installation of Armory, and I just wanted to remove one wallet from its inventory. Could I shred the file without Armory running? How confused would Armory get about the missing wallet when I restart it?

jbreher (OP)
January 23, 2014, 05:15:32 AM
 #7

Thanks Holliday - but not really applicable to my situation. You must have missed my opening sentence where I said "I am moving Armory off a system that will continue to be used for other tasks."

My day gig is in the data storage industry. My work occasionally has me creating storage subsystems for military applications. Sometimes, this involves testing of secure erase capabilities. On occasion, I've had the glee of being the guy that flips the switch on both incendiary (thermite) and explosive (C4) tests of 'plane's going down behind enemy lines, must destroy all data' contingencies.

goatpig
Armory Developer
January 23, 2014, 05:31:33 AM
 #8

Armory won't care about a deleted wallet. Go ahead and shred them yourself instead of deleting them through Armory.

My advice to you would be to run Armory with its data dir pointed at an encrypted folder. You can use the --datadir="mypath" command line argument to achieve that. Make sure to move the DB dir to another location with the --dbdir="mydbpath" arg.

It sidesteps the shredding issue by keeping the wallets and their leftovers encrypted.
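
[Added example, not part of the thread or of Armory: one way to shred the .wallet files yourself while Armory is not running, overwriting each file in place, checking that a known string no longer appears in it, and only then unlinking it. The function names and the marker check are assumptions; in-place overwriting is not reliable on SSDs or on journaling and copy-on-write filesystems, as the shred documentation itself notes.]

```shell
#!/bin/sh
# Added example: overwrite every *.wallet file in a directory in place,
# confirm the old bytes are gone, then unlink it. Names are illustrative.

# overwrite_file FILE: overwrite FILE's contents in place.
overwrite_file() {
    if command -v shred >/dev/null 2>&1; then
        shred -n 3 -z -- "$1"          # 3 random passes, then a zero pass
    else
        # Fallback when shred is missing: one random pass over the same
        # bytes (conv=notrunc keeps dd from truncating the file first).
        size=$(( $(wc -c < "$1") ))
        dd if=/dev/urandom of="$1" bs=1 count="$size" conv=notrunc \
            2>/dev/null
        sync
    fi
}

# shred_wallets DIR [MARKER]
# Overwrites and removes every DIR/*.wallet file. MARKER, if given, is a
# string known to be in the files beforehand; finding it after the
# overwrite aborts with status 1 and leaves that file in place.
# Prints the number of files wiped.
shred_wallets() {
    dir=$1 marker=${2:-} n=0
    for f in "$dir"/*.wallet; do
        [ -f "$f" ] || continue        # glob matched nothing
        overwrite_file "$f" || return 1
        if [ -n "$marker" ] && grep -q -- "$marker" "$f"; then
            echo "overwrite failed: $f" >&2
            return 1
        fi
        rm -f -- "$f"
        n=$((n + 1))
    done
    echo "$n"
}

# Typical call (commented out; the path is a placeholder):
# shred_wallets "/path/to/armory/datadir"
```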

Holliday
January 23, 2014, 06:09:46 AM
 #9

Quote from: jbreher
"Thanks Holliday - but not really applicable to my situation. You must have missed my opening sentence where I said "I am moving Armory off a system that will continue to be used for other tasks."

My day gig is in the data storage industry. My work occasionally has me creating storage subsystems for military applications. Sometimes, this involves testing of secure erase capabilities. On occasion, I've had the glee of being the guy that flips the switch on both incendiary (thermite) and explosive (C4) tests of 'plane's going down behind enemy lines, must destroy all data' contingencies."

Sorry, I see someone talking about wiping data and I get all worked up about using thermite and whatnot! I'm probably a bit paranoid and like to be thorough!

Your job sounds like it is occasionally loads of fun (and may or may not be fun the rest of the time too)! :)
