If a hard drive is encrypted, is it still possible to retrieve data off of it? What about if the password to decrypt it is known? If this is the case, given that OSX now encrypts your drive by default, does that mean every mac in the world, has data that cannot be retrieved after deletion?
-
1possible duplicate of [Is it possible to recover securely deleted data from H.D.D using the forensics?](http://security.stackexchange.com/questions/53253/is-it-possible-to-recover-securely-deleted-data-from-h-d-d-using-the-forensics) – RoraΖ Jul 30 '15 at 15:43
-
1@raz: I'm not convinced this is a duplicated, since here the data is not securely deleted. The question here seems merely to actually know if it remains useful to delete securely files in an encrypted partition. – WhiteWinterWolf Jul 30 '15 at 15:49
-
@WhiteWinterWolf The OP states that "it may be possible to retrieve data off a harddrive even when they've been **wiped several times**". This would imply some attempt at [secure deletion](https://security.stackexchange.com/questions/10464/why-is-writing-zeros-or-random-data-over-a-hard-drive-multiple-times-better-th). I could be wrong, maybe the OP can clarify. – RoraΖ Jul 30 '15 at 16:42
-
@raz: I think this is just an intro to highlight the fact that, in general, "deleted" files may still remain retrievable. Only then the OP begins with his actual question. I admit that such intro also has the side effect to mislead the reader... I actually think it could even be safely deleted. – WhiteWinterWolf Jul 30 '15 at 16:48
-
@Olppa: Since you do not mention disk wiping neither in the title nor in the actual question (you only mention disk encryption), I assumed as stated in my comment above it was some kind of intro. If I'm wrong and you actually meant if it was possible to retrieved data from an encrypted disk wiped several times, feel free to undo my edit by clicking on the "edited ... ago" link you will find below your post then selecting "Rollback". – WhiteWinterWolf Jul 30 '15 at 16:56
4 Answers
All current disk encryption methods strength relies on the key secrecy.
- While your key remains a secret (and it needs to be strong enough to remain one), then the content of your disk at rest remains a secret. I say "disk at rest" because when the computer is running, ie. you already unlocked the drive yourself, then your file-system is accessible and also the secret key could be retrieved from your computer RAM.
When, since you mentioned this situation in your question, the key is known by the attacker, then the disk encryption does not bring any value anymore. If your file-system keeps the data of deleted files on the disk, then this data will still be recoverable.
The encryption mechanism and the file-system are two different layers, the encryption goal is to protect unauthorized access attempts to the file-system, but once this obstacle is removed then the file-system becomes freely accessible and keeps the same properties as in unencrypted disks (there might possibly be however some subtleties coming with the abstraction brought by this supplementary encryption layer and making data retrieval more difficult, but I would not rely on such side-effect to bring any real security).
So, if the question here is "Should I wipe highly sensitive files in case I am forced to reveal my encryption key", the answer is that this makes sense. Apart from such case, secure file deletion will not bring any value against attacker ignoring your secret key.
- 19,142
- 4
- 59
- 107
-
Can you please clarify what you mean by " Apart from such case, secure file deletion will not bring any value against attacker ignoring your secret key."? – Motivated Dec 29 '18 at 17:10
Macs use FileVault to encrypt your data. It's been available on prior OS X versions, but I believe now with Yosemite, it's encouraged to use it and much easier for the standard user to toggle it. This encrypts your hard drive.
Technically, it would still be possible for someone to retrieve the data from an encrypted drive. To crack AES, you would need a lot of money and a very powerful machine. The likelihood of someone getting your data would be extremely low. Someone with lots and lots of time, money, and resources (government)....maybe?
- 423
- 4
- 13
It is doable to crack 1024-bit RSA keys but it takes many years as you can test here; so that is why Apple defies FBI and offers encryption by default on new operating system . So if you have precious information to hide, there is a way, for a skilled and well equipped team, to take advantage of data remanence using cold boot attack if you choose to leave your laptop in a sleep state instead of powering it down.
Conclusion: for at least twenty years up, encrypt your disks and do not worry that much.
Any data that is encrypted with publicly available encryption can be decrypted... otherwise I can assure you that it such encryption algo's would not be available to the public. For the "every day user" there are no options for encryption that are not able to be broken. Our government would not and does not allow it.
"Deleting" data from a hard drive is an essentially meaningless term. It just "frees up" that particular block/segment of memory space for future data... now this is a general rule and there may be particular implementations which remove or attempt to remove any data that is on the drive at that time but in the 'typical' use of the word "deleting" then, no, it does not actually 'remove' the data itself... again, just frees up that memory address to hold other data.
Quick and short answer to your question: Yes, the data can be retrieved in almost all but the most extreme cases. But the issue is at what level of computational time and space is required to do so...
- 181
- 5
-
Can you explain how can decrypt encrypted data when *"publicly available encryption"* is used without knowing the encryption key? – RoraΖ Jul 30 '15 at 13:29
-
I was addressing the question as asked: "... if the password to encrypt it is known..." so that is the context of my reply. – RatboySTL Jul 30 '15 at 13:33
-
you may want to clarify your answer then, you don't make reference to "if the user has the password" and it could make people think that you were saying that it was possible to break the encryption itself, instead of just decrypting it using the correct key. – Rory McCune Jul 30 '15 at 14:34