Crypto-shredding is a data destruction technique that consists of destroying the keys needed to decrypt a piece of data, thereby rendering the data unreadable.


Data destruction is a major issue in data protection regulations such as the GDPR, in the context of exercising an individual's right to erasure.

When a company fulfils a person's right to erasure, it must search every database, every object or flat-file store, and every log (and their backups) to find all occurrences of a piece of data, and delete them.


Anyone who has ever had to handle such a request knows that this is not easy:


  • it is difficult, if not impossible, to delete data contained in a backup (not to mention the backups that hosting providers silently make);
  • the same data is often replicated in different forms across the infrastructure;
  • a deletion in a relational database can trigger a cascade of unintended deletions;
  • and so on.

Crypto-shredding changes the approach to the problem: instead of searching for and cataloguing every version of a piece of data across the entire infrastructure, the problem is reduced to a single encryption key that covers all versions of that piece of data.


When a piece of data is first collected, it is encrypted with an individual key that is managed centrally. The encrypted data is then stored, backed up and replicated as usual; it is decrypted each time it is used, and as soon as a new version is produced, that version is encrypted with the same key.


When you want to delete the piece of data, there is no need for an archaeological dig: you just destroy the encryption key, which is managed centrally.
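The collect / store / use / shred flow described above, as a runnable Go program. This is an added example and not code from the original article: the `KeyStore` type is a hypothetical in-memory stand-in for the central key manager (a KMS or HSM in a real deployment), the subject IDs and records are constructed sample data, and AES-256-GCM with the subject ID as associated data is one reasonable cipher choice, not one the article prescribes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrShredded: the ciphertext is still on disk, but its subject's key is gone.
var ErrShredded = errors.New("subject key destroyed: data has been crypto-shredded")

// KeyStore stands in for the central key manager (a KMS/HSM in production).
// It is an in-memory map here so the example runs offline; this is an assumption.
type KeyStore struct {
	keys map[string][]byte // subject ID -> 256-bit AES key
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: make(map[string][]byte)} }

// keyFor returns the subject's key, minting a fresh random one on first contact.
func (ks *KeyStore) keyFor(subject string) ([]byte, error) {
	if k, ok := ks.keys[subject]; ok {
		return k, nil
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	ks.keys[subject] = k
	return k, nil
}

// Shred destroys the subject's key. Every ciphertext ever produced under it,
// wherever it was copied (database, logs, replicas, backups), dies with it.
func (ks *KeyStore) Shred(subject string) {
	for i := range ks.keys[subject] {
		ks.keys[subject][i] = 0 // best-effort wipe of the in-memory copy
	}
	delete(ks.keys, subject)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals one piece of data with AES-256-GCM under the subject's key. The
// nonce is prepended; the subject ID is bound as associated data so a blob
// cannot be quietly re-attributed to another subject.
func Encrypt(ks *KeyStore, subject string, plaintext []byte) ([]byte, error) {
	key, err := ks.keyFor(subject)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(subject)), nil
}

// Decrypt opens a blob. It deliberately does not call keyFor: minting a new key
// for a shredded subject would turn "shredded" into a confusing auth failure.
func Decrypt(ks *KeyStore, subject string, blob []byte) ([]byte, error) {
	key, ok := ks.keys[subject]
	if !ok {
		return nil, ErrShredded
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(subject))
}

func main() {
	ks := NewKeyStore()
	row, _ := Encrypt(ks, "user-42", []byte("email=alice@example.com")) // constructed sample
	backup := append([]byte(nil), row...)                                // the copy nobody will find
	pt, _ := Decrypt(ks, "user-42", row)
	fmt.Printf("before shred: %s\n", pt)
	ks.Shred("user-42") // the erasure request: one operation, no archaeology
	_, err := Decrypt(ks, "user-42", backup)
	fmt.Println("after shred:", err)
}
```

Two design points the code makes concrete. `Decrypt` never mints a key, so a shredded subject fails closed with `ErrShredded` instead of a misleading authentication error, and a later re-collection of data for the same subject ID gets a brand-new key that cannot open the old ciphertexts. And the key store is the one component that must be kept out of the ordinary backup regime the article complains about: the shred is only final if, as the article puts it, no copy of the key exists.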


If the encryption key needed to decrypt a piece of data is destroyed and no copy of it exists anywhere (key backups and escrow included), nobody can decrypt that piece of data any more. This is called crypto-shredding the piece of data.

The original data could then only be reconstructed by “breaking” the encryption, which with modern, robust algorithms is considered computationally infeasible. If “breaking” the cipher were feasible for a given algorithm, that algorithm would be judged vulnerable and would have to be abandoned.

Thus, in terms of data-breach risk, crypto-shredding a piece of data is equivalent to deleting it.


Three limitations exist with crypto-shredding:


  • if the encryption is poorly implemented (e.g., a vulnerable algorithm, or a key that survives in a backup), crypto-shredding a piece of data is not equivalent to deleting it;
  • since crypto-shredding does not delete the encrypted data, the ciphertext still takes up disk space;
  • a key has to be managed for each piece of data and a decryption has to be performed at each use, which requires well-organized key management; and secure deletion of the keys is paramount to crypto-shredding.