Crypto-shredding is a data destruction technique that consists of destroying the keys that allow the data to be decrypted, thus making the data undecipherable.
Difficulty of data destruction
Data destruction is a major issue in data protection regulations such as the GDPR in the context of exercising an individual's right to erasure.
When a company exercises a person's right to erasure, it must search all databases, all object or flat storage, all logs (and their backups) to find all occurrences of a piece of data, and delete them.
Anyone who has ever been confronted with such a request will know that this is not easy:
- it is difficult, if not impossible, to delete data contained in a backup (not to mention the backups that are silently made by the hosting companies);
- the same data is often replicated in different forms in the infrastructure;
- deletion in a relational database can trigger a cascade of involuntary deletions;
- and so on.
Crypto-shredding changes the approach to the problem: instead of searching / cataloguing all versions of a piece of data across the entire infrastructure, the problem is centralized on one encryption key for all versions of a piece of data.
When a piece of data is first collected, it is encrypted with a centrally managed individual key. The encrypted data is stored, backed up, replicated normally, decrypted each time it is used, and as soon as a new version is produced, it is encrypted with the same key.
When you want to delete the piece of data, you don't need to start an archaeological dig; you just destroy the encryption key, which is managed centrally.
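The flow described above (collect, encrypt under a per-subject key, store and replicate the ciphertext, destroy the key on erasure), as an added example that is not part of the original article. It uses Go's standard-library AES-GCM; the in-memory KeyStore stands in for a central key service (an assumption for the example, where a real deployment would rely on a KMS or HSM that guarantees secure deletion), and the subject identifiers and plaintext values are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyShredded is returned once a subject's key has been destroyed.
var ErrKeyShredded = errors.New("key for this subject has been destroyed")

// KeyStore is a stand-in for the centrally managed key service (assumption:
// an in-memory map; production code would use a KMS/HSM with secure deletion).
type KeyStore struct {
	keys map[string][]byte
}

func NewKeyStore() *KeyStore {
	return &KeyStore{keys: make(map[string][]byte)}
}

// KeyFor returns the subject's 256-bit AES key, creating it on first collection.
func (ks *KeyStore) KeyFor(subject string) ([]byte, error) {
	if k, ok := ks.keys[subject]; ok {
		return k, nil
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	ks.keys[subject] = k
	return k, nil
}

// Shred overwrites and forgets the subject's key; every ciphertext sealed under
// it, in the database, the replicas and the backups, becomes undecipherable.
func (ks *KeyStore) Shred(subject string) {
	if k, ok := ks.keys[subject]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(ks.keys, subject)
	}
}

// Record is what gets stored, backed up and replicated: subject id, nonce and
// AES-GCM ciphertext, never the key.
type Record struct {
	Subject    string
	Nonce      []byte
	Ciphertext []byte
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under the subject's key with a fresh random nonce.
// The subject id is bound as associated data so a record cannot be silently
// re-attributed to another subject.
func Encrypt(ks *KeyStore, subject string, plaintext []byte) (Record, error) {
	key, err := ks.KeyFor(subject)
	if err != nil {
		return Record{}, err
	}
	aead, err := gcmFor(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(subject))
	return Record{Subject: subject, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt opens a record; it reads the key directly (never creating one) so a
// shredded subject yields ErrKeyShredded rather than a new, useless key.
func Decrypt(ks *KeyStore, rec Record) ([]byte, error) {
	key, ok := ks.keys[rec.Subject]
	if !ok {
		return nil, ErrKeyShredded
	}
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.Subject))
}

func main() {
	ks := NewKeyStore()
	rec, _ := Encrypt(ks, "subject-42", []byte("alice@example.com")) // constructed sample
	backup := rec // the same ciphertext sitting in a backup or replica
	pt, _ := Decrypt(ks, rec)
	fmt.Printf("before shred: %q\n", pt)
	ks.Shred("subject-42")
	_, err := Decrypt(ks, backup)
	fmt.Println("after shred, backup copy:", err)
}
```

Note that after Shred the ciphertext itself is untouched (it still occupies space in every copy), which is exactly the second limitation the article lists; only the ability to read it is gone. A later Encrypt for the same subject would mint a fresh key, and records sealed under the old key stay unreadable.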
How it works
If the encryption key used to decrypt a piece of data is destroyed and there is no copy of it, this prevents anyone from decrypting the piece of data. This is called crypto-shredding a piece of data.
The original data could then only be reconstructed by “breaking” the encryption, which with modern and robust algorithms is considered impossible. If “breaking” the cipher were possible on a given algorithm, then the algorithm used would be judged as vulnerable and would have to be abandoned.
Thus, crypto-shredding a piece of data is equivalent, in terms of risk of data breach, to deleting the data.
Three limitations exist with crypto-shredding:
- if the encryption is poorly implemented (e.g., using vulnerable algorithms), crypto-shredding a piece of data would not be equivalent to deleting it;
- since crypto-shredding does not delete the encrypted data, the encrypted data would still take up disk space;
- keys have to be managed for each piece of data and decryption operations have to be performed at each use, which requires well-organized key management; secure deletion of the keys is paramount to crypto-shredding.