26

The password manager that I use has instructions to migrate to a new file format:

  • Export existing passwords to a temporary text file
  • Change password manager to new format
  • Import passwords from temporary text file
  • Securely erase the temporary text file

My hard drive is an SSD (solid state drive), which has it's own issues when it comes to securely deleting files (see https://serverfault.com/questions/199672/secure-delete-on-ssd)

Given that I also have full disk encryption turned on, is it safe to just delete the text file normally?

Is there a more secure way to do this (use a RAM disk, export to USB stick then destroy USB stick after the data has been imported?)

Community
  • 1
JonnyWizz
  • 1,961
  • 1
  • 16
  • 34

4 Answers4

30

I would still recommend using secure delete in your scenario. Should your machine be compromised when you are logged in (malware etc), full disk encryption will not protect you from a undelete operation via C&C malware for example.

SSDs have problems erasing files but a number of manufacturers provide utilities for their drives to securely erase a file and while not always perfect has been reviewed to perform well. Furthermore, if your drive supports TRIM, normal Windows 7+ delete should also function fine when the recycle bin is cleaned. This post helped me understand a lot more last year, hope it helps you: https://raywoodcockslatest.wordpress.com/2014/04/21/ssd-secure-erase/

As for a more secure way to delete the password file, sure there are plenty of other creative ways but that all depends on your appetite for pain.

Damn good question, thank you for that!

Joe
  • 1,224
  • 1
  • 11
  • 16
  • 2
    I read the personal documentation you linked to: the author of that article linked to reports stating none of those tools are secure deleting the drives at 100% –  Oct 28 '15 at 17:01
  • 1
    About the TRIM you mentioned, it does not seem to be efficient either: But since TRIM appeared to be enabled, why did I still have thousands of deleted files lying around, including many that were not in the Recycle Bin?, the author says –  Oct 28 '15 at 17:04
  • And after exploring all the tools you mentioned, the author admits they are not secure deleting: The reasoning seemed to be that, if we couldn’t be certain that our files were getting wiped out, at least we could be confident that the pieces that someone would recover would contain no user-readable data.. But here again, as I said in my answer, full disk encryption is not perfect –  Oct 28 '15 at 18:59
  • @Begueradj You are correct that the author provided a personal account but academic research backs up his information. E.g. http://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1124&context=adf or http://static.usenix.org/legacy/events/fast11/tech/full_papers/Wei.pdf These works add complexities such as filesystem types to an already compex topic. I included the personal information since I enjoyed his work.

    On your second comment, please do not selectively quote. At the end of the work the author explains how adjusting the operation of Win7 recycle bin altered the recovery results significantly.

     – Joe Oct 29 '15 at 07:25
  • 1
    @Begueradj it looks like the author didn't know that on Windows TRIM only runs once every night (could be once every week as default) if the PC is running unless you start it manually. You should do a manual TRIM after deleting. It is called 'optimization' and is in the same place the defragment is for other drives. On my notebook it was last run 13 days ago, because the device usually is not powered on during the night! You can also start a TRIM on the shell with defrag c: /o from Win8 on. – Josef Oct 29 '15 at 08:37
  • Not so very reliable source, he just grouped all the articles on that topic, but nothing is a proof in the article... Hammering the low cost USB stick on the other hand is pretty sure. – Dee Nov 06 '15 at 18:16
2

If you're concerned about a threat of a future compromise of the system and an attacker extracting the information, then secure delete will help, but you should also worry about things like search indexing (Spotlight/Windows search) and backup.

If the system is currently compromised, then the secure delete doesn't matter. Malware can read the plaintext passwords, and may have a function to scan newly created files. (Of course, if the system is currently compromised, then you're in a bad state regardless.)

If the system is not compromised, then FDE will probably protect you from losing the disk, but there are concerns. Searching on FDE forensics can be interesting, for example, http://articles.forensicfocus.com/2014/09/23/recovering-evidence-from-ssd-drives-in-2014-understanding-trim-garbage-collection-and-exclusions/

Adam Shostack
  • 2,669
  • 1
  • 11
  • 12
1

For a SSD disk it is probably not enough secure to delete or rewrite the file.

You can do following:

  1. On your SSD you would need to rewrite with zeroes or random all free space (multiple times) after deleting the file, to be at least statistically close to be sure the data gets deleted. There are tools which offer such option. But you will be never sure 100% as switching write-blocks algorithms for each SSD can vary. (This can take a very long time depending on your drive size and amount of free space and can degrade your SSD HDD.)

  2. Filling rest of your SSD HDD with a big files is a good option. DVD ISO file could be a good one. In that case no free blocks are available to be switched, so everything gets overwritten.

Carefully, some damn OS are sensitive for "no more space on disk C:". In that case a combination of 1) and 2) is an option for you as just a small part of the disk is cleared with zeroes multiple times.

If you are mad for security, better would be to:

  1. Not to use your SSD HDD for file transfer, use an cheapest USB stick and scratch/destroy it afterwords (most quick way including anti-stressful hammering the stick) or

  2. Use old good magnetic HDD via USB and securely delete the file traditional way. (standard time, in minutes it could be done)

If you already did the copying file to your SSD, unfortunatelly, options 3) and 4) will not help you.

My favorite is option 2) as you do not need anything else. Good luck with cleaning.

Dee
  • 202
  • 1
  • 7
-4

Certainly saving your passwords in clear text is not wise, especially on the SSD. You will have to securely erase the whole drive to get rid of the traces afterwards.

If you absoluetly have to deal with passwords in clear text, this site provides reasonable instructions on how to proceed. Basically, you'll need to create a temprary encrypted container and save your plain text passwords there, destroying the container once the import is done.

Using a RAM disk is not recommended, because I doubt ramdisk drivers are designed with security considerations in mind (e.g. is there a garantee that RAM drive contents are never swapped to SSD if you're low on memory?) I'd recommend at least disabling the swap during the migration if you choose to export to RAM disk.

Saving on a USB stick doesn't really solve the problem, but replaces it with a different one (how to securely erase the USB stick). Make sure you have the tools to securely erase the stick before you save your plaintext passwords on it.

As a final note, I'd suggest to simply avoid using password management tools which force you to export passwords to plain text during migration. For example, LastPass has an encrypted format for data interchange between different versions.

Dmitry Grigoryev
  • 10,152
  • 1
  • 27
  • 56
  • 4
    Exporting the file to a RAM disk / USB stick will gain you no extra security at all. Why? The data doesn't touch the SSD, and only resides on a volatile device in one case, or on a condemned one in the other. – Davidmh Oct 29 '15 at 11:08
  • I suppose the OP have stored the password container on the SSD at least once. Past this point it is too late for solutions which rely on data never touching the SSD – Dmitry Grigoryev Oct 29 '15 at 11:16
  • 3
    The data is being safely stored in an encrypted vault on the SSD. The plain text is only a temporary step for changing formats; that is what shouldn't touch the drive. – Davidmh Oct 29 '15 at 12:31
  • Thanks, I missed that. In that case, my advice would be not to use the said password manager at all. Exporting passwords to plain text is a security disaster. How do you guarantee the plain text file doesn't get stored in various buffers and disk caches and ends up on the SSD via the swap file anyway? – Dmitry Grigoryev Oct 29 '15 at 12:40
  • You guarantee that the file never touches a disk by writing it to a proper ramdisk, one that won't get swapped to disk (and thus won't end up in any disk caches). If you're worried about it hanging around in memory afterwards, you can reboot. If you're really worried, run memtest or something on the machine. – Blacklight Shining Oct 30 '15 at 22:31