This paper describes a system that supports high availability of data until the data should be expunged, at which time it is impossible to recover the data. The design supports three types of assured delete: an expiration time known at file creation, on-demand deletion of individual files, and custom keys for classes of data. The obvious approach, of course, is to encrypt the data on nonvolatile storage and then destroy the keys at the appropriate times. However, managing ephemeral keys (robustly keeping them for some amount of time and then reliably destroying every copy) is difficult. We partition the problem so that the burden of ephemeral key management can be outsourced to a minimally trusted third party we refer to as an “ephemerizer”, with negligible performance overhead, resulting in a file system that is easy and inexpensive to manage.
Radia J. Perlman
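The key-management structure sketched in the abstract, as an added example that is not the paper's own protocol or code: an ephemerizer holds ephemeral keys and destroys them at a preset time or on demand, while the file system keeps only ciphertext and per-file keys wrapped under those ephemeral keys, so the three deletion types become three key lifetimes (a key with an expiration time, one key per file, one key per class of data). The abstract does not say how the file system uses the ephemerizer's keys, so everything below the abstract's level is an assumption of this example: the ephemerizer hands the file system a symmetric key for wrapping and the file system erases its copy after use, an HMAC-SHA256 counter-mode keystream stands in for a real AEAD cipher, the clock is a simulated integer, the sample files are constructed, and all class, function and key names are invented.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, nonce || counter) blocks: a stand-in for a
    real AEAD cipher (assumption of this example). The same call decrypts."""
    out = bytearray()
    for n in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + n.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[n * 32:(n + 1) * 32], block))
    return bytes(out)


class Ephemerizer:
    """Minimally trusted third party: holds ephemeral keys and destroys them at
    a preset time or on demand. It never sees file contents."""
    def __init__(self) -> None:
        self._keys: Dict[str, Tuple[bytes, Optional[int]]] = {}

    def create_key(self, key_id: str, expires_at: Optional[int]) -> None:
        self._keys[key_id] = (os.urandom(32), expires_at)  # None: keep until destroyed

    def get_key(self, key_id: str, now: int) -> Optional[bytes]:
        self.expire(now)
        entry = self._keys.get(key_id)
        return None if entry is None else entry[0]  # None: key is gone for good

    def destroy_key(self, key_id: str) -> None:
        self._keys.pop(key_id, None)

    def expire(self, now: int) -> None:
        for kid, (_, exp) in list(self._keys.items()):  # simulated integer clock
            if exp is not None and exp <= now:
                del self._keys[kid]


@dataclass
class StoredFile:
    key_id: str          # which ephemeral key wraps this file's key
    wrapped_key: bytes   # per-file key, encrypted under that ephemeral key
    nonce: bytes
    ciphertext: bytes


class FileSystem:
    """Stores only ciphertext and wrapped file keys, so copies and backups of
    this state reveal nothing once the ephemerizer destroys the wrapping key."""
    def __init__(self, eph: Ephemerizer) -> None:
        self.eph = eph
        self.files: Dict[str, StoredFile] = {}

    def write(self, name: str, plaintext: bytes, key_id: str, now: int) -> None:
        eph_key = self.eph.get_key(key_id, now)
        if eph_key is None:
            raise KeyError(f"no live ephemeral key {key_id!r}")
        file_key, nonce = os.urandom(32), os.urandom(16)
        self.files[name] = StoredFile(key_id, keystream_xor(eph_key, nonce, file_key),
                                      nonce, keystream_xor(file_key, nonce, plaintext))
        # file_key/eph_key are dropped here; the model assumes no local copy survives.

    def read(self, name: str, now: int) -> Optional[bytes]:
        f = self.files[name]
        eph_key = self.eph.get_key(f.key_id, now)
        if eph_key is None:  # key expunged: the ciphertext is now unrecoverable
            return None
        file_key = keystream_xor(eph_key, f.nonce, f.wrapped_key)
        return keystream_xor(file_key, f.nonce, f.ciphertext)

    def delete_on_demand(self, name: str) -> None:
        # Valid only for a file that has its own ephemeral key (type 2 in demo).
        self.eph.destroy_key(self.files[name].key_id)


def demo() -> Dict[str, Optional[bytes]]:
    """Exercise the three deletion types on constructed sample files."""
    eph = Ephemerizer()
    fs = FileSystem(eph)
    eph.create_key("expires-at-100", expires_at=100)    # type 1: expiry set at creation
    eph.create_key("file:draft", expires_at=None)       # type 2: one key per file
    eph.create_key("class:project-x", expires_at=None)  # type 3: key for a class of data
    fs.write("report", b"quarterly numbers", "expires-at-100", now=10)
    fs.write("draft", b"delete me when asked", "file:draft", now=10)
    fs.write("x1", b"project x, part 1", "class:project-x", now=10)
    fs.write("x2", b"project x, part 2", "class:project-x", now=10)
    r: Dict[str, Optional[bytes]] = {}
    r["report_before"] = fs.read("report", now=50)
    r["report_after"] = fs.read("report", now=100)      # expiry reached: None
    r["draft_before"] = fs.read("draft", now=100)
    fs.delete_on_demand("draft")
    r["draft_after"] = fs.read("draft", now=100)
    r["x1_before"] = fs.read("x1", now=100)
    eph.destroy_key("class:project-x")                  # expunge the whole class at once
    r["x1_after"] = fs.read("x1", now=100)
    r["x2_after"] = fs.read("x2", now=100)
    return r
```

The model makes the trust split visible: the ephemerizer sees key identifiers and nothing else, while every copy of the ciphertext and wrapped keys (including backups) becomes useless the moment the wrapping key is gone, which is what lets the file system stay highly available until the expunge point. It also shows where the assurance actually rests: on the ephemerizer really erasing every copy of a key at its expiration or on request, and, in this simplified symmetric variant, on the file system discarding the ephemeral key it was handed for wrapping. The abstract's "custom keys for classes of data" is the single `destroy_key` call that makes `x1` and `x2` unrecoverable together.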