Secure deletion

Secure deletion refers to erasing both the files from the file system and the MEKs that wrapped the FEKs used to encrypt those files. Removing the files alone is not enough: the data blocks remain recoverable until the MEK that protects their FEKs is gone.

Securely deleting files in a fileset

After files have been removed from a fileset using standard file system operations (such as unlink and rm), the tenant administrator might decide to securely delete them. For example, suppose that until that point, the FEKs of all files in the fileset were encrypted with the MEK with key name KEY-old:isklmsrv. To cause the secure deletion of all removed files, the administrator must perform the following steps:
  1. Create a new MEK and note its key name (in this example, KEY-new:isklmsrv).
  2. Modify the appropriate encryption policy KEYS statement in the encryption policy to encrypt new files with the new MEK (for example, KEY-new:isklmsrv) instead of the old one (KEY-old:isklmsrv).
  3. Create and apply a migration (rewrapping) policy (CHANGE ENCRYPTION KEYS) to scan all files, unwrap the wrapped FEK entries of files that have been wrapped with the old key (KEY-old:isklmsrv), and rewrap them with the new key (KEY-new:isklmsrv); this step ensures that the FEKs of existing files will be accessible in the future.
  4. Remove the old key, KEY-old:isklmsrv. This step commits the secure deletion of all files that were previously unlinked (and whose FEKs had therefore not been rewrapped with the new MEK, KEY-new:isklmsrv).
  5. On each node that has ever done I/O to a file encrypted with the old key (KEY-old:isklmsrv), run the following command:
    /usr/lpp/mmfs/bin/tsctl encKeyCachePurge 'KEY-old:isklmsrv'

From this point on, the new key will be used for encryption, which will be performed transparently to the application.

Note: The mmdelfs command will not perform any secure deletion of the files in the file system to be deleted. mmdelfs only removes all the structures for the specified file system. To securely delete files, you need to perform the following steps:
  1. Identify all MEKs currently used to wrap the FEKs of files in the file system to be deleted. If this information is not available through other means, obtain it by doing the following:
    1. Invoke mmlsattr -n gpfs.Encryption on all files of the file system.
    2. Parse the resulting output to extract all the distinct key names of the MEKs that are used.
    Note: These are the possible ways that an MEK might be in use in a file system:
    1. The MEK is, or was at some point, specified in an encryption rule in the policy set on the file system.
    2. An FEK rewrap has been run, rewrapping an FEK with another MEK.
  2. Determine whether the identified MEKs were used to wrap FEKs in other file systems.
    WARNING: If the same MEKs were used to wrap FEKs in other file systems, deleting those MEKs will result in irreparable data loss in the other file systems where those MEKs are used. Before deleting such MEKs from the key servers, you must create one or more new MEKs and rewrap the files in the other file systems.
  3. After appropriately handling any MEKs that were used to wrap FEKs in other file systems (as explained in the warning), delete the identified MEKs from their RKMs.
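The two inventory tasks above (finding every MEK still wrapping an FEK before step 4 of the first procedure removes the old key, and steps 1 and 2 of the mmdelfs procedure) come down to parsing mmlsattr output and comparing key sets. The following is an added example, not code from the Spectrum Scale product or its documentation. It assumes the decoded form of `mmlsattr -n gpfs.Encryption` output, where each wrapped-FEK entry is a `type: wrapped FEK ...` line followed by one line carrying the MEK name in KeyId:RkmId syntax; the sample output, the file paths and the second file system `fs2` are constructed for illustration.

```python
import re
from collections import OrderedDict

# Constructed sample of `mmlsattr -n gpfs.Encryption` output for three files,
# in the decoded form (the raw "gpfs.Encryption:" attribute line is omitted).
# Assumption: each wrapped-FEK entry is a "type: wrapped FEK ..." line followed
# by one line holding the MEK name in KeyId:RkmId syntax.
SAMPLE_OUTPUT = """\
file name: /gpfs/fs1/data/a.dat
EncPar 'AES:256:XTS:FEK:HMACSHA512'
        type: wrapped FEK WrpPar 'AES:KWRAP' CmbPar 'XORHMACSHA512'
        KEY-new:isklmsrv
file name: /gpfs/fs1/data/b.dat
EncPar 'AES:256:XTS:FEK:HMACSHA512'
        type: wrapped FEK WrpPar 'AES:KWRAP' CmbPar 'XORHMACSHA512'
        KEY-old:isklmsrv
        type: wrapped FEK WrpPar 'AES:KWRAP' CmbPar 'XORHMACSHA512'
        KEY-shared:isklmsrv
file name: /gpfs/fs1/plain.txt
"""

FILE_RE = re.compile(r"^file name:\s*(.+?)\s*$")
KEY_RE = re.compile(r"^\s*([^\s:]+:[^\s:]+)\s*$")


def parse_mmlsattr(text):
    """Map each file path to the ordered list of MEK names wrapping its FEK.

    A file with no wrapped-FEK entries (not encrypted) maps to an empty list.
    """
    files = OrderedDict()
    current = None
    expect_key = False
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            current = m.group(1)
            files[current] = []
            expect_key = False
            continue
        if current is None:
            continue
        if "type: wrapped FEK" in line:
            expect_key = True
            continue
        if expect_key:
            k = KEY_RE.match(line)
            if k:
                files[current].append(k.group(1))
            expect_key = False
    return files


def distinct_meks(files):
    """Step 1.2: the set of distinct MEK names in use across the parsed files."""
    return {key for keys in files.values() for key in keys}


def files_wrapped_with(files, mek):
    """Pre-check before removing an MEK: files whose FEK is still wrapped with it.

    After the rewrap policy has run, this should be empty for the old key;
    anything still listed would become unreadable once the key is removed.
    """
    return [path for path, keys in files.items() if mek in keys]


def meks_shared_with_other_filesystems(inventory, target_fs):
    """Step 2: MEKs of target_fs that also wrap FEKs in some other file system.

    `inventory` maps a file system name to the set returned by distinct_meks().
    Deleting a key returned here without first rewrapping the other file
    systems would make their files unrecoverable.
    """
    target = inventory[target_fs]
    others = set().union(*(keys for fs, keys in inventory.items() if fs != target_fs))
    return sorted(target & others)


def purge_commands(meks):
    """Cache purge: one tsctl command per MEK, to run on every node that did I/O with it."""
    return ["/usr/lpp/mmfs/bin/tsctl encKeyCachePurge '%s'" % k for k in sorted(meks)]


if __name__ == "__main__":
    files = parse_mmlsattr(SAMPLE_OUTPUT)
    print("MEKs in use:", sorted(distinct_meks(files)))
    print("still wrapped with KEY-old:isklmsrv:", files_wrapped_with(files, "KEY-old:isklmsrv"))
    # fs2 and its key set are constructed to show the cross-file-system check.
    inventory = {"fs1": distinct_meks(files), "fs2": {"KEY-shared:isklmsrv"}}
    print("shared with other file systems:", meks_shared_with_other_filesystems(inventory, "fs1"))
    print("\n".join(purge_commands(distinct_meks(files))))
```

On a real system, replace SAMPLE_OUTPUT with the captured output of mmlsattr -n gpfs.Encryption over every file in the file system. An empty result from files_wrapped_with for the old key is the condition to verify before removing that key; a non-empty result from meks_shared_with_other_filesystems is the case the warning above describes.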

Secure deletion and encryption key cache purging

The key servers (RKMs) that store the MEKs are responsible for managing and securely deleting keys. After an MEK is gone, all files whose FEKs were wrapped with that MEK are no longer accessible. Even if the data blocks of the deleted files are retrieved, their contents cannot be reconstructed, because the FEK cannot be unwrapped and the data therefore cannot be decrypted.

However, if the MEKs have been cached for performance reasons (so that they do not have to be fetched from the server each time a file is created or accessed), the MEKs must also be purged from the cache to complete the secure deletion.

You can use the following command to purge a given key from the key cache of an individual node, or to clean that node's entire key cache:
 /usr/lpp/mmfs/bin/tsctl encKeyCachePurge {Key | all}
where:
Key
is the key ID, specified with the KeyId:RkmId syntax.
all
specifies that the entire key cache is to be cleaned.

This command acts only on the local node. To ensure secure deletion, run it on every node that has accessed the MEKs you are purging; a node that skips this step keeps a usable copy of the MEK in memory until the entry is purged or the cache is otherwise cleared.