Making Backups Go Away

Every organization needs backups, but sometimes you want backups to go away:

"Suppose you have a policy where certain types of personal records, like health records, have to be destroyed after a year. It’s very difficult to just delete something, because it may be on backup tapes."

Radia Perlman concisely defines the problem, and she has a simple solution, too.

Radia phrases her solution as a legal one, but it’s really technical and social:

Incidentally, she adds, "It should be a law that with any vendor you could say, ‘Do not keep a permanent copy of my information in your database. Delete it after one month.’ I don’t want that stored — my name and address and credit card number — because it can be broken into."

Perlman’s solution, in a nutshell: Encrypt the data, then, when you no longer want it around, throw away the key.

Disappearing Act: Sun Engineer Radia Perlman Makes Technologies Transparent 8.Feb.05, Contrarian Minds

So given that encryption is needed anyway to keep the backups from being stolen, go one step farther and make the encryption the means to make the backups vanish when their time has come.

-jsq
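The "encrypt, then throw away the key" idea from the post, as an added example (not code from the post or from Perlman's work): each record is encrypted under a key tied to its expiry date, and destroying that key makes every copy unreadable, including the one on a backup tape. The class and function names are hypothetical, and the in-memory key store stands in for key storage that is itself kept out of long-lived backups.

```ruby
require 'openssl'
require 'date'

# One AES-256 key per expiry date; assumed to live outside the long-lived backups.
class ExpiringKeyStore
  def initialize
    @keys = {} # expiry Date => 32-byte key
  end
  def key_for(expiry) # key for data that must vanish on `expiry`
    @keys[expiry] ||= OpenSSL::Random.random_bytes(32)
  end
  def fetch(expiry)
    @keys.fetch(expiry) { raise KeyError, "no key for #{expiry}: destroyed or never issued" }
  end
  def purge(today) # destroy keys whose date has passed; returns those dates
    @keys.keys.select { |d| d <= today }.each { |d| @keys.delete(d) }
  end
end

def seal(store, expiry, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = store.key_for(expiry)
  nonce = cipher.random_iv
  cipher.auth_data = expiry.iso8601 # bind the ciphertext to its expiry date
  ct = cipher.update(plaintext) + cipher.final
  { expiry: expiry, nonce: nonce, tag: cipher.auth_tag, ct: ct }
end

def unseal(store, blob)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = store.fetch(blob[:expiry])
  cipher.iv = blob[:nonce]
  cipher.auth_tag = blob[:tag]
  cipher.auth_data = blob[:expiry].iso8601
  cipher.update(blob[:ct]) + cipher.final
end

# Constructed sample: a record that policy says must be gone after a year.
def demo
  store = ExpiringKeyStore.new
  tape = seal(store, Date.new(2006, 2, 8), 'constructed sample health record') # copy on tape
  before = unseal(store, tape)
  store.purge(Date.new(2006, 2, 9)) # deadline passed: key destroyed, tape untouched
  after = begin
    unseal(store, tape)
  rescue KeyError
    :unrecoverable
  end
  [before, after]
end
```

Only the ciphertext on tape is covered; plaintext left wherever the data was decrypted still has to be deleted by other means.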

One thought on “Making Backups Go Away”

  1. Srijith

    The biggest problem I have with the whole setup is that you have to still rely on Bob or his system to securely delete the unencrypted data after its temporary use and also delete the private part of ‘Keph’ that the Ephemerizer sends to Bob.
    If you trust Bob to do so much, you might as well trust him to do the Ephemerizer’s part – deleting the session key pair once the deadline has passed!
