Reliable Expiration of Data from a Storage System

webinar

Author(s)/Presenter(s):

Radia Perlman

Library Content Type

Presentation

Abstract

There is a natural balance between keeping enough copies of data so that it does not get prematurely lost, and assuring that data that should be destroyed is reliably destroyed. This talk describes a technology that enables a storage system to allow a piece of data to be stored with an optional expiration date. After the expiration date the data is impossible to recover from the storage system, even if all of the state of the storage system is captured on backups, including, for instance, copies that are stored offline. Obviously, the answer involves encrypting the data and then discarding keys, but that isn't the entire answer, because it would be necessary to make backup copies of the keys, and once keys are copied, it is difficult to assure that no copies can be recovered after the expiration date. This presentation describes a system that is easy to build, very scalable, and very robust.