Erasing the Trace: The Mechanics of the Emergency Wipe
A deep dive into software-level filesystem encryption and the emergency wipe: how key destruction renders data unrecoverable, what re-provisioning looks like, and where the honest limits of a software wipe sit.
Guardian Pro uses software-level filesystem encryption. The emergency wipe works by destroying the keys that protect the encrypted volume — once the keys are gone, the data is unrecoverable without them. There is no hardware secure element doing the crypto here, and we say so plainly.
How key destruction beats overwriting
Overwriting an entire storage device is slow and unreliable on flash memory, which remaps blocks underneath you. Destroying the small set of keys that decrypt the volume is near-instant and complete: the ciphertext remains, but it is mathematically inaccessible. This is the mechanism behind a credible emergency wipe.
The honest limits
- This is software-level encryption, not a hardware secure enclave.
- If an adversary imaged the device and captured keys earlier, the wipe cannot undo that.
- A wipe is destructive — recovery means re-provisioning the device through support.
Re-provisioning after a wipe
After an emergency wipe the device is intentionally blank. Restoring it is a deliberate support process, not a one-tap undo — that friction is the point. We handle re-provisioning over Signal; we do not use PGP.
FAQ
Is the encryption hardware-backed?
No. It is software-level filesystem encryption. We do not claim a hardware crypto element.
Can a wiped device be recovered?
Not the wiped data — that is the goal. The device itself can be re-provisioned through support.
Updated June 2026.