This page uses content from Wikipedia and is licensed under CC BY-SA.
Crypto-shredding is the practice of 'deleting' data by deliberately deleting or overwriting the encryption keys. This requires that the data have been encrypted. Data comes in these three states: data at rest, data in transit and data in use. In the CIA triad of confidentiality, integrity, and availability all three states must be adequately protected.
Getting rid of data at rest like old backup tapes, data stored in the cloud, computers, phones, and multi-function printers can be challenging when confidentiality of information is of concern; when encryption is in place it allows for smooth disposal of data. Confidentiality and privacy are big drivers of encryption.
The motive of deleting data can be: defect product, old product, no further use of data, no legal right to retain data any longer, etc. Legal obligations can come from rules like: the right to be forgotten, the General Data Protection Regulation, etc.
In some cases everything is encrypted (eg. harddisk, computer file, database, etc.) but in other cases only specific data (eg. passport number, social security number, bank account number, person name, record in a database, etc.) is encrypted. In addition the same specific data in one system can be encrypted with another key in another system. The more specific each piece of data is encrypted (with different keys) the more specific data can be shredded.
Example: iOS devices use crypto-shredding when activating the "Erase all content and settings" by discarding all the keys in 'effaceable storage'. This renders all user data on the device cryptographically inaccessible.
The mentioned security issues are not specific to crypto-shredding, but apply in general to encryption. In addition to crypto-shredding, data erasure, degaussing and physically shredding the physical device (disk) can mitigate the risk further.