[Cryptography] WIPEONFORK in Linux 4.14
Nico Williams
nico at cryptonector.com
Sat Nov 25 18:46:52 EST 2017
On Sat, Nov 25, 2017 at 08:01:40AM -0800, Henry Baker wrote:
> Many (most ?) file ops now occur in *virtual machines*, which include
> *virtual disks* which can be *dynamically allocated*. In particular,
> blocks which are *all zeros* aren't stored at all, so these virtual
> disk images are "sparse arrays" of non-zero blocks.
So there's a turtle holding a turtle ...
The bottom-most turtle, however, may have the same troubles ensuring
deltion as any other bottom-most turtle. It's still not easyy.
> It's actually worth zeroing out these blocks (cleverly, of course),
> so that they take up no space and no transfer bandwidth.
Zeroing out blocks need not have the effect you seek. This is why a
TRIM command was added so that devices could be told of a block's
"deletion".
> So what I'm suggesting is *in addition to* using encryption,
> automatically zero out deleted files.
Doesn't help more than encryption and key erasure, but since key erasure
itself ultimately depends on being about to overwrite actual blocks on
the storage device proper, it ultimately comes down to whether the
stack of filesystems, device drivers, and firmware, can manage to track
all the locations to overwrite, and then do it.
This is all very difficult to ensure in a simple stack in the absence of
VMs. It's harder still to ensure when using VMs.
It's still, today, much easier to securely destroy an entire storage
device than it is to ensure secure deletion of a file.
Nico
--
More information about the cryptography
mailing list