From: Thomas Bächler
Date: Fri, 24 Aug 2012 17:23:05 +0200
Subject: Re: [dm-crypt] SSDs & flash... and secure keyslot erase
To: dm-crypt@saout.de
Message-ID: <50379C59.5020908@archlinux.org>
In-Reply-To: <50379888.7060202@redhat.com>

On 24.08.2012 17:06, Milan Broz wrote:
> For now LUKS keyslot deletion is the same as 2) but there is "secure discard"
> in Linux supported already which should guarantee that data (and all its copies
> inside the drive) is wiped (zeroed).
>
> Next release of cryptsetup will try to run this erase on non-rotational disks
> for keyslots. (But most of drives do not support it yet anyway.)

How can I find out if my SSD supports this?

> Also the situation is complicated if image is not disk, but file in filesystem or there
> are more device layers (sw RAID, thin provisioning).
> For disk image, we can try to use "punch hole" mechanism.
>
> But there is no perfect solution.

Interesting write-up. If you are really paranoid, it seems you must back up all data, perform ATA security erase and put the data back on the disk (and then perform ATA security erase on the backup).
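
The keyslot erase discussed in this thread has to cover specific on-disk ranges. The following is an added example, not code from the original message or from cryptsetup: it parses a LUKS1 header and lists the byte range of each keyslot's key material, which is what an overwrite, secure discard or punch hole would need to target. The field layout follows the LUKS1 on-disk format; the sample header and its values are constructed for illustration.

```python
import struct

SECTOR = 512
LUKS_MAGIC = b"LUKS\xba\xbe"
SLOT_ENABLED = 0x00AC71F3    # LUKS1 marker for an active keyslot
SLOT_DISABLED = 0x0000DEAD   # LUKS1 marker for an unused keyslot
# Big-endian LUKS1 layout: 208-byte fixed part, then 8 keyslots of 48 bytes.
HDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")


def keyslot_areas(header: bytes):
    """Return [(slot, enabled, byte_offset, byte_length)] for a LUKS1 header."""
    if len(header) < HDR.size + 8 * SLOT.size:
        raise ValueError("need at least 592 bytes of header")
    magic, version, _c, _m, _h, _payload, key_bytes, *_ = HDR.unpack_from(header)
    if magic != LUKS_MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    areas = []
    for i in range(8):
        active, _iters, _salt, km_sector, stripes = SLOT.unpack_from(
            header, HDR.size + i * SLOT.size)
        if active not in (SLOT_ENABLED, SLOT_DISABLED):
            raise ValueError(f"slot {i}: unexpected active marker {active:#x}")
        # Key material is the anti-forensic split of the master key:
        # key_bytes * stripes bytes, rounded up to whole sectors.
        sectors = (key_bytes * stripes + SECTOR - 1) // SECTOR
        areas.append((i, active == SLOT_ENABLED, km_sector * SECTOR, sectors * SECTOR))
    return areas


def sample_header() -> bytes:
    """Constructed header: 32-byte key, slot 0 enabled, slots 1-7 disabled."""
    hdr = HDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha1", 4096, 32,
                   bytes(20), bytes(32), 1000, b"constructed-sample-uuid")
    slots = b"".join(
        SLOT.pack(SLOT_ENABLED if i == 0 else SLOT_DISABLED,
                  1000, bytes(32), 8 + i * 256, 4000)
        for i in range(8))
    return hdr + slots


if __name__ == "__main__":
    for slot, enabled, off, length in keyslot_areas(sample_header()):
        state = "enabled" if enabled else "disabled"
        print(f"slot {slot}: {state:8s} bytes {off}..{off + length - 1}")
```

To inspect a real container, pass the first 592 bytes of the device or image file to `keyslot_areas`; the function only reads and never writes.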