From: Austin S Hemmelgarn <ahferroin7@gmail.com>
To: Chris Murphy <lists@colorremedies.com>,
Btrfs BTRFS <linux-btrfs@vger.kernel.org>
Subject: Re: Ideas for a feature implementation
Date: Mon, 11 Aug 2014 22:27:22 -0400 [thread overview]
Message-ID: <53E97B8A.4010304@gmail.com> (raw)
In-Reply-To: <678801E6-E1C8-42B5-8D50-C59B68549EC4@colorremedies.com>
On 08/11/2014 04:27 PM, Chris Murphy wrote:
>
> On Aug 10, 2014, at 8:53 PM, Austin S Hemmelgarn
> <ahferroin7@gmail.com> wrote:
>
>>
>> Another thing that isn't listed there, that I would personally
>> love to see is support for secure file deletion. To be truly
>> secure though, this would need to hook into the COW logic so that
>> files marked for secure deletion can't be reflinked (maybe make
>> the automatically NOCOW instead, and don't allow snapshots?), and
>> when they get written to, the blocks that get COW'ed have the old
>> block overwritten.
>
> If the file is reflinked or snapshot, then it can it be secure
> deleted? Because what does it mean to secure delete a file when
> there's a completely independent file pointing to the same physical
> blocks? What if someone else owns that independent file? Does the
> reflink copy get rm'd as well? Or does the file remain, but its
> blocks are zero'd/corrupted?
The semantics that I would expect would be that the extents can't be
reflinked, and when snapshotted the whole file gets COW'ed, and then
inherits the secure deletion flag, possibly with another flag saying
that the user can't disable the secure deletion flag.
>
> For SSDs, whether it's an overwrite or an FITRIM ioctl it's an open
> question when the data is actually irretrievable. It may be
> seconds, but could be much longer (hours?) so I'm not sure if it's
> useful. On HDD's using SMR it's not necessarily a given an
> overwrite will work there either.
By secure deletion, I don't mean make the data absolutely
unrecoverable by any means, I mean make it functionally impractical
for someone without low-level access to and/or extensive knowledge of
the hardware to recover the data; that is, more secure than simply
unlinking the file, but obviously less than (for example) the
application of thermite to the disk platters. I'm talking the rough
equivalent of wiping the data from RAM.
Anyone who is truly security minded should be using whole disk
encryption anyway, but even then you have the data accessible from the
running OS.
next prev parent reply other threads:[~2014-08-12 2:27 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-08-10 19:21 Ideas for a feature implementation Vimal A R
2014-08-11 2:53 ` Austin S Hemmelgarn
2014-08-11 20:27 ` Chris Murphy
2014-08-12 2:27 ` Austin S Hemmelgarn [this message]
2014-08-12 3:04 ` Chris Murphy
2014-08-12 15:52 ` David Pottage
2014-08-12 17:34 ` Austin S Hemmelgarn
2014-08-13 12:26 ` Brendan Hide
2014-08-12 16:38 ` Erkki Seppala
2014-08-12 11:00 ` Konstantinos Skarlatos
2014-08-13 11:01 ` David Pottage
2014-08-13 11:05 ` Konstantinos Skarlatos
2014-08-17 21:17 ` Chris Murphy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53E97B8A.4010304@gmail.com \
--to=ahferroin7@gmail.com \
--cc=linux-btrfs@vger.kernel.org \
--cc=lists@colorremedies.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).