linux-lvm.redhat.com archive mirror
From: IB Development Team <dev@ib.pl>
To: linux-lvm@redhat.com
Subject: [linux-lvm] Virtualization and LVM data security
Date: Fri, 24 Oct 2014 19:30:12 +0200
Message-ID: <544A8CA4.2030506@ib.pl>

Hello,

Is there any way to make LVM2 tools wipe added/freed LV space, or are there plans to add such functionality?

When LVM-based storage is used for guest virtual disks, it is possible that after 
resizing/snapshotting an LV, disk data fragments from one guest will be visible to another guest, which 
may cause serious security problems if not wiped somehow; some pages with more info on this topic:

http://blog.brightbox.co.uk/posts/secure-virtual-disk-deletion-is-your-data-safe
http://brightbox.com/blog/2012/04/27/dirty-disks/
http://docs.openstack.org/security-guide/content/ch046_data-residency.html

Don't know LVM2 internals well but if there is no such functionality in LVM2 now, maybe adding 
options like --wipe and --wipe-bandwidth (to allow one to control I/O load while wiping) for 
create/resize/remove/snapshot commands (and others maybe, if such risk exists there) will be possible 
in future LVM versions to better meet security requirements in virtualized environments?

Regards,
Pawel

IB Development Team
http://dev.ib.pl/
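
The throttled wipe the message asks for, sketched as an added example (not code from the poster or from LVM2; `--wipe` and `--wipe-bandwidth` are proposals in the message, not existing flags). The helper names `wipe_region` and `first_nonzero` are hypothetical, and a constructed 2 MiB temporary file stands in for an LV whose second half has been freed.

```python
import os, tempfile, time

MIB = 1024 * 1024

def wipe_region(path, offset, length, max_bytes_per_sec=None, chunk=MIB):
    """Zero [offset, offset+length) of path, optionally throttled; return bytes written."""
    zeros, written, start = bytes(chunk), 0, time.monotonic()
    fd = os.open(path, os.O_WRONLY)
    try:
        os.lseek(fd, offset, os.SEEK_SET)
        while written < length:
            written += os.write(fd, zeros[:min(chunk, length - written)])
            if max_bytes_per_sec:
                # Sleep until elapsed time catches up with the bandwidth budget.
                delay = written / max_bytes_per_sec - (time.monotonic() - start)
                if delay > 0:
                    time.sleep(delay)
        os.fsync(fd)  # zeros must be on stable storage before the space is reused
    finally:
        os.close(fd)
    return written

def first_nonzero(path, offset, length, chunk=MIB):
    """Return the offset of the first non-zero byte in the region, or None if clean."""
    with open(path, "rb") as f:
        f.seek(offset)
        pos, end = offset, offset + length
        while pos < end:
            data = f.read(min(chunk, end - pos))
            if not data:
                break
            rest = data.lstrip(b"\0")
            if rest:
                return pos + len(data) - len(rest)
            pos += len(data)
    return None

def demo():
    # Constructed sample: a 2 MiB file stands in for an LV; its second MiB is "freed".
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"SECRET-A" * (2 * MIB // 8))
    try:
        before = first_nonzero(f.name, MIB, MIB)
        t0 = time.monotonic()
        written = wipe_region(f.name, MIB, MIB, max_bytes_per_sec=8 * MIB)
        elapsed = time.monotonic() - t0
        return before, written, first_nonzero(f.name, MIB, MIB), first_nonzero(f.name, 0, MIB), elapsed
    finally:
        os.unlink(f.name)

if __name__ == "__main__":
    print(demo())
```

Running `first_nonzero` over a freshly created or extended volume before attaching it to a guest gives a cheap check that no earlier tenant's data is still readable there.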

