Re: Shred mount option for ext4?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> >>1. One of the patches performs N overwrites with configurable patterns
> >>(can comply with NIST and NISPOM standards).  Because of the transaction
> >>compaction we had to separately add overwriting as separate transactions.
> >>Fortunately, the whole procedure is still atomic due to the orphan list.
> >>The problem that we have right now is per-file syncing of dirty data
> >>buffers between overwrites.  We sync the whole device at the moment.
> >
> >Did anyone discuss doing this with crypto instead of actually overwriting
> >the whole file?  It would be pretty easy to store a per-file crypto key
> >in each inode as an EA, then to "delete" the file all that would be
> >needed would be to erase the key in a secure matter (which is a great
> >deal easier because inodes don't move around on disk).

Encryption is another possible secure deletion solution.  Usually it is
used by systems that already encrypt the data anyways.  In that case the
key management and run-time overhead costs are already paid.

> >The drawback is there is a runtime overhead to encrypt/decrypt the file

The difference is that in case of encryption there are overheads for read
and write operations whereas in case of overwriting there are overheads
only for infrequent unlink/truncate operations.

> I think that having the data encrypted on disk is a generically useful
> feature, but in this case it might not count for much since the key is
> stored right next to the data in that EA...

Agreed.  Key management is a big issue in any encryption system.  In this
particular solution the key management is simple but there is also no
real protection of the live data.

Nikolai.
-
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Reiser Filesystem Development]     [Ceph FS]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Linux FS]     [Yosemite National Park]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Device Mapper]     [Linux Media]

  Powered by Linux