On 07/19/2016 11:28 AM, Scott Sullivan wrote:
>
> Could someone please clarify if there is a legitimate reason to worry
> about data security of an old (removed) LVM snapshot?
>
> For example, when you lvremove an LVM snapshot, is it possible for data
> to be recovered if you create another LVM and it happens to go into
> the same area as the old snapshot we lvremoved?
>
> If this helps clarify, do we have to worry about security scrubbing an
> LVM snapshot for data security?

Yes, the snapshot LV will contain (obsolete) copies of any sectors (actually chunks) written to during the life of the snapshot. However, you still have the live data in the same VG, so it doesn't present any additional exposure. Anyone with access to the raw disk can just read the live LV as well as the snapshot.

Your real question, however, is probably about creating a new LV, and whether reading that new LV will read old contents of the disk. Allocating a new LV only zeros the first 4k of the volume. Reading the LV will pick up all the leftover garbage from previous contents - a Very Bad Thing security-wise. This is arguably a bug.

Solutions I've seen proposed:

1) use dd to zero the volume after allocating - this is what you should do today

2) allocate a snapshot of an existing image - this solves the security problem but has performance problems

3) LVM should have an option to logically zero a new LV - this is simple in concept, but maybe not so trivial to make bug free. The LV allocates a bitmap of all the chunks. All chunks return zeros until written to. A 100G LV with 65k chunks would need only 200K for the bitmap - so the overhead is quite small. You could even keep the bitmap in chunks that have never been written to, with a pointer in metadata, moving it around as necessary - but that would be even harder to make bug free.
_______________________________________________
linux-lvm mailing list
linux-lvm@redhat.com
https://www.redhat.com/mailman/listinfo/linux-lvm
read the LVM HOW-TO at http://tldp.org/HOWTO/LVM-HOWTO/
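
Added example, not part of the original message: one way to carry out solution 1 (zero the volume after allocating) with a read-back check, so that a new LV is handed out only once every byte reads as zero. The function names are hypothetical, and the `/dev/<vg>/<lv>` device path and the option of pointing the helpers at a regular file as a stand-in device are assumptions of this example.

```sh
#!/bin/sh
# Added example: scrub a freshly allocated LV and verify it reads as zeros.
# All function names here are hypothetical helpers, not LVM commands.

# Size in bytes of a block device, or of a regular file used as a stand-in.
dev_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Overwrite the whole device with zeros (solution 1 in the message above).
scrub_dev() {
    dev=$1
    size=$(dev_size "$dev") || return 1
    mib=$((size / 1048576))
    rest=$((size % 1048576))
    if [ "$mib" -gt 0 ]; then
        dd if=/dev/zero of="$dev" bs=1048576 count="$mib" \
            conv=notrunc 2>/dev/null || return 1
    fi
    if [ "$rest" -gt 0 ]; then
        dd if=/dev/zero of="$dev" bs=1 seek=$((mib * 1048576)) \
            count="$rest" conv=notrunc 2>/dev/null || return 1
    fi
    sync
}

# Count bytes that are not 0x00; a clean volume yields 0.
nonzero_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# Succeeds only if every byte of the device reads as zero.
is_scrubbed() {
    [ "$(nonzero_bytes "$1")" -eq 0 ]
}

# Allocate, scrub, verify; fails if any leftover data is still readable.
provision_lv() {
    vg=$1; name=$2; lv_size=$3
    lvcreate -L "$lv_size" -n "$name" "$vg" || return 1
    scrub_dev "/dev/$vg/$name" || return 1
    is_scrubbed "/dev/$vg/$name"
}
```

Run as root against a real volume group, for example `provision_lv vg0 newvol 10G` (constructed sample values); a non-zero exit status means the volume must not be handed out.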