All of lore.kernel.org
 help / color / mirror / Atom feed
From: Andreas Dilger <adilger@dilger.ca>
To: Mingming Cao <cmm@us.ibm.com>
Cc: Amir Goldstein <amir73il@gmail.com>,
	Allison Henderson <achender@linux.vnet.ibm.com>,
	linux-ext4@vger.kernel.org
Subject: Re: [PATCH 1/2 v3] EXT4: Secure Delete: Zero out file data
Date: Fri, 8 Jul 2011 17:49:25 -0600	[thread overview]
Message-ID: <507FA19B-1395-4237-98BF-7CD65F80A120@dilger.ca> (raw)
In-Reply-To: <1310149225.2970.2.camel@mingming-laptop>

On 2011-07-08, at 12:20 PM, Mingming Cao wrote:
> On Fri, 2011-07-08 at 03:09 +0300, Amir Goldstein wrote:
>> I realized that there is a basic flaw in the concept of deferred-secure-delete.
>> From a security point of view, after a crash during a secure-delete,
>> if the file is not there, all its data should have been wiped.
>> Orphan cleanup on the next mount may be done on a system that
>> doesn't respect secure delete.
>> So for real security, the unlink/truncate command cannot return before
>> all data is wiped.
> 
> I agree. I think the user who expect secure delete will be expecting the
> data being completely wiped off from disk, instead of wondering when the
> OS/fs will really get rid of the data on the hidden inode by background
> thread.  Secure delete should be synchronous.

I'm not going to argue further for async secure delete, but just wanted
to point out that userspace can determine when the "shred" is safely done
on disk (or any other operation for that matter) by doing a sync afterward.
It wouldn't have to "wonder" about anything.

My original proposal for using the delete thread included having sync()
block until all of the background secure unlink/overwrite operations were
finished.  That would allow deleting many files at one time, and then
sending all of the requests to the disk more efficiently.


I am just imagining some Enron accountant sweating for hours as his sync
secure-delete is running at 50-100 files/sec (seek limit if there are
1 or 2 seeks/file) on a filesystem with 1M files in it, instead of being
able to delete 50000 files/sec asynchronously and wait a few minutes at
the end as the sync completes. ;-)

A better solution is to just encrypt the data with a per-inode key and
then just overwrite the inode securely when it is unlinked, so when the
key is erased the data is unrecoverable.  I imagine that ecryptfs or
similar might do something like that (I don't know much about it, honestly).


Note that this should probably get an EXT4_FEATURE_COMPAT_SECDEL flag, so
e2fsck knows to also wipe secure-delete files when they are unlinked due
to inode corruption, or similar.

This reminds me I also have an e2fsck patch that we've been carrying for a
few years for shared block handling that allows e2fsck to optionally move
inodes to lost+found, delete them, or wipe the shared blocks option.  This
is necessary to avoid data leakage between users in case there is some
corruption that links one user's inode to another user's blocks.  I'll send
that in another email.

Cheers, Andreas






  reply	other threads:[~2011-07-08 23:49 UTC|newest]

Thread overview: 36+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-06-30 21:22 [PATCH 0/2 v3] EXT4: Secure Delete Allison Henderson
2011-06-30 21:22 ` [PATCH 1/2 v3] EXT4: Secure Delete: Zero out file data Allison Henderson
2011-06-30 22:15   ` Andreas Dilger
2011-07-01  0:54     ` Allison Henderson
2011-07-01  1:18       ` Martin K. Petersen
2011-07-01  1:41         ` Allison Henderson
2011-07-01 10:26   ` Lukas Czerner
2011-07-01 16:21     ` Allison Henderson
2011-07-02  9:33   ` Amir Goldstein
2011-07-03  7:00     ` Andreas Dilger
2011-07-03  7:37       ` Amir Goldstein
2011-07-04 17:19         ` Allison Henderson
2011-07-04 17:44           ` Amir Goldstein
2011-07-04 18:19             ` Andreas Dilger
2011-07-04 19:09               ` Allison Henderson
2011-07-06 21:05     ` Allison Henderson
2011-07-07  7:05       ` Amir Goldstein
2011-07-07 19:52         ` Andreas Dilger
2011-07-07 20:19           ` Allison Henderson
2011-07-08  0:09             ` Amir Goldstein
2011-07-08  1:55               ` Allison Henderson
2011-07-08  6:29                 ` Amir Goldstein
2011-07-08 20:43                   ` Allison Henderson
2011-07-10 23:13                   ` Ted Ts'o
2011-07-11 10:01                     ` Amir Goldstein
2011-07-08  2:46               ` Andreas Dilger
2011-07-08  5:46                 ` Ric Wheeler
2011-07-08  6:11                 ` Amir Goldstein
2011-07-08 18:20               ` Mingming Cao
2011-07-08 23:49                 ` Andreas Dilger [this message]
2011-07-10  8:19                   ` Ric Wheeler
2011-07-10 23:33                     ` Ted Ts'o
2011-07-11  6:42                       ` Ric Wheeler
2011-07-11  8:20                         ` Lukas Czerner
2011-07-11 14:24                           ` Allison Henderson
2011-06-30 21:22 ` [PATCH 2/2 v3] EXT4: Secure Delete: Zero out files directory entry Allison Henderson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=507FA19B-1395-4237-98BF-7CD65F80A120@dilger.ca \
    --to=adilger@dilger.ca \
    --cc=achender@linux.vnet.ibm.com \
    --cc=amir73il@gmail.com \
    --cc=cmm@us.ibm.com \
    --cc=linux-ext4@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.