Unfortunately this is impossible to achieve.

Unless you can guarantee that the same physical pieces of disk are always going 
to be mapped to the same parts of the RBD device, you will leave data lying 
around on the array. How easy it is to recover is a bit of a question of how 
valuable the data is to someone.

Ceph moves data around at the backend, which means there could be old blocks 
left on OSDs that contain the user data. There is no guarantee as to how long 
those pieces of data will be around for.

If your RBD device is on SSD/NVMe then you cannot get to all the blocks that 
contain your data unless you use the manufacturer-supplied utilities to erase 
the device completely. This problem is overcome with encrypted OSDs, but it 
doesn't help your end-user RBD device that needs to be deleted. If the RBD 
device had snapshots of it, then there are even more copies of the data within 
the array which you cannot directly access.

Any array that moves data around without the client knowing about it and being 
able to map to all the blocks used means there are old parts of the image that 
were presented to the client that have the original data that can still be 
recovered.

Things like a re-balance or an OSD server failure mean that some of the 
original data is on blocks that are no longer available.

The only way to guarantee that your data is secure and no one can read it is to 
control the actual code that does the encryption and to keep control of the 
encryption keys, i.e. you do something on the client before you send it to the 
array.

This is not a problem unique to Ceph but an issue for all arrays.




Darren Soothill

Looking for help with your Ceph cluster? Contact us at https://croit.io/
 
croit GmbH, Freseniusstr. 31h, 81247 Munich 
CEO: Martin Verges - VAT-ID: DE310638492 
Com. register: Amtsgericht Munich HRB 231263 
Web: https://croit.io/ | YouTube: https://goo.gl/PGE1Bx

> On 8 Jun 2023, at 06:14, [email protected] wrote:
> 
> Dear ceph folks,
> 
> I bumped into a very interesting challenge: how to secure erase an RBD image's 
> data without any encryption? 
> 
> The motivation is to ensure that there is no information leak on OSDs after 
> deleting a user specified rbd image, without the extra burden of using rbd 
> encryption.
> 
> any ideas, suggestions are highly appreciated,
> 
> 
> Samuel  
> 
> 
> 
> 
> 
> [email protected]
> _______________________________________________
> ceph-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
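Darren's point above, that the only real guarantee is encrypting on the client and keeping the key there, as an added example that is not part of this thread and is not Ceph or croit code: a Go simulation of an array that relocates data and never wipes extents the client can no longer address (FakeArray, a constructed stand-in for a pool), with a plaintext image and a client-encrypted image put through the same write, rebalance, zero-fill and delete sequence. The type and function names, the DEK handling and the sample record are all assumptions of this example; it uses only the Go standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// FakeArray is a constructed stand-in for a Ceph pool (not Ceph code): it
// relocates data and never wipes extents the client can no longer address.
type FakeArray struct {
	extents [][]byte       // every extent ever written, live or not
	live    map[uint64]int // object number -> index of its current extent
}

// Write lands in a fresh extent; the previous one is unmapped, not erased.
func (a *FakeArray) Write(obj uint64, data []byte) {
	a.extents = append(a.extents, append([]byte(nil), data...))
	a.live[obj] = len(a.extents) - 1
}

// Rebalance moves an object to another OSD; the old location keeps its copy.
func (a *FakeArray) Rebalance(obj uint64) { a.Write(obj, a.extents[a.live[obj]]) }

// CountLeaks counts extents anywhere on the array still holding needle in clear.
func CountLeaks(a *FakeArray, needle []byte) (n int) {
	for _, e := range a.extents {
		if bytes.Contains(e, needle) {
			n++
		}
	}
	return n
}

// EncryptedImage encrypts on the client before anything reaches the array: per-image DEK,
// AES-256-GCM, random nonce prefixed to each extent (dm-crypt would use a sector-tweaked mode).
type EncryptedImage struct {
	arr  *FakeArray
	aead cipher.AEAD // nil once the key has been destroyed
}

func (img *EncryptedImage) Write(obj uint64, plaintext []byte) {
	nonce := make([]byte, img.aead.NonceSize())
	must(rand.Read(nonce))
	img.arr.Write(obj, img.aead.Seal(nonce, nonce, plaintext, nil))
}

// Recoverable counts extents that decrypt to secret: what anyone holding the DEK can still pull out.
func (img *EncryptedImage) Recoverable(secret []byte) (n int) {
	if img.aead == nil {
		return 0
	}
	ns := img.aead.NonceSize()
	for _, e := range img.arr.extents { // every extent here came from Seal, nonce first
		pt, err := img.aead.Open(nil, e[:ns], e[ns:], nil)
		if err == nil && bytes.Equal(pt, secret) {
			n++
		}
	}
	return n
}

// workflow is the user's view: write, let Ceph rebalance, zero-fill, rbd rm.
func workflow(a *FakeArray, write func(uint64, []byte), secret []byte) {
	write(0, secret)
	a.Rebalance(0)
	write(0, make([]byte, len(secret)))
	delete(a.live, 0) // rbd rm: the mapping goes, the bytes stay
}

// Scenario returns clear-text extents left on the plain and the encrypted array,
// then extents recoverable with the DEK before and after it is shredded.
func Scenario() (plainLeaks, encLeaks, withKey, afterShred int) {
	secret := []byte("CUSTOMER-RECORD-0042") // constructed sample data
	plain := &FakeArray{live: map[uint64]int{}}
	workflow(plain, plain.Write, secret)
	plainLeaks = CountLeaks(plain, secret)
	dek := make([]byte, 32) // AES-256 DEK, generated and held only on the client
	must(rand.Read(dek))
	img := &EncryptedImage{arr: &FakeArray{live: map[uint64]int{}}, aead: must(cipher.NewGCM(must(aes.NewCipher(dek))))}
	workflow(img.arr, img.Write, secret)
	encLeaks = CountLeaks(img.arr, secret)
	withKey = img.Recoverable(secret)
	img.aead = nil // shred: destroy the DEK; from here nothing on the array can be opened
	afterShred = img.Recoverable(secret)
	return
}

func main() { fmt.Println(Scenario()) } // prints: 2 0 2 0
```

The four numbers are the whole argument in miniature. On the plaintext image, zero-filling the block and removing the image still leaves two clear-text copies of the record on the array (the pre-rebalance extent and the one the zero-fill superseded), and the client has no way to address either. On the client-encrypted image nothing on the array ever contains the record in clear, but the same two stale extents still decrypt for as long as the DEK exists, so deleting the image is not erasure either; only destroying the key is. In production that is dm-crypt/LUKS or an equivalent in the client's own hands, which is exactly the encryption the original question hoped to avoid.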