On 09-Feb-00 Andi Kleen wrote:
> On Wed, Feb 09, 2000 at 05:35:00PM +0100, Matthew Wilcox wrote:
>
> [...]
>
> How about secure deletion?
>
> 1.3 used to have some simple minded overwriting of deleted data when the
> 's' attribute was set. That got lost with 2.0+.
>
> Secure disk overwriting that is immune to
> manual surface probing seems to take a lot more effort (Colin Plumb's
> sterilize does 25 overwrites with varying bit patterns). Such a complicated
> procedure is probably better kept in user space. What I would like is some
> way to have a sterilize daemon running, and when a get 's' file gets
> deleted the VFS would open a new file descriptor for it, pass it to
> sterilized (sterild?) using a unix control message and let it do its job.
>
> What does the audience think? Should such a facility have kernel support
> or not? I think secure deletion is an interesting topic and it would be
> nice if Linux supported it better.
You have to be careful that you don't leak the file you're trying to eradicate
into the swap via the serilize daemon. I guess simply never reading the file
is a good start.
The other question is whether you're talking about an ext2-specific thing, or
whether its a general service all filesystems provide. Many filesystem
designs, including ext3 w/ journalling, reiserfs(?) and the NetApp Wafl
filesystem, don't let a process overwrite an existing block on disk. Well,
ext3 does, but only via the journal; wafl never does. There's also the
question of what happens when you have a RAID device under the filesystem,
especially with hot-swappable disks.
Perhaps a better approach, since we're talking about a privileged process, is
to get a list of raw blocks and go directly to the disk. You'd have to be very
careful to synchronize with the filesystem...
J