On 09-Feb-00 Andi Kleen wrote:
> On Wed, Feb 09, 2000 at 05:35:00PM +0100, Matthew Wilcox wrote:
> 
> [...]
> 
> How about secure deletion? 
> 
> 1.3 used to have some simple minded overwriting of deleted data when the 
> 's' attribute was set.  That got lost with 2.0+. 
> 
> Secure disk overwriting that is immune to 
> manual surface probing seems to take a lot more effort  (Colin Plumb's 
> sterilize does 25 overwrites with varying bit patterns). Such a complicated
> procedure is probably better kept in user space. What I would like is some
> way to have a sterilize daemon running, and when a get 's' file gets
> deleted the VFS would open a new file descriptor for it, pass it to 
> sterilized (sterild?) using a unix control message and let it do its job.
> 
> What does the audience think? Should such a facility have kernel support
> or not?  I think secure deletion is an interesting topic and it would be
> nice if Linux supported it better.

You have to be careful that you don't leak the file you're trying to eradicate
into the swap via the serilize daemon.  I guess simply never reading the file
is a good start.

The other question is whether you're talking about an ext2-specific thing, or
whether its a general service all filesystems provide.  Many filesystem
designs, including ext3 w/ journalling, reiserfs(?) and the NetApp Wafl
filesystem, don't let a process overwrite an existing block on disk.  Well,
ext3 does, but only via the journal; wafl never does.  There's also the
question of what happens when you have a RAID device under the filesystem,
especially with hot-swappable disks.

Perhaps a better approach, since we're talking about a privileged process, is
to get a list of raw blocks and go directly to the disk.  You'd have to be very
careful to synchronize with the filesystem...

        J

Reply via email to