On 23 October 2014 08:30, Preston L. Bannister <pres...@bannister.us> wrote:
> John,
>
> As a (new) OpenStack developer, I just discovered the "CINDER_SECURE_DELETE"
> option.
>
> As an *implicit* default, I entirely approve. Production OpenStack
> installations should *absolutely* insure there is no information leakage
> from one instance to the next.
>
> As an *explicit* default, I am not so sure. Low-end storage requires you do
> this explicitly. High-end storage can insure information never leaks.
> Counting on high level storage can make the upper levels more efficient, can
> be a good thing.
>
> The debate about whether to wipe LV's pretty much massively depends on the
> intelligence of the underlying store. If the lower level storage never
> returns accidental information ... explicit zeroes are not needed.

The security requirements regarding wiping are totally and utterly site dependent - some places care and are happy to pay the cost (some even using an entirely pointless multi-write scrub out of historically rooted paranoia) whereas some don't care in the slightest. LVM thin that John mentioned is no worse or better than most 'smart' arrays - unless you happen to hit a bug, it won't return previous info. That's a good default; if your site needs better, then there are lots of config options to go looking into for a whole variety of things, and you should probably be doing your own security audits of the code base and other deep analysis, as well as reading and contributing to the security guide.