[openstack-dev] [ironic] Disk Eraser
Clark, Robert Graham
robert.clark at hp.com
Fri Jan 17 14:22:23 UTC 2014
On 17/01/2014 08:19, Robert Collins wrote:
> On 16 January 2014 03:31, Alan Kavanagh <alan.kavanagh at ericsson.com> wrote:
>> Hi fellow OpenStackers
>>
>>
>>
>> Does anyone have any recommendations on open source tools for disk
>> erasure/data destruction software. I have so far looked at DBAN and disk
>> scrubber and was wondering if ironic team have some better recommendations?
>
> So for Ironic this is a moderately low priority thing right now - and
> certainly I think it should be optional (what the default is is a
> different discussion).
>
> It's low priority because there are -so- many other concerns about
> sharing bare metal machines between tenants that don't have
> comprehensive mutual trust, that it's really not viable today (even on
> relatively recent platforms IMNSHO).
>
> -Rob
>
>
For all but the most paranoid of applications a single pass overwrite is
enough to ensure that all data is securely removed from a magnetic disk.
There is some truth to the claim that data can still be read after a
re-write, the technique is known as magnetic force microscopy
(https://www.usenix.org/legacy/publications/library/proceedings/sec96/full_papers/gutmann/index.html),
it's an incredibly expensive method of data recovery, used only by a few
organisations most of which I assume are intelligence agencies.
A single pass overwrite is fine for wiping the contents of a disk beyond
all reasonable means of recovery. If you're trying to protect your data
from recovery by intelligence agencies with access to the hardware,
there are probably a lot of more important things you need to do to
secure your data before you try to work out how many deban-re-writes you
want.
SSD's are more complicated because they have wear-leveling controllers
that spread data out in ways that mean you can't necessarily guarantee
that every block will get written during an overwrite.
If you'd like a more detailed answer I'm sure the folks in the OSSG
would be happy to help: openstack-security at lists.openstack.org
Cheers
-Rob
More information about the OpenStack-dev
mailing list