[openstack-dev] [ironic] Disk Eraser

Clark, Robert Graham robert.clark at hp.com
Fri Jan 17 14:22:23 UTC 2014


On 17/01/2014 08:19, Robert Collins wrote:
> On 16 January 2014 03:31, Alan Kavanagh <alan.kavanagh at ericsson.com> wrote:
>> Hi fellow OpenStackers
>>
>> Does anyone have any recommendations on open source tools for disk
>> erasure/data destruction software? I have so far looked at DBAN and disk
>> scrubber and was wondering if ironic team have some better recommendations?
>
> So for Ironic this is a moderately low priority thing right now - and
> certainly I think it should be optional (what the default is is a
> different discussion).
>
> It's low priority because there are -so- many other concerns about
> sharing bare metal machines between tenants that don't have
> comprehensive mutual trust, that it's really not viable today (even on
> relatively recent platforms IMNSHO).
>
> -Rob
>
>

For all but the most paranoid of applications a single pass overwrite is 
enough to ensure that all data is securely removed from a magnetic disk.

There is some truth to the claim that data can still be read after a 
re-write; the technique is known as magnetic force microscopy 
(https://www.usenix.org/legacy/publications/library/proceedings/sec96/full_papers/gutmann/index.html). 
It's an incredibly expensive method of data recovery, used only by a few 
organisations, most of which I assume are intelligence agencies.

A single pass overwrite is fine for wiping the contents of a disk beyond 
all reasonable means of recovery. If you're trying to protect your data 
from recovery by intelligence agencies with access to the hardware, 
there are probably a lot of more important things you need to do to 
secure your data before you try to work out how many DBAN re-writes you 
want.

SSDs are more complicated because they have wear-leveling controllers 
that spread data out in ways that mean you can't necessarily guarantee 
that every block will get written during an overwrite.

If you'd like a more detailed answer I'm sure the folks in the OSSG 
would be happy to help: openstack-security at lists.openstack.org

Cheers
-Rob
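
As an added illustration of the single-pass overwrite discussed in the message above (not part of the original post, and not Ironic code): a Python example that zero-fills a target once and reads it back to confirm no byte survived. The function names and the temporary image file standing in for a disk are assumptions made for the example.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # write and verify in 1 MiB pieces


def overwrite_once(path):
    """Single zero-fill pass over every addressable byte; returns bytes wiped."""
    zeros = bytes(CHUNK)
    fd = os.open(path, os.O_WRONLY)
    try:
        # Seeking to the end gives the size of a regular file or a block device.
        size = os.lseek(fd, 0, os.SEEK_END)
        os.lseek(fd, 0, os.SEEK_SET)
        remaining = size
        while remaining:
            # os.write may write less than asked, so count what it reports.
            remaining -= os.write(fd, zeros[:min(CHUNK, remaining)])
        os.fsync(fd)  # flush the pass out of the page cache
    finally:
        os.close(fd)
    return size


def first_nonzero_offset(path):
    """Read the target back; offset of the first surviving byte, or None."""
    offset = 0
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return None
            if chunk.count(0) != len(chunk):
                return offset + len(chunk) - len(chunk.lstrip(b"\x00"))
            offset += len(chunk)


def make_sample_image(size=3 * CHUNK + 4096):
    """Constructed stand-in for a disk: a temp file holding fake tenant data."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write((b"tenant-secret " * 4096).ljust(size, b"\xaa"))
    return path


if __name__ == "__main__":
    image = make_sample_image()
    try:
        print("wiped bytes:", overwrite_once(image))
        print("first surviving byte:", first_nonzero_offset(image))
    finally:
        os.remove(image)
```

The read-back only covers blocks the device exposes, so it says nothing about SSD blocks remapped by wear-leveling, the case the message flags.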