Date:   Thu, 14 Sep 2017 17:46:19 +0900
From:   Damien Le Moal <damien.lemoal@....com>
To:     Philipp Guendisch <philipp.guendisch@....de>,
        linux-kernel@...r.kernel.org
Cc:     linux-fsdevel@...r.kernel.org, linux-block@...r.kernel.org,
        axboe@...nel.dk, viro@...iv.linux.org.uk,
        bart.vanassche@...disk.com, martin.petersen@...cle.com,
        hare@...e.de, osandov@...com, dan.j.williams@...el.com,
        ming.lei@...hat.com, linux-kernel@...cs.fau.de,
        Mate Horvath <horvatmate@...il.com>
Subject: Re: [PATCH] Support for secure erase functionality

Philipp,

On 9/14/17 00:37, Philipp Guendisch wrote:
> This patch adds a software based secure erase option to improve data
> confidentiality. The CONFIG_BLK_DEV_SECURE_ERASE option enables a mount
> flag called 'sw_secure_erase'. When you mount a volume with this flag,
> every discard call is prepended by an explicit write command to overwrite
> the data before it is discarded. A volume without a discard compatibility
> can be used as well but the discard calls will be enabled for this device
> and suppressed after the write call is made.

Writing once to a sector stored on spinning rust will *not* fully erase
the previous data. Part of the signal used for storing that data will
remain on the track (because the disk head is never perfectly aligned on
the track). With some signal processing work, the old data can be retrieved.

You will need a *lot* of normal writes to make sure nothing remains of
the old data signal. Granted, even a single write will make it hard to
get to the old data, but it is possible nevertheless. Hence the standard
defined SANITIZE with cryptographic erase option to ensure that the old
data is really dead.

I think that a similar problem also exists for SSDs, and it is even worse
there since writing twice to the same logical sector does not even go to
the same physical sector. The old data is not even overwritten.

Writing to erase just makes reading the old data harder, but from a pure
security perspective, I do not think that works.

Best regards.

-- 
Damien Le Moal,
Western Digital
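To make the SSD argument in the reply concrete, here is an added illustration that is not part of the thread, the patch under discussion, or any kernel code. It models a flash translation layer in a few lines (every write lands on a fresh physical page; discard only drops the logical-to-physical mapping) and contrasts the patch's overwrite-then-discard sequence with a cryptographic-erase design where destroying the volume key is the erase. The device model, the page sizes, and the HMAC-based per-page keystream are all assumptions made for the demonstration; the keystream stands in for a real disk cipher and should not be reused as one.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

PAGE = 16  # bytes of user data per logical block in this toy model (assumption)


class ToyFlash:
    """Minimal flash model (constructed for this example): every write goes
    to a fresh physical page, as a real FTL does; discard only unmaps."""

    def __init__(self, pages: int) -> None:
        self.phys: List[Optional[bytes]] = [None] * pages  # raw chip contents
        self.l2p: Dict[int, int] = {}                       # logical -> physical
        self.free = 0

    def write(self, lba: int, data: bytes) -> int:
        if self.free >= len(self.phys):
            raise RuntimeError("toy device full")
        p = self.free
        self.free += 1
        self.phys[p] = data
        self.l2p[lba] = p  # the previously mapped page is now stale but intact
        return p

    def read(self, lba: int) -> Optional[bytes]:
        p = self.l2p.get(lba)
        return None if p is None else self.phys[p]

    def discard(self, lba: int) -> None:
        self.l2p.pop(lba, None)  # TRIM: no physical erase happens here

    def raw_scan(self, needle: bytes) -> List[int]:
        """Forensic (chip-off) view: every physical page, mapped or not."""
        return [i for i, d in enumerate(self.phys) if d and needle in d]


def overwrite_then_discard(dev: ToyFlash, lba: int) -> None:
    """The sequence the proposed mount flag performs: explicit zero write,
    then the discard. On out-of-place media the zeros land elsewhere."""
    dev.write(lba, bytes(PAGE))
    dev.discard(lba)


class CryptoErasableVolume:
    """Volume whose data is only ever stored encrypted under one key, so the
    erase operation is destroying that key (the cryptographic-erase idea)."""

    def __init__(self, dev: ToyFlash) -> None:
        self.dev = dev
        self.key: Optional[bytes] = os.urandom(32)

    def _stream(self, nonce: bytes, lba: int) -> bytes:
        # Toy per-page keystream: HMAC(key, nonce || lba). Assumption for the
        # demo only; a real volume would use a proper disk-encryption mode.
        msg = nonce + lba.to_bytes(8, "big")
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:PAGE]

    def write(self, lba: int, data: bytes) -> None:
        if self.key is None:
            raise RuntimeError("key destroyed")
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(data, self._stream(nonce, lba)))
        self.dev.write(lba, nonce + ct)  # only ciphertext reaches the chip

    def read(self, lba: int) -> Optional[bytes]:
        if self.key is None:
            raise RuntimeError("key destroyed")
        page = self.dev.read(lba)
        if page is None:
            return None
        nonce, ct = page[:16], page[16:]
        return bytes(a ^ b for a, b in zip(ct, self._stream(nonce, lba)))

    def crypto_erase(self) -> None:
        self.key = None  # stale pages stay on the chip but are unreadable


def demo_overwrite() -> dict:
    """Overwrite-then-discard on the toy FTL: logical read is gone, but the
    original page still holds the plaintext."""
    dev = ToyFlash(8)
    secret = b"top-secret-data!"  # constructed 16-byte sample
    dev.write(3, secret)
    overwrite_then_discard(dev, 3)
    return {"logical_read": dev.read(3), "raw_hits": dev.raw_scan(secret)}


def demo_crypto_erase() -> dict:
    """Same data on an encrypted volume: readable before key destruction,
    and the plaintext never appears anywhere on the chip."""
    dev = ToyFlash(8)
    vol = CryptoErasableVolume(dev)
    secret = b"top-secret-data!"
    vol.write(3, secret)
    before = vol.read(3)
    vol.crypto_erase()
    try:
        vol.read(3)
        readable_after = True
    except RuntimeError:
        readable_after = False
    return {"before": before, "readable_after": readable_after,
            "raw_hits": dev.raw_scan(secret)}


if __name__ == "__main__":
    print("overwrite+discard:", demo_overwrite())
    print("crypto erase:     ", demo_crypto_erase())
```

The first demo returns an empty logical read but a raw hit on physical page 0, which is the remapping point the reply makes: the zeros went to a new page and the original one was merely unmapped. The second demo never has the plaintext on the chip at all, so neither garbage collection timing nor head alignment matters once the key is gone.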
