On Mon, Mar 18, 2013 at 02:15:17PM -0400, Kyle wrote:
> After reading through the btrfs documentation I'm curious to know if
> it's possible to ever securely erase a file from a btrfs filesystem
> (or ZFS for that matter).

   Not really.

   It gets even worse for SSDs, because the SSD itself can be
effectively CoW, with old pages lurking away in the flash storage
where (with a bit of physical persuasion of the hardware) they can be
read. So you have the same problem on SSDs even with non-CoW
filesystems.

> On non-COW filesystems atop regular HDDs one can simply overwrite
> the file with zeros or random data using dd or some other tool and
> rest assured that the blocks which contained the sensitive
> information have been wiped.

   Assuming that anything that's modified the file since its creation
hasn't written a copy and then overwritten it with rename(), of
course...

> However on btrfs it would seem any such attempt would write the
> zeros/random data to a new location, leaving the old blocks with the
> sensitive data intact. Further, since specifying NOCOW is only
> possible for newly created files, there seems to be no way to
> overwrite the appropriate blocks short of deleting the associated
> file and then filling the entire free filesystem space with
> zeros/random data such that the old blocks are eventually
> overwritten. What's the verdict on this?

   Your analysis is pretty much correct, but should be expanded to a
whole load of other data-leakage paths in generalised storage systems.
Overwriting file contents hasn't really been a reliable method of
erasing files for many years (if ever).

   Hugo.

-- 
=== Hugo Mills: hugo@... carfax.org.uk | darksatanic.net | lug.org.uk ===
  PGP key: 65E74AC0 from wwwkeys.eu.pgp.net or http://www.carfax.org.uk
   --- Great oxymorons of the world, no.  3: Military Intelligence ---   

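The rename() caveat from the reply above, as an added example that is not part of the original message: a file is saved by writing a new copy and renaming it into place, then "wiped" by overwriting in place, and the original contents are still readable through a handle to the old inode. The function names and sample data are constructed for illustration, and POSIX rename semantics are assumed.

```python
import os
import tempfile

SECRET = b"constructed sample secret: hunter2\n"  # constructed sample data


def atomic_save(path, data):
    """Save the way many editors do: write a new file, then rename() over the old one."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    with os.fdopen(fd, "wb") as f:
        f.write(data)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)  # rename(2): path now names a different inode


def overwrite_in_place(path):
    """Zero the current contents without truncating (like dd with conv=notrunc)."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        f.write(b"\0" * size)
        f.flush()
        os.fsync(f.fileno())


def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "notes.txt")
        with open(path, "wb") as f:
            f.write(SECRET)
        inode_before = os.stat(path).st_ino
        # Keep the original inode open so it can be inspected afterwards.
        # Without this handle its blocks would be freed, not zeroed.
        witness = open(path, "rb")
        try:
            atomic_save(path, SECRET + b"one more line\n")
            inode_after = os.stat(path).st_ino
            overwrite_in_place(path)  # only touches the inode the path names now
            with open(path, "rb") as f:
                current = f.read()
            old_copy = witness.read()
        finally:
            witness.close()
        return {"inode_changed": inode_before != inode_after,
                "current_is_zeroed": set(current) == {0},
                "old_copy": old_copy}


if __name__ == "__main__":
    print(demo())
```

The overwrite reports success and the visible file is all zeros, yet the first copy was never written to. This holds on non-CoW filesystems too, which is the point of the caveat.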