Date: Thu, 28 Apr 2005 09:04:35 -0400 (EDT)
From: "Robert Krten" <root@parse.com>
To: des@des.no (Dag-Erling Smørgrav)
Cc: freebsd-fs@freebsd.org
Subject: Re: Background block scrubbing
Message-ID: <200504281304.JAA02215@parse.com>
In-Reply-To: <867jin2a2p.fsf@xps.des.no> from "Dag-Erling Smørgrav" at Apr 27, 2005 11:17:50 PM
Dag-Erling Smørgrav sez...
>
> "Robert Krten" <root@parse.com> writes:
> > Is there a utility that does background unused block scrubbing?
> >
> > What I'm thinking of is something that looks for unused blocks on the
> > disk, and then writes zeros, then random, then more random, etc, to them
> > for security applications.
>
> That's not how it's done. Here's a good explanation of how to do it
> and why it must be done that way:
>
> http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

Thanks!

> > It would need to have some cooperation from the filesystem so that it could
> > lock down a block (or ten, or some number) at a time that it could then go
> > and "scrub" during idle periods... Since it would only allocate a few
> > blocks at a time, it wouldn't need to have a mechanism to release them (IMHO).
>
> To do this safely, you have to first scrub the entire disk before
> partitioning / newfsing it, and when the disk is in use, scrub every
> single block that has held data but no longer does as soon as it is
> deallocated, and before reporting the I/O operation complete to the
> filesystem. Performance would be abysmal (it takes 35 passes to fully
> scrub each block), so in real life you'd be better off encrypting the
> disk (using gbde or something similar), and only scrubbing or bulk
> erasing it when you decommission it.

Gotcha. I wasn't aware it was *35* :-) I was thinking/hoping more like
3 or 4 with random garbage.

Thanks for the info!

Cheers,
-RK

--
Robert Krten, PARSE Software Devices +1 613 599 8316.
Realtime Systems Architecture, Consulting, Books and Training at www.parse.com
Looking for Digital Equipment Corp. PDP-1 through PDP-15 minicomputers!
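An added illustration, not code from this thread, from FreeBSD or from gbde: a toy Python model of the scrub-on-deallocate scheme Dag-Erling describes, where the free path overwrites a block before the deallocation is reported complete. The class and function names (`ScrubOnFreeDevice`, `free_and_inspect`, `write_amplification`) and the 16-byte block size are choices made here; the zeros/ones/random pattern sequence is only a stand-in for the pass schedule in the Gutmann paper linked above, and the 35-pass count is the figure quoted in the thread. Running it shows the two points made in the exchange: once any scrub pass runs, a raw read of the medium no longer returns the freed data, and the number of media writes per block freed grows to 1 + passes, which is the cost behind the "abysmal" performance remark.

```python
# Constructed example: a block store that scrubs each block synchronously
# when it is freed. Not FreeBSD or filesystem code; a model for discussion.
import os

BLOCK_SIZE = 16
GUTMANN_PASSES = 35   # pass count cited in the thread for a full scrub


class ScrubOnFreeDevice:
    """Block store whose free path overwrites the block `passes` times
    before the deallocation is reported complete to the caller."""

    def __init__(self, nblocks, passes=GUTMANN_PASSES):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(nblocks)]
        self.free = set(range(nblocks))
        self.passes = passes
        self.media_writes = 0   # every write that actually hits the medium

    def _raw_write(self, idx, data):
        self.blocks[idx][:] = data
        self.media_writes += 1

    def raw_read(self, idx):
        """What a read of the raw medium (bypassing the filesystem) returns."""
        return bytes(self.blocks[idx])

    def alloc(self, payload):
        idx = min(self.free)
        self.free.remove(idx)
        self._raw_write(idx, payload.ljust(BLOCK_SIZE, b"\0")[:BLOCK_SIZE])
        return idx

    def free_block(self, idx):
        # Stand-in pass schedule: zeros, ones, then random. The block's old
        # contents are gone before the caller is told the free completed.
        for p in range(self.passes):
            if p == 0:
                pattern = bytes(BLOCK_SIZE)
            elif p == 1:
                pattern = b"\xff" * BLOCK_SIZE
            else:
                pattern = os.urandom(BLOCK_SIZE)
            self._raw_write(idx, pattern)
        self.free.add(idx)


def free_and_inspect(passes):
    """Allocate a block holding a marker, free it, and report whether the
    marker survives on the raw medium and how many media writes it cost."""
    dev = ScrubOnFreeDevice(nblocks=4, passes=passes)
    idx = dev.alloc(b"SECRET-PAYROLL")       # constructed sample content
    dev.free_block(idx)
    leaked = b"SECRET" in dev.raw_read(idx)
    return {"leaked": leaked, "media_writes": dev.media_writes}


def write_amplification(passes):
    """Media writes per one logical write-then-free cycle: 1 + passes."""
    return free_and_inspect(passes)["media_writes"]


if __name__ == "__main__":
    for n in (0, 3, GUTMANN_PASSES):
        r = free_and_inspect(n)
        print(f"passes={n:2d}  leaked={r['leaked']}  media_writes={r['media_writes']}")
```

The model deliberately scrubs inside `free_block` rather than in a background idle task, which is the ordering constraint in the thread: a background scrubber leaves a window in which freed blocks still hold their old contents. Comparing `write_amplification(3)` with `write_amplification(35)` gives the cost of the two pass counts discussed, and is the quantity that makes whole-disk encryption plus a single bulk erase at decommissioning the more practical design.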