Message-Id: <200507151014.j6FAEDt02003@parrot.ebi.ac.uk>
To: "Poul-Henning Kamp"
In-Reply-To: Your message of "Fri, 15 Jul 2005 11:24:18 +0200." <9297.1121419458@phk.freebsd.dk>
Date: Fri, 15 Jul 2005 11:14:13 +0100
From: David Kreil
Cc: freebsd-fs@freebsd.org, David Kreil, freebsd-questions@freebsd.org
Subject: Re: gbde blackening feature - how can on disk keys be "destroyed" thoroughly?

Dear Poul-Henning,

Thank you for your fast and friendly reply!

> In FreeBSD you need to study the cvs logs to see what happened.
>
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/geom/bde/?hideattic=0

Ah, thanks!

> >You have been most helpful in our discussion last year. I have now, in
> >particular, been wondering whether you have since at all had a chance of
> >revisiting the issue of blackening keys with multiple physical random
> >overwrite before resetting them to zero to avoid key recovery by methods
> >as available from companies like www.dataclinic.co.uk.
>
> I have talked with some people from various disk manufacturers who
> know what they talk about and their unanimous advice is: "forget it".
> The geometry of modern disk R/W heads does not allow you to do anything
> which will be really efficient.

This, however, would not matter due to the beauty of the gbde design! The
areas that one would need to "wipe" are very small. All we need to thoroughly
destroy are the keys, then the rest can safely stay in place.

So, even if one doesn't know how to disable device caching, if a typical disk
cache is 8MB, I suppose one could flush it through by writing 20MB. So, if one
has |key|20MB bla| on disk and one wrote |random|20MB bla| that should get the
"random" bits overwriting the key on disk (but for hardware level sector
remapping but that is a rare event).
One would have to bypass the operating
system cache though but I guess you would know how to do that, right?

This should take less than 1s on a modern disk, i.e., less than half a minute
for the entire procedure, x4 = 1-2 minutes, which should be fast enough for a
final destruction.

Would it be a lot of work for someone knowledgeable to implement that? I'd be
happy to help but my knowledge of FreeBSD internals is sketchy to say the
least.

What do you think? I much look forward to hearing from you.

With best regards,

David.

---------------------------------------------------------------------------
Dr David Philip Kreil
Research Fellow, Darwin College,      | WWTF Vienna Science Chair of
University of Cambridge               | Bioinformatics, Dept of Biotechnology,
++44 1223 764107, fax 7092 810040     | c/o IAM / BOKU, A-1190 Muthgasse 18
www.inference.phy.cam.ac.uk/dpk20     | ++43 1 360066830
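
The overwrite-then-flush procedure proposed in this message, as an added example that is not part of the original email and is not gbde code. The function names, the default of four random passes and the use of `O_SYNC` plus `fsync` to get past the operating system cache are assumptions; the `|key|20MB bla|` layout is taken from the message.

```python
import os

FLUSH_BYTES = 20 * 1024 * 1024  # the message's 20MB, sized to exceed an 8MB drive cache
CHUNK = 1024 * 1024

def _write_all(fd, data, offset):
    """pwrite until every byte is written (pwrite may write short)."""
    view = memoryview(data)
    while view:
        n = os.pwrite(fd, view, offset)
        view, offset = view[n:], offset + n

def _rewrite_in_place(fd, offset, length):
    """Read the data that follows the key and write it back unchanged, so the
    drive must absorb `length` bytes of writes issued after the key write."""
    end = offset + length
    while offset < end:
        chunk = os.pread(fd, min(CHUNK, end - offset), offset)
        if not chunk:  # reached the end of the image or device
            break
        _write_all(fd, chunk, offset)
        offset += len(chunk)

def blacken_key(path, key_offset, key_len, passes=4, flush_bytes=FLUSH_BYTES):
    """Overwrite the key area `passes` times with random bytes, then zero it.
    Returns the number of key overwrites performed (hypothetical helper)."""
    # Assumption: O_SYNC + fsync keep the writes from lingering in the OS cache.
    # Neither controls the drive's own cache, hence the flush writes below.
    fd = os.open(path, os.O_RDWR | os.O_SYNC)
    try:
        patterns = [os.urandom(key_len) for _ in range(passes)] + [bytes(key_len)]
        for pattern in patterns:
            _write_all(fd, pattern, key_offset)        # |random| replaces |key|
            os.fsync(fd)
            _rewrite_in_place(fd, key_offset + key_len, flush_bytes)  # |20MB bla|
            os.fsync(fd)
        return len(patterns)
    finally:
        os.close(fd)
```

Run it against a scratch image file first; as the message notes, a sector the drive has remapped at the hardware level is not reached by overwriting its logical address.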