Date: Mon, 25 Aug 2014 20:24:40 +0200
From: Roland Smith
To: CyberLeo Kitsana
Subject: Re: some ZFS questions
Message-ID: <20140825182440.GA57059@slackbox.erewhon.home>
Mail-Followup-To: CyberLeo Kitsana, Scott Bennett, kpneal@pobox.com, freebsd-questions@freebsd.org
In-Reply-To: <53FB0AFD.6010507@cyberleo.net>
Cc: Scott Bennett, freebsd-questions@freebsd.org, kpneal@pobox.com

On Mon, Aug 25, 2014 at 05:07:57AM -0500, CyberLeo Kitsana wrote:
> On 08/24/2014 05:27 AM, Scott Bennett wrote:
> > kpneal@pobox.com wrote:
> >> What's the harm in encrypting all the data?
> >
> > High CPU overhead for both reading and writing is the main downside.
>
> AES-NI is fully supported for recent Intel CPUs, and can achieve some
> pretty impressive throughputs.
>
> >>
> >> In fact, encrypting all data is more secure. If you only encrypt the data
> >
> > Sure, but why do it if the data don't need to be secret?
>
> Because it takes 6-8 hours to erase a 3TB hard disk; and, if the disk
> fails, you can't always erase it before sending it back for RMA replacement.

Are you following some kind of complex protocol? With a bog-standard 7.5k SATA
drive on an Intel ICH9M controller I've measured write speeds (using “dd
if=/dev/zero”) of 85500000 bytes/s. That would mean approximately 3.25 hours
to wipe 3TB by filling it with zeroes.

With modern drives the data density is so high that it is almost impossible to
retrieve single overwritten bits, let alone bytes or files if the complete
disk was filled with zeroes. And this includes the situation where magnetic
force microscopy (“MFM”) is used.
[1][2]

Also see the "Further Epilogue" to Gutmann's original article (see [2], scroll
to the end);

  Any modern drive will most likely be a hopeless task, what with ultra-high
  densities and use of perpendicular recording I don't see how MFM would even
  get a usable image, and then the use of EPRML will mean that even if you
  could magically transfer some sort of image into a file, the ability to
  decode that to recover the original data would be quite challenging.

[1]: http://vocaro.com/trevor/blog/2006/09/18/the-myth-of-the-gutmann-method/comment-page-1/#comment-156068
[2]: https://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

If some government agency wants access to your data they can probably find an
excuse to subpoena your backup tapes rather than futz around trying to recover
erased data.

Roland
--
R.F.Smith                                   http://rsmith.home.xs4all.nl/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 5753 3324 1661 B0FE 8D93  FCED 40F6 D5DC A38A 33E0 (keyID: A38A33E0)
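
Added example, not part of the original message: the zero-fill wipe discussed above, followed by a read-back check that the target really contains only zeroes, including the case of a wipe that stopped partway. It runs on a constructed image file; the function names and the temporary image are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: zero-fill wipe plus read-back verification, demonstrated on a
# constructed image file. Function names are hypothetical.

# Build a constructed "disk" image of $2 KiB in which every byte is non-zero.
make_image() {
    dd if=/dev/zero bs=1024 count="$2" 2>/dev/null | tr '\000' 'A' > "$1"
}

# Overwrite target $1 with zeroes without changing its size. An optional $2
# limits the write to that many KiB, simulating a wipe that was interrupted.
zero_fill() {
    total_kib=$(( $(wc -c < "$1" | tr -d ' ') / 1024 ))
    dd if=/dev/zero of="$1" bs=1024 count="${2:-$total_kib}" conv=notrunc 2>/dev/null
}

# Print how many bytes on target $1 are still non-zero (0 means fully wiped).
nonzero_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# Succeed only if every byte of target $1 reads back as zero.
wipe_verified() {
    [ "$(nonzero_bytes "$1")" -eq 0 ]
}

# Demo on a constructed 64 KiB image (never a real device).
demo_img=$(mktemp)
make_image "$demo_img" 64
zero_fill "$demo_img" 16            # interrupted after 16 KiB
wipe_verified "$demo_img" || echo "partial wipe: $(nonzero_bytes "$demo_img") bytes remain"
zero_fill "$demo_img"               # complete pass
wipe_verified "$demo_img" && echo "wipe verified: all bytes read back as zero"
rm -f "$demo_img"
```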