deprovision: Implement device sanitization #374

Open
fionera opened this issue Jan 15, 2025 · 1 comment
Comments

@fionera
Contributor

fionera commented Jan 15, 2025

As a sysadmin for a corporation with lots of compliance regulations, I want to be sure that my drives are properly sanitized when I deprovision a server. This includes support for the most common deletion sequences:

  • DoD Formatting
  • SCSI Self formatting
  • NVMe Format
  • etc.

After a deletion is done, a log should be available containing all information about the drives and the state they are in, to allow admins or third-party vendors to verify that the drives were sanitized properly and can be reused/resold.

@lorenz
Contributor

lorenz commented Jan 16, 2025

If you care about data security, isn't cryptographic erasure via TPM nvindex wipe much safer? At least flash-based devices generally leave readable data on the flash chips. Even spinning disks don't just linearly map through all available space.

ATA secure erase / NVMe sanitize is the only thing which has any hope of actually deleting data semi-permanently. And even that has been proven to not work sometimes. ATA secure erase has known reliability problems with firmware issues and controller timeouts, NVMe sanitize is mostly restricted to certain enterprise drives.

The most I would offer is three options (and I already feel uncomfortable with that many):

  1. Fast cryptographic erasure. Relies on the keys being destroyed by us. Only wipes partition table. Pseudorandom data is left on the devices. Takes seconds, very reliable.
  2. Clear. Relies on the keys being destroyed by us but also makes a best-effort attempt to present the disk as clean to the next user. Uses NVMe format for flash devices. Writes zeroes to other devices and trims if available. Slow for spinning disks and old flash-based devices. Very reliable.
  3. Sanitize. Uses NVMe sanitize, ATA secure erase or SCSI sanitize. Samples a few regions afterwards to check that no data is left. If not available on any disk, the operation fails. Our security model still relies on cryptographic erasure, but assuming proper implementation by disk controllers the data can be expected to be permanently destroyed. Much less reliable than the other two, depends a lot more on sketchy firmware, long command timeouts and availability of specific optional functionality.
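
Option 3 above ends with a spot check that samples a few regions of the wiped device. The Go function below is an added example of such a check and is not code from the original issue or from the project it belongs to. It assumes that a blank region reads back as all 0x00 or all 0xFF (deallocated flash commonly does) and that samples should be spread over the whole device rather than clustered; it only makes sense after the Clear or Sanitize paths, since cryptographic erasure deliberately leaves pseudorandom data behind.

```go
package main

import (
	"fmt"
	"io"
	"math/rand"
)

// Region is one sampled span of the device and whether it read back blank.
type Region struct {
	Offset int64
	Clean  bool
}

// isBlank accepts a region only if every byte is 0x00 or every byte is 0xFF
// (assumption: deallocated flash commonly reads back as one of the two).
func isBlank(b []byte) bool {
	if len(b) == 0 || (b[0] != 0x00 && b[0] != 0xFF) {
		return false
	}
	for _, c := range b {
		if c != b[0] {
			return false
		}
	}
	return true
}

// sampleDevice splits a device of size total into count equal slices and reads
// one regionSize-byte span at a seeded pseudorandom offset inside each slice.
// It returns per-region results and whether every sampled region was blank.
func sampleDevice(dev io.ReaderAt, total int64, regionSize, count int, seed int64) ([]Region, bool, error) {
	slice := total / int64(count)
	if slice < int64(regionSize) {
		return nil, false, fmt.Errorf("device too small for %d samples of %d bytes", count, regionSize)
	}
	rng := rand.New(rand.NewSource(seed))
	buf := make([]byte, regionSize)
	regions := make([]Region, 0, count)
	allClean := true
	for i := 0; i < count; i++ {
		off := int64(i)*slice + rng.Int63n(slice-int64(regionSize)+1)
		if _, err := dev.ReadAt(buf, off); err != nil {
			return regions, false, fmt.Errorf("read at offset %d: %w", off, err)
		}
		regions = append(regions, Region{Offset: off, Clean: isBlank(buf)})
		allClean = allClean && regions[i].Clean
	}
	return regions, allClean, nil
}
```

On a real device, open it with os.Open, obtain its size with f.Seek(0, io.SeekEnd) and pass something like 64 samples of 1 MiB; the per-region results are what an audit log of the kind requested in the issue would record. A sample that finds data proves the wipe failed, but a clean sample is only evidence, not proof, which is why the security model above still rests on cryptographic erasure.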

No branches or pull requests

2 participants