Subscribe
Accepted Solution

secure delete

Hello,

some customers require a "secure delete" for their files. Is it even possible to overwrite blocks of data on our filer or works the filesystem with COW? Has NetApp developed an equivalent function?

Thanks for your answers.

Re: secure delete

Hi and welcome to the forums!

Are you aware of Disk Sanitization feature?

(http://now.netapp.com/NOW/knowledge/docs/ontap/rel732_vs/pdfs/ontap/smg.pdf, page 33)

You need a license to use it, but the license is zero cost.

Regards,

Radek

Re: secure delete

Disk sanitation is useful when you are decommissioning an entire disk or set of disks. It doesn't work at the file level.

Due to the nature of WAFL (especially the "Write Anywhere" part), it's really tough to ensure as we don't reliably re-write blocks under the covers.  In most cases, this is very efficient, but it is troublesome for this use case.  Especially, but not only when snapshots are involved.

The closest thing NetApp can offer is DataFort encryption.  If you encrypt all of your data on disk through a DataFort or a device that supports it's keys (like certain Brocade switches) you can do data shredding by throwing away the key associated with a given file.  It's usually a massive overkill for most folks, but it works since the data is always encrypted, you don't have to worry about a secure delete because it's always secure.

I suppose if you were doing a SAN deployment and your host has filesystem level encryption, this would work as well. 

Hope this helps.

Re: secure delete

There is a bunch of OS-specific, 3rd party tools for secure shredding of single files, e.g. freeware File Shredder (I am sure there are more sophisticated products as well, chargeable, but with fancy certificates, etc.)

Re: secure delete

Yes, but WAFL may work against these products.  Since networked storage doesn't give you direct access to the real disks (it's all virtualized), the product must rely on the storage to write the blocks and that's where things can break. 

So let's say you have a utility that will overwrite a block 5 or 6 times with some pattern, then deletes it.  WAFL might over-write the block, or it might allocate a new block and free the old one, thus defeating the algorithm unintentionally.  If the file has block in question lives in a snapshot, then it's even worse since the original block stays around.

Re: secure delete

Yeah, you're right about WAFL sneakily preserving blocks from being overwritten.

For some customers "shredding" from the OS side could be good enough though. Actual blocks on disks may or may not be overwritten, but simple, host-side un-delete tools will find it impossible to recover a file (arguably 'manual' recovery by collecting WAFL blocks will be complex & tedious).

Re snapshots - to me it's obvious that if a snaphot exists, which is just a form of a backup copy, shredding the orriginal file isn't good enough & backup needs to be destroyed as well.

Interestingly enough NOW pages are talking about 'selective disk sanitization':

http://now.netapp.com/NOW/knowledge/docs/ontap/rel727_vs/html/ontap/smg/provisioning/concept/c_oc_prov_disk-sanitization-select.html#c_oc_prov_disk-sa...

The actual procedure though is still about shredding disks, not files or volumes, but additional (straightforward) steps are described for preserving files which are not meant to be destroyed.

Regards,
Radek

Re: secure delete

Thanks a lot for this tip, I think that will be the right path for our customer.

Re: secure delete

Hi Radek, the link is broken, do you have a copy you can email me please?! Thanks mate