"secure" file flag?

StefanEßer se at FreeBSD.org
Sat Nov 22 02:54:08 PST 2003


On 2003-11-22 11:04 +0100, Dag-Erling Smørgrav <des at des.no> wrote:
> Stefan Eßer <se at FreeBSD.org> writes:
> > I may be way off, but I do not think, that a special thread or 
> > a cache flush after each block is required: [...]
> 
> What happens if you yank the power cord?

Worst case: the same thing that would have happened if you had lost
power a fraction of a second earlier, just before the unlink or loss
of the last reference to the file ...

Nothing short of a self-destruct mechanism will do any better ;-)
(You could provide an internal UPS and try to prevent unauthorized
access to hardware components by sealing the components in a special
enclosure, but I guess we are getting carried away. Better to protect
against unauthorized access to the computer and have it perform an
emergency shutdown (with secure deletion of critical information) in
case of a (physical :) access violation.)


Back to the subject of this thread:

You could write a special flag "needs to be securely removed" to
the inode. That way, an interrupted overwrite process could be
continued after the next reboot (for example initiated by fsck). This
is meant to protect against traces of sensitive data being left on
the disk for a long time after a crash. But such an inode would also
indicate to an attacker the disk blocks that were considered to need
protection, and may make an attack on the magnetic residue practical
at all ...


But the real problem appears to be when to mark the blocks and
inode as free. Normally, the blocks are returned to the free block
map when an inode is invalidated. File system blocks may not be
reused before the overwrite procedure has completed.

Again, this requires that the inode is only removed after the last 
file block has been processed. But I'm not sure whether there is 
a mechanism that allows invalidating the inode after the last 
associated buffer has been flushed ...

Regards, Stefan
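To make the ordering discussed above concrete, here is an added toy model of the "needs to be securely removed" flag; it is not code from the thread or from FreeBSD. The flag name SF_SECRM, its value, and the Fs/secure_unlink/fsck_resume names are assumptions for illustration only.

```python
SF_SECRM = 0x1  # assumed flag value for "needs secure removal"; not a real FreeBSD flag
BLOCKSIZE = 4   # toy block size

class Crash(Exception):
    """Simulated power loss."""

class Fs:
    def __init__(self, nblocks):
        self.disk = [b"\x00" * BLOCKSIZE] * nblocks   # block contents
        self.free = [True] * nblocks                   # free block map
        self.inodes = {}                               # ino -> {"flags", "blocks"}

    def create(self, ino, data):
        blocks = [b for b, f in enumerate(self.free) if f][:len(data)]
        for b, d in zip(blocks, data):
            self.disk[b], self.free[b] = d, False
        self.inodes[ino] = {"flags": 0, "blocks": blocks}

    def secure_unlink(self, ino, crash_after=None):
        node = self.inodes[ino]
        node["flags"] |= SF_SECRM                 # 1. record intent in the inode first
        for n, b in enumerate(node["blocks"]):
            if n == crash_after:
                raise Crash()                     # power yanked mid-overwrite
            self.disk[b] = b"\x00" * BLOCKSIZE    # 2. overwrite the block in place
        for b in node["blocks"]:                  # 3. only now release the blocks ...
            self.free[b] = True
        del self.inodes[ino]                      # ... and invalidate the inode

    def fsck_resume(self):
        """Finish interrupted secure removals; returns the inodes completed."""
        pending = [i for i, n in self.inodes.items() if n["flags"] & SF_SECRM]
        for ino in pending:
            self.secure_unlink(ino)
        return pending

def demo():
    fs = Fs(8)
    fs.create(7, [b"AAAA", b"BBBB", b"CCCC"])   # constructed sample file
    try:
        fs.secure_unlink(7, crash_after=1)      # crash after the first block is wiped
    except Crash:
        pass
    blocks = fs.inodes[7]["blocks"]
    after_crash = [fs.disk[b] for b in blocks]       # partial residue still on disk
    reused_early = any(fs.free[b] for b in blocks)   # must be False: nothing freed yet
    resumed = fs.fsck_resume()                       # flag lets fsck finish the job
    return after_crash, reused_early, resumed, dict(fs.inodes), all(fs.free)
```

The flagged inode that survives the crash is exactly the marker Stefan notes an attacker could use to locate the sensitive blocks; the model shows the trade-off, not a way around it.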

