some ZFS questions

Roland Smith rsmith at xs4all.nl
Mon Aug 25 18:24:49 UTC 2014 

On Mon, Aug 25, 2014 at 05:07:57AM -0500, CyberLeo Kitsana wrote:
> On 08/24/2014 05:27 AM, Scott Bennett wrote:
> > kpneal at pobox.com wrote:
> >> What's the harm in encrypting all the data?
> >
> > High CPU overhead for both reading and writing is the main downside.
>
> AES-NI is fully supported for recent Intel CPUs, and can achieve some
> pretty impressive throughputs.
>
> >>
> >> In fact, encrypting all data is more secure. If you only encrypt the data
> >
> > Sure, but why do it if the data don't need to be secret?
>
> Because it takes 6-8 hours to erase a 3TB hard disk; and, if the disk
> fails, you can't always erase it before sending it back for RMA replacement.

Are you following some kind of complex protocol? With a bog-standard 7.5k SATA
drive on an Intel ICH9M controller I've measured write speeds (using “dd if=/dev/zero”)
of 85500000 bytes/s. That would mean approximately 3.25 hours to wipe 3TB by
filling it with zeroes.

With modern drives the data density is so high that it is almost impossible to
retrieve single overwritten bits, let alone bytes or files if the complete
disks was filled with zeroes. And this includes the situation where a magnetic
force microscopy (“MFM”) is used. [1][2]

Also see the "Further Epilogue" to Gutmann's original article (see [2], scroll
to the end);

    Any modern drive will most likely be a hopeless task, what with ultra-high
    densities and use of perpendicular recording I don't see how MFM would even
    get a usable image, and then the use of EPRML will mean that even if you could
    magically transfer some sort of image into a file, the ability to decode that
    to recover the original data would be quite challenging.

[1]: http://vocaro.com/trevor/blog/2006/09/18/the-myth-of-the-gutmann-method/comment-page-1/#comment-156068
[2]: https://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html

If some government agency want access to your data they can probably find an
excuse to subpeona your backup tapes rather than futz around trying to recover
erased data.


Roland
-- 
R.F.Smith                                   http://rsmith.home.xs4all.nl/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 5753 3324 1661 B0FE 8D93  FCED 40F6 D5DC A38A 33E0 (keyID: A38A33E0)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20140825/067938a6/attachment.sig>

More information about the freebsd-questions mailing list