File Date Author Commit
 src 2013-09-17 psi psi [69c908] * added new test cases, added ext2fs test, refa...
 tests 2013-08-20 psi psi [4febd3] Added:
 README 2013-09-17 psi psi [69c908] * added new test cases, added ext2fs test, refa...
 SYNCPOINTS 2013-09-17 psi psi [69c908] * added new test cases, added ext2fs test, refa...
 fs_scrub.09.09.13.patch 2013-09-10 psi psi [8c53d8] * introduced distinction of user settable flag ...
 fs_scrub.16.09.13.patch 2013-09-17 psi psi [69c908] * added new test cases, added ext2fs test, refa...
 fs_scrub.19.08.13.patch 2013-08-20 psi psi [4febd3] Added:

Read Me

================================================================================
1. Introduction
================================================================================
This addition is being developed as part of the Google Summer of Code [1] program.
It lets a user have his or her files securely erased once they are deleted from
the file system. The erasure is done automatically (by the kernel) and only for
files selected beforehand by marking them with a file flag.

For example: 

$ chflags uscrub ~/.ssh/id_rsa
$ rm ~/.ssh/id_rsa

Now the file contents are overwritten with garbage, in order to make their
recovery directly from the backing store (e.g. an HDD) (hopefully) impossible.

================================================================================
2. Installation
================================================================================
First, apply the patch file [2] to a source tree (I have used the current branch
in its state from 09.09.2013).

Second, compile a release [3] (or build the kernel and libutil and update an
existing release). When the SCRUB_DEBUG option is defined at compile time, the
mechanism produces some diagnostic messages (I put "options SCRUB_DEBUG" in my
config).

Finally, run the release (or copy freshly built binaries to your old one).

================================================================================
3. Details
================================================================================
Currently, data blocks belonging to a file are filled with garbage and saved on
the backing store NOPASSES times before being returned to the free blocks list.
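
A userland sketch of the same idea, added here as an illustration and not taken from the patch: the file is overwritten in place NOPASSES times with pseudo-random data, and each pass is flushed before the next one starts. The value of NOPASSES, the CHUNK size, the xorshift64 generator and the name scrub_file are assumptions made for this example.

```c
#include <fcntl.h>
#include <stdint.h>
#include <time.h>
#include <unistd.h>

#define NOPASSES 3	/* assumed value; the README does not state it */
#define CHUNK 4096	/* assumed write granularity for this sketch */

/* xorshift64 stand-in; the generator used by the patch is not shown here. */
static void fill_garbage(uint8_t *buf, size_t len, uint64_t *state)
{
	for (size_t i = 0; i < len; i++) {
		*state ^= *state << 13;
		*state ^= *state >> 7;
		*state ^= *state << 17;
		buf[i] = (uint8_t)(*state >> 32);
	}
}

/* Overwrite path in place NOPASSES times. Returns 0 on success, -1 on error. */
int scrub_file(const char *path)
{
	uint8_t buf[CHUNK];
	uint64_t state = ((uint64_t)time(NULL) ^ ((uint64_t)getpid() << 32)) | 1;
	off_t size;
	int fd = open(path, O_WRONLY);
	if (fd < 0)
		return -1;
	if ((size = lseek(fd, 0, SEEK_END)) < 0)
		goto fail;
	for (int pass = 0; pass < NOPASSES; pass++) {
		if (lseek(fd, 0, SEEK_SET) < 0)
			goto fail;
		for (off_t left = size; left > 0; ) {
			size_t n = left < CHUNK ? (size_t)left : CHUNK;
			fill_garbage(buf, n, &state);
			if (write(fd, buf, n) != (ssize_t)n)
				goto fail;
			left -= (off_t)n;
		}
		/* Push this pass to the backing store before starting the next. */
		if (fsync(fd) < 0)
			goto fail;
	}
	return close(fd);
fail:
	close(fd);
	return -1;
}
```

A userland overwrite like this only reaches blocks the file still owns; blocks already released by truncation or deletion are out of its reach, which is the case the in-kernel mechanism handles by scrubbing before blocks go back to the free list.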

On ffs, there are two flags: uscrub for normal users and sscrub for super-users
only.

On ext2fs, only the uscrub flag is settable with chflags, as it is saved under
the file system in terms of extattr (EXT2_SECRM), 

================================================================================
4. Testing
================================================================================
There is a basic atf script that checks for proper handling of secure erasure
under ffs or ext2fs.

$ atf-run /usr/tests/fs/ffs/t_scrub | atf-report
$ atf-run /usr/tests/fs/ext2fs/t_scrub | atf-report

================================================================================
5. Notes
================================================================================
1. Some common use cases:
   # chflags sscrub /etc/passwd
   # chflags sscrub /etc/master.passwd
   # chflags sscrub /etc/pwd.db
   # chflags sscrub /etc/spwd.db
   # chflags sscrub /etc/ssh/ssh_host_*key
   # chflags sscrub /etc/pam.d/*

   $ chflags uscrub ~/.ssh/*
2. Snapshots are not currently supported; that means any blocks claimed by
   a snapshot won't be scrubbed.
3. File systems containing files marked with flags should work when mounted on
   kernels without the patch (provided that flags won't conflict in the future),
   but the functionality won't be there.
4. Users are advised to keep the number of passes (and flags) reasonable,
   because of the time needed for erasure and the wear on devices, especially
   NAND memory based ones (e.g. flash drives, SSDs).
5. Remember that the default behavior when copying a file is to drop file flags;
   use -p to preserve them, e.g. $ cp -p ~/.ssh/id_rsa backup/

================================================================================
6. CHANGELOG
================================================================================
[16.09]
	* added new test cases, added ext2fs test, refactored tests
	* fixed a bug in ext2fs version that would disallow truncation with flag
	* reordered the core mechanism
	* experimented with forcing hardware cache flushes between passes
[09.09] 
	* introduced distinction of user settable flag (uscrub) and
		super-user settable flag (sscrub)
	* moved the test under atf
	* started filling with prng
	* started a multi-pass option (grouping blocks)
	* fixed rump (building a release should now work)

================================================================================
7. TODO
================================================================================
1. Polish everything.
2. Add control via sysctl.
3. Rearrange tests more elegantly and reduce code duplication.
4. Test, fix bugs, improve general robustness.
5. Work on performance.

[1] https://google-melange.appspot.com/gsoc/project/google/gsoc2013/psie/10001
[2] http://sourceforge.net/p/fsscrubflags/code/ci/master/tree/fs_scrub.16.09.13.patch
[3] http://www.netbsd.org/docs/guide/en/chap-build.html